IT Privacy Certification Program Introduction
copyright 2011, IAPP

Overview

The Certified Information Privacy Professional/Information Technology (CIPP/IT) is the newest credentialing initiative from the IAPP and the first global privacy certification for IT practitioners. The CIPP/IT certifies individuals in their knowledge of privacy-related issues and practices in the context of the design and implementation of information and communications technologies.

The IAPP developed the CIPP/IT program in consultation with leading IT privacy academics as well as privacy officers and executives from a variety of global corporations and professional associations. These include Carnegie Mellon University, Indiana University, IBM Corporation, Oracle Corporation (formerly Sun Microsystems), Microsoft Corporation, Hewlett-Packard Company, LexisNexis Group, Intel Corporation, FirstData Corporation, Ernst & Young, The Procter & Gamble Company, Citizens Financial Group, the Data Security Council of India and the National Association of State CIOs (NASCIO).

Who Should Apply

The CIPP/IT certification establishes educational and testing standards in information privacy policies and practices for professionals who are responsible for the design, acquisition, implementation, configuration, audit, or management of IT products or services across any organization and from any location in the world. These individuals include:

  Enterprise system architects (CTO, CIO)
  Business process professionals (purchase decision-makers for IT services and products)
  Business intelligence professionals (providers of data for organizational decision support)
  Designers, developers, engineers, auditors and administrators of software, network or database systems or applications
  Hardware designers and engineers
  IT managers
  Web site operators
  Desktop support specialists
  Risk and regulatory compliance managers
  Information security professionals (CISO, CSO)
  IT compliance and auditing professionals (CISM, CISA)
Certification Requirements

CIPP/IT certification requires the successful completion of both the IAPP Certification Foundation Examination and the CIPP/IT Examination (offered separately), for a total of three hours of testing:

  First-time candidates for IAPP privacy certification (i.e. individuals who do not presently hold any IAPP certification) must activate an IAPP membership at any level in advance of their test and then pass both the Certification Foundation Examination, a two-hour, three-part, 120-item, objective test, and the CIPP/IT Examination, a one-hour, one-part, 60-item, objective test.

  Existing IAPP-certified professionals (i.e. individuals who presently hold a CIPP, CIPP/G or CIPP/C designation) are grandfathered into the IAPP membership and Foundation testing requirements but must still meet the CIPP/IT requirement by passing the CIPP/IT Examination, a one-hour, one-part, 60-item, objective test.

Successful completion of CIPP/IT is defined as an aggregate score of 70% or greater on each exam (as applicable under each scenario above). This means at least 84 out of 120 total points for the Certification Foundation exam and at least 42 out of 60 total points for the CIPP/IT exam. Partial completion of either exam will result in no credential being awarded until such time that all requirements are met. The exams may be taken in sequence at the same sitting or separately at different testing events.

Upon successful completion of the exam(s), the CIPP/IT certification becomes active on the date of examination and remains in force annually provided that:

  IAPP membership remains in good standing each year; and,
  a minimum of ten (10) credit hours of continuing privacy education (CPE) is met each year.
CPE is defined as any program, event, forum, book, presentation, speaking engagement or teaching engagement that relates in whole to information privacy, security, auditing, risk management or legal compliance, whether provided by the IAPP or by another professional organization such as (ISC)², ISSA or ISACA. Specific guidelines on CPE-eligible programs and application processes are available for review at www.privacyassociation.org.

