ITM 706 Study Guide - Final Guide: Systems Development Life Cycle, Operations Security, Cobit

PRIVACY
What is Privacy: It is freedom of choice, personal control and informational self-determination. Privacy is the right to be left alone; privacy is protected; it is about identification and its key elements.
Privacy (Context):
PII - Personally identifiable information
Privacy architecture
PIA - Privacy impact assessment
Privacy risks (PbD - Privacy by Design)
Protecting Privacy: Fair Information Practices (FIP):
1. Consent - The knowledge and consent of the individual are required for the collection,
use, or disclosure of personal information, except where inappropriate.
2. Accountability - An organization is responsible for personal information under its
control and shall designate an individual or individuals who are accountable for the
organization’s compliance with the following principles.
3. Identifying purpose - The purposes for which personal information is collected shall be
identified by the organization at or before the time the information is collected.
4. Collection Limitation - The collection of personal information shall be limited to that
which is necessary for the purposes identified by the organization. Information shall be
collected by fair and lawful means.
5. Use, retention and disclosure limitation - Personal information shall not be used or
disclosed for purposes other than those for which it was collected, except with the
consent of the individual or as required by law. Personal information shall be retained
only as long as necessary for the fulfilment of those purposes.
6. Accuracy - Personal information shall be as accurate, complete, and up-to-date as is
necessary for the purposes for which it is to be used.
7. Security - Personal information shall be protected by security safeguards appropriate to
the sensitivity of the information.
8. Openness - An organization shall make readily available to individuals specific
information about its policies and practices relating to the management of personal
information.
9. Access - Upon request, an individual shall be informed of the existence, use, and
disclosure of his or her personal information and shall be given access to that
information. An individual shall be able to challenge the accuracy and completeness of
the information and have it amended as appropriate.
10. Compliance - An individual shall be able to address a challenge concerning
compliance with the above principles to the designated individual or individuals
accountable for the organization’s compliance.
Principle of triangulation: Triangulation means that information identifying who you are
can be obtained by combining the answers to several different questions. (Example: surveys)
The Privacy Payoff: Competitive advantage, consumer trust and confidence, brand
reputation, customer loyalty.
Privacy Content: is what is in the privacy
7 Principles - Privacy by Design (PBD):
1. Proactive/Preventative - Anticipating and preventing privacy-invasive events before they
happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for
resolving privacy infractions once they have occurred.
2. Privacy by Default - Seeking to deliver the maximum degree of privacy by ensuring that
personal data are automatically protected in any given IT system or business practice. If
an individual does nothing, their privacy still remains intact.
3. Embedded in Design - Privacy by Design is embedded into the design and architecture of
IT systems and business practices. It is not bolted on as an add-on, after the fact. The
result is that privacy becomes an essential component of the core functionality being
delivered.
4. Positive-Sum, not Zero-Sum - Seeking to accommodate all legitimate interests and
objectives in a positive-sum "win-win" manner, not through a dated, zero-sum approach,
where unnecessary trade-offs are made.
5. End-to-End Security; Lifecycle Protection - PbD, having been embedded into the system
prior to the first element of information being collected, extends securely throughout the
entire lifecycle of the data involved. Strong security measures are essential to privacy,
from start to finish.
6. Visibility/Transparency - Seeks to assure all stakeholders that, whatever the business
practice or technology involved, it is in fact operating according to the stated promises
and objectives, subject to independent verification.
7. Respect for Users - PbD requires architects and operators to keep the interests of the
individual uppermost by offering such measures as strong privacy defaults, appropriate
notice, and empowering user-friendly options. Keep it user-centric.
COBIT 5
COBIT (Control Objectives for Information and Related Technology) is a standard for IT
governance, initially published in 1996 by the Information Systems Audit and
Control Association (ISACA). It is a framework that provides organizations with "good
practices" that help in implementing an IT governance structure throughout the enterprise.
It aims to bridge the gaps between business risks, control needs, and technical issues.
The core of the COBIT framework is the control objectives and management guidelines
for a set of IT processes, which are grouped into five domains:
1. Evaluate, direct and monitor
2. Align, plan and organize
3. Build, acquire and implement
4. Deliver, service and support
5. Monitor, evaluate and assess
The COBIT 5 Framework
- Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a
balance between realising benefits and optimising risk levels and resource use.
- COBIT 5 enables information and related technology to be governed and managed in a
holistic manner for the entire enterprise, taking in the full end-to-end business and
functional areas of responsibility, considering the IT-related interests of internal and
external stakeholders.