Access Control List - ✅✅ -A list of access control entries (ACE) that apply to an
object. Each ACE controls or monitors access to an object by a specified user. In a
discretionary access control list (DACL), the ACL controls access; in a system
access control list (SACL) the ACL monitors access in a security event log which can
comprise part of an audit trail.
Accountability -✅✅ -A fair information practices principle, it is the idea that when
personal information is to be transferred to another person or organization, the
personal information controller should obtain the consent of the individual or exercise
due diligence and take reasonable steps to ensure that the recipient person or
organization will protect the information consistently with other fair use principles.
Active Data Collection - ✅✅ -When an end user deliberately provides information,
typically through the use of web forms, text boxes, check boxes or radio buttons.
AdChoices - ✅✅ -A program run by the Digital Advertising Alliance to promote
awareness and choice in advertising for internet users. Websites with ads from
participating DAA members will have an AdChoices icon near advertisements or at
the bottom of their pages. By clicking on the Adchoices icon, users may set
preferences for behavioral advertising on that website or with DAA members
generally across the web.
Adequate Level of Protection - ✅✅ -A label that the EU may apply to third-party
countries who have committed to protect data through domestic law making or
international commitments. Conferring of the label requires a proposal by the
European Commission, an Article 29 Working Group Opinion, an opinion of the
article 31 Management Committee, a right of scrutiny by the European Parliament
and adoption by the European Commission.
Advanced Encryption Standard - ✅✅ -An encryption algorithm for security sensitive
non-classified material by the U.S. Government. This algorithm was selected in 2001
to replace the previous algorithm, the Date Encryption Standard (DES), by the
National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce
Department, through an open competition. The winning algorithm (RijnDael,
pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen
and Vincent Rijmen.
Adverse Action - ✅✅ -Under the Fair Credit Reporting Act, the term "adverse
action" is defined very broadly to include all business, credit and employment actions
affecting consumers that can be considered to have a negative impact, such as
denying or canceling credit or insurance, or denying employment or promotion. No
adverse action occurs in a credit transaction where the creditor makes a counteroffer
that is accepted by the consumer. Such an action requires that the decision maker
,furnish the recipient of the adverse action with a copy of the credit report leading to
the adverse action.
Agile Development Model - ✅✅ -A process of software system and product design
that incorporates new system requirements during the actual creation of the system,
as opposed to the Plan-Driven Development Model. Agile development takes a given
project and focuses on specific portions to develop one at a time. An example of
Agile development is the Scrum Model.
Anonymization - ✅✅ -The process in which individually identifiable data is altered in
such a way that it no longer can be related back to a given individual. Among many
techniques, there are three primary ways that data is anonymized. Suppression is
the most basic version of anonymization and it simply removes some identifying
values from data to reduce its identifiability. Generalization takes specific identifying
values and makes them broader, such as changing a specific age (18) to an age
range (18-24). Noise addition takes identifying values from a given data set and
switches them with identifying values from another individual in that data set. Note
that all of these processes will not guarantee that data is no longer identifiable and
have to be performed in such a way that does not harm the usability of the data.
Anonymous Data - ✅✅ -Data sets that in no way indicate to whom the data
belongs. Replacing user names with unique ID numbers DOES NOT make the data
set anonymous even if identification seems impractical.
Antidiscrimination Laws -✅✅-Refers to the right of people to be treated equally.
Application-Layer Attacks - ✅✅-Attacks that exploit flaws in the network
applications installed on network servers. Such weaknesses exist in web browsers,
e-mail server software, network routing software and other standard enterprise
applications. Regularly applying patches and updates to applications may help
prevent such attacks.
Asymmetric Encryption - ✅✅ -A form of data encryption that uses two separate but
related keys to encrypt data. The system uses a public key, made available to other
parties, and a private key, which is kept by the first party. Decryption of data
encrypted by the public key requires the use of the private key; decryption of the
data encrypted by the private key requires the public key.
Attribute-Based Access Control - ✅✅ -An authorization model that provides
dynamic access control by assigning attributes to the users, the data, and the
context in which the user requests access (also referred to as environmental factors)
and analyzes these attributes together to determine access.