Course Format

The common body of knowledge (CBK) for the CIPP/IT certification is described on the following pages in outline form. The course consists of six subject matter areas:

  I. System Activities that Impact End User Privacy
  II. Data Subject Privacy Expectations and Behaviors
  III. Privacy Protection Mechanisms
  IV. Providing Notice and Choice
  V. Auditing and Enforcing IT Privacy Compliance
  VI. Implementing Technologies with Privacy Impacts

Course References

Training for CIPP/IT certification is optional and available through the Certification Foundation Training Workshop and the CIPP/IT Training Workshop. Each of these courses is presented as live classroom instruction sessions at major IAPP conferences and events. For additional program references, please consult the CIPP/IT supplemental reading list.
Outline of the Common Body of Knowledge (CBK) for The Certified Information Privacy Professional/Information Technology (CIPP/IT)

I. System Activities that Impact End User Privacy
  A. The Information Lifecycle
    a. Manual processes
      i. Interaction
      ii. Data entry
    b. Systems
      i. Operating and file
      ii. Database
      iii. Applications
      iv. Network and data transport
      v. Web services
      vi. Client services
    c. Data types
      i. Personally identifiable information (PII)
      ii. Regulated information (SOX, HIPAA)
      iii. Credit card information
      iv. Trade secrets (organization)
      v. Contractual information (partners, customers)
  B. The IT Development Lifecycle
    a. Privacy intersections in the development process
      i. Release planning
      ii. Definition
      iii. Development
      iv. Validation
      v. Deployment
  C. Data collection and transfer
    a. Responsibilities of the IT professional
    b. Determining data accountability
      i. Ownership of data
      ii. Data inventory
      iii. Degree of data sensitivity
    c. Purpose and uses of PII
      i. PCI regulated data
    d. Employee data uses
    e. Onward transfers of data
      i. External parties
      ii. Storage/transfer media
      iii. Routine and non-routine transfers
    f. Employee data challenges
      i. Locations and modes
      ii. Business use of mobile services
  D. Data Security
    a. Top 20 security risks (SANS)
      i. Client-side
      ii. Server-side
      iii. Security policy and personnel
      iv. Application
        1. SQL injection
      v. Network
    b. Credit card information
      i. Cardholder data types
      ii. Application of Payment Card Industry Data Security Standards (PCI DSS)
  E. Data Storage
    a. Types of storage
      i. Persistent
      ii. Transient
    b. Location of storage
      i. Systems
      ii. Location
  F. Data Processing
    a. Internal processing
      i. Primary and secondary uses
    b. Relationships with third parties
      i. Global resourcing and outsourcing
      ii. Vendor management
  G. Data Retention and Destruction
    a. Period of retention
    b. Duplication of records
    c. Consistency of policy and practice
  H. Data Access and redress
    a. Legal requirements
    b. Business rationale
    c. Access mechanisms
    d. Handling requests
  I. Privacy and System Design
    a. Applying Fair Information Practice principles
      i. Collection limitation
      ii. Data quality
      iii. Purpose specification
      iv. Use limitation
      v. Security safeguards
      vi. Openness
      vii. Individual participation
      viii. Accountability

II. Data Subject Privacy Expectations and Behaviors
  A. Privacy Expectations
    a. The consumer perspective
    b. Organizational practices
  B. Privacy Responsibility Framework
    a. User sphere
    b. Joint sphere
    c. Recipient sphere
    d. Engineering issues and responsibilities
  C. E-commerce Personalization
    a. End user benefits
    b. End user privacy concerns
      i. Unsolicited marketing
      ii. Inaccurate inferences
      iii. Price discrimination
      iv. Unauthorized account access or data sharing
  D. System Monitoring
    a. Phone-home software
III. Privacy Protection Mechanisms
  A. Privacy by Architecture
    a. Addressing data protection gaps
    b. Separating profile and transaction data
    c. Granularity levels for data collection
    d. Limiting common attributes and identifiers
    e. Regular or forced deletion of profile data
    f. Decentralized privacy architecture
  B. Privacy by policy
    a. Notice and choice
    b. Security safeguards
    c. Access
    d. Accountability
      i. Audits
  C. Identifiability
    a. Labels that point to individuals
    b. Strong and weak identifiers
    c. Pseudonymous and anonymous data
    d. Degrees of identifiability
      i. Definition under the EU Directive
      ii. Privacy stages and system characteristics
        1. Identifiable versus identified
        2. Linkable versus linked
  D. Privacy-enhancing Techniques
    a. Web security protocols
      i. Transport Security Layer (TLS)
      ii. Secure Sockets Layer (SSL)
      iii. Hypertext Transfer Protocol-Secure (HTTPS)
    b. Automated data retrieval
    c. Automated system audits
    d. Data masking and data obfuscation
    e. Data encryption
      i. Cryptography
        1. Crypto design and implementation considerations
        2. Application or field encryption
        3. File encryption
        4. Disk encryption
  E. Privacy-enhancing Tools
    a. Limiting or preventing automated data capture
    b. Combating threats and exploits
    c. Anonymity tools
      i. Anonymizers
      ii. Privacy-preserving data mining
      iii. Applications of anonymity tools
        1. Communication and publishing
        2. Payment processing
        3. Voting and surveying
        4. Credentialing
        5. Anonymity by Web proxy
          a. The Tor Anonymity System

IV. Providing Notice and Choice
  A. Types of notice and choice
    a. Policy components
    b. Means of distribution
    c. Explicit and implicit consent
  B. Software-based notice and consent
    a. Guidelines
    b. End user license agreement (EULA)
    c. Mechanisms
      i. Out-of-box
      ii. Installation time
      iii. First-run
      iv. Just-in-time
      v. Collections and/or transfers of data
      vi. Online services
        1. Redirecting Internet searches and queries
        2. Modifying Web browser settings
        3. Activating a feature function with system impact
        4. Online advertising
        5. Software updates
        6. Software removal
        7. Location-based services
      vii. Machine-readable privacy policy languages
        1. Platform for Privacy Preferences Project (P3P)
          a. User agents
          b. Policy assertions
          c. Deployment
        2. Application Preference Exchange Language (APPEL)
        3. Enterprise Privacy Authorization Language (EPAL)
V. Auditing and Enforcing IT Privacy Compliance
  A. Data Governance
    a. Management, control and evaluation frameworks
      i. ISO/IEC 38500:2008
      ii. Control Objectives for Information and Related Technology (COBIT)
    b. IT service management frameworks
      i. Information Technology Infrastructure Library (ITIL)
      ii. IBM Tivoli Unified Process (ITUP)
    c. Industry consortia security frameworks
      i. Payment Card Industry Data Security Standards (PCI DSS)
      ii. Health Information Trust Alliance (HITRUST)
    d. Security risk and compliance review (SRCR)
  B. Audits in the Context of Privacy
    a. Defining the audit
    b. Understanding the range of options
      i. Gap assessments (risk)
      ii. Legal reviews (compliance)
      iii. Attestation (third party)
    c. Generally Accepted Privacy Principles (GAPP) framework
    d. Role of the IT auditor
      i. Privacy impact assessments (PIA)
      ii. Control objectives
      iii. Evidence and documentation
      iv. Testing and verification
    e. IT internal audit
      i. Working with legal and compliance partners

VI. Implementing Technologies with Privacy Impacts
  A. Software as a Service (SaaS)
    a. Cloud Computing Platforms
      i. Location considerations
      ii. Impacts on privacy obligations and protections
      iii. Legal uncertainty
  B. Wireless IDs
    a. Radio Frequency Identification (RFID)
    b. Bluetooth devices
  C. Location-based services
    a. Global Positioning Systems (GPS)
    b. Geographic Information Systems (GIS)
  D. Identity and Access Management (IAM)
    a. Role-based access control (RBAC)
    b. User-based access controls
    c. Context of authority
      i. User to site
      ii. User to enterprise
        1. Multiple enterprises
    d. Cross-enterprise authentication and authorization models
      i. Liberty Alliance Project
      ii. Open ID Federation
      iii. Identity Metasystem Architecture
  E. Business Intelligence and Analytics
    a. Applications
    b. Demand among businesses and governments
    c. Risks