, ✅✅
Audit Trail - -A chain of electronic activity or sequence of paperwork used to
monitor, track, record, or validate an activity. The term originates in accounting as a
reference to the chain of paperwork used to validate or invalidate accounting entries.
It has since been adapted for more general use in e-commerce, to track customer's
activity, or cyber-security, to investigate cybercrimes.
Authentication -✅✅ -The process by which an entity (such as a person or
computer system) determines whether another entity is who it claims to be.
Authentication identified as an individual based on some credential; i.e. a password,
biometrics, etc. Authentication is different from authorization. Proper authentication
ensures that a person is who he or she claims to be, but it says nothing about the
access rights of the individual.
Authorization -✅✅ -In the context of information security, it is process of
determining if the end user is permitted to have access to the desired resource such
as the information asset or the information system containing the asset.
Authorization criteria may be based upon a variety of factors such as organizational
role, level of security clearance, applicable law or a combination of factors. When
effective, authentication validates that the entity requesting access is who or what it
claims to be.
✅✅
Basel III - -A comprehensive set of reform measures, developed by the Basel
Committee on Banking Supervision, to strengthen the regulation, supervision and
risk management of the banking sector.
Behavioral Advertising - ✅✅ -The act of tracking users' online activities and then
delivering ads or recommendations based upon the tracked activities. The most
comprehensive form of targeted advertising. By building a profile on a user through
their browsing habits such as sites they visit, articles read, searches made, ads
previously clicked on, etc., advertising companies place ads pertaining to the known
information about the user across all websites visited. Behavioral Advertising also
uses data aggregation to place ads on websites that a user may not have shown
interest in, but similar individuals had shown interest in.
Big Data - ✅✅ -A term used to describe the large data sets which exponential
growth in the amount and availability of data have allowed organizations to collect.
Big data has been articulated as "the three V's: volume (the amount of data), velocity
(the speed at which data may now be collected and analyzed), and variety (the
format, structured or unstructured, and type of data, e.g. transactional or behavioral).
Biometrics - ✅✅ -Data concerning the intrinsic physical or behavioral
characteristics of an individual. Examples include DNA, fingerprints, retina and iris
patterns, voice, face, handwriting, keystroke technique and gait.
, Breach Disclosure - ✅✅ -The requirement that a data controller notify regulators
and victims of incidents affecting the confidentiality and security of personal data. It
is a transparency mechanism highlights operational failures, this helps mitigate
damage and aids in the understanding of causes of failure.
Bring Your Own Device - ✅✅-Use of employees' own personal computing devices
for work purposes.
Browser Fingerprinting - ✅✅ -As technology has advanced, it has become easier to
differentiate between users just based on the given instance of the browser they are
using. Each browser keeps some information about the elements it encounters on a
given webpage. For instance, a browser will keep information on a text font so that
the next time that font is encountered on a webpage, the information can be
reproduced more easily. Because each of these saved elements have been
accessed at different times and in different orders, each instance of a browser is to
some extent unique. Tracking users using this kind of technology continues to
become more prevalent.
Caching - ✅✅ -The saving of local copies of downloaded content, reducing the
need to repeatedly download content. To protect privacy, pages that display personal
information should be set to prohibit caching.
California Online Privacy Protection Act - ✅✅ -Requires that all websites catering to
California citizens provide a privacy statement to visitors and a easy-to-find link to it
on their web pages. Websites that carry personal data on children less than 18 years
of age must permit those children to delete data collected about them. Websites also
must inform visitors of the type of Do Not Track mechanisms they support or if they
do not support any at all.
Children's Online Privacy Protection Act (COPPA) of 1998 - ✅✅ -A U.S. federal law
that applies to the operators of commercial websites and online services that are
directed to children under the age of 13. It also applies to general audience websites
and online services that have actual knowledge that they are collecting personal
information from children under the age of 13. COPPA requires these website
operators: to post a privacy policy on the homepage of the website; provide notice
about collection practices to parents; obtain verifiable parental consent before
collecting personal information from children; give parents a choice as to whether
their child's personal information will be disclosed to third parties; provide parents
access and the opportunity to delete the child's personal information and opt out of
future collection or use of the information, and maintain the confidentiality, security
and integrity of personal information collected from children.
Choice - ✅✅ -An individual's ability to determine whether or how their personal
information may be used or disclosed by the entity that collected the information.
