關(guān)于我們
書單推薦
新書推薦
|
國際注冊數(shù)據(jù)隱私安全專家認證(CDPSE):考試復(fù)習(xí)手冊 讀者對象:CDPSE考生;負責(zé)評估和確保法務(wù)和合規(guī)的專業(yè)人員;負責(zé)隱私保護政策和流程的開發(fā)、實施和運維的專業(yè)人員;與信息技術(shù)和數(shù)據(jù)治理流程打交道的人員
CDPSE 認證全稱為Certified Data Privacy Solutions Engineer,旨在評估技術(shù)專業(yè)人員通過設(shè)計實現(xiàn)隱私的能力,以使組織能夠增強隱私技術(shù)平臺和產(chǎn)品,從而為消費者帶來利益,建立信任,以及促進數(shù)據(jù)隱私。ISACA協(xié)會發(fā)現(xiàn)在眾多企業(yè)中,負責(zé)隱私政策落地和實施的IT人員缺乏相應(yīng)的專業(yè)知識和培訓(xùn)。大部分現(xiàn)有的隱私保護相關(guān)認證主要是很對企業(yè)法務(wù),這會增加法務(wù)和隱私保護落地實施的IT人員溝通成本。因此,ISACA 新推出了數(shù)據(jù)隱私保護工程師認證(CDPSE)。該認證不僅涉及隱私治理,更關(guān)注隱私技術(shù)控制。同時也成功搭建起法務(wù)和技術(shù)部門之間的橋梁。本書幫助參加CDPSE考試人員完整全面復(fù)習(xí)考試涉及內(nèi)容, 積極備考。
ISACA(國際信息系統(tǒng)審計協(xié)會)是一家成立于1969年的非營利組織,總部設(shè)在美國芝加哥。 ISACA是享譽全球的提供信息系統(tǒng)鑒證及安全,企業(yè)IT治理與管理,IT風(fēng)險及合規(guī)性知識、認證、社區(qū),倡導(dǎo)教育的領(lǐng)導(dǎo)組織。 ISACA在其近50年歷史中,致力于幫助專業(yè)人員和企業(yè)實現(xiàn)技術(shù)的最大潛力。當(dāng)今世界為技術(shù)所驅(qū)動,ISACA為全球?qū)I(yè)人員提供知識、職業(yè)認證并打造社群網(wǎng)絡(luò),助力其職業(yè)進階,推動他們所在的機構(gòu)轉(zhuǎn)型,通過技術(shù)實現(xiàn)創(chuàng)新。ISACA希望與全球的專業(yè)人士一起,不斷完善信息安全與IT風(fēng)險的行業(yè)規(guī)范,持續(xù)提升信息安全技術(shù)水平,為政府、企業(yè)、組織構(gòu)建堅實的信息安全屏障。ISACA全球社區(qū)中有50多萬名從事信息與網(wǎng)絡(luò)安全、治理、審計與鑒證、風(fēng)險與創(chuàng)新工作的人員。ISACA旗下的CMMI則專注于企業(yè)能力成熟度的評估與改進。ISACA在全球80個國家設(shè)有200個分會,并在中國開設(shè)辦公室。
ISACA(國際信息系統(tǒng)審計協(xié)會)是一家成立于1969年的非營利組織,總部設(shè)在美國芝加哥。 ISACA是享譽全球的提供信息系統(tǒng)鑒證及安全,企業(yè)IT治理與管理,IT風(fēng)險及合規(guī)性知識、認證、社區(qū),倡導(dǎo)教育的領(lǐng)導(dǎo)組織。?ISACA?在其近50年歷史中,致力于幫助專業(yè)人員和企業(yè)實現(xiàn)技術(shù)的最大潛力。當(dāng)今世界為技術(shù)所驅(qū)動,ISACA為全球?qū)I(yè)人員提供知識、職業(yè)認證并打造社群網(wǎng)絡(luò),助力其職業(yè)進階,推動他們所在的機構(gòu)轉(zhuǎn)型,通過技術(shù)實現(xiàn)創(chuàng)新。ISACA希望與全球的專業(yè)人士一起,不斷完善信息安全與IT風(fēng)險的行業(yè)規(guī)范,持續(xù)提升信息安全技術(shù)水平,為政府、企業(yè)、組織構(gòu)建堅實的信息安全屏障。ISACA全球社區(qū)中有50多萬名從事信息與網(wǎng)絡(luò)安全、治理、審計與鑒證、風(fēng)險與創(chuàng)新工作的人員。ISACA旗下的CMMI則專注于企業(yè)能力成熟度的評估與改進。ISACA在全球80個國家設(shè)有200個分會,并在中國開設(shè)辦公室。今天,ISACA在全球有140,000名成員,他們的組成非常具有多元性。這些成員在188個國家內(nèi)生活和工作,并涵蓋眾多專業(yè)信息技術(shù)的相關(guān)職業(yè),比如信息系統(tǒng)審計師、顧問、教導(dǎo)員、信息系統(tǒng)安全專家、管理者、首席信息官和內(nèi)部審計師等。有些職業(yè)是本領(lǐng)域內(nèi)新興的,其他為中級管理人員,另外還有許多人擔(dān)任最高級的職位。他們幾乎遍及所有行業(yè),包括財政金融、公共會計、政府與公共部門、公用事業(yè)和制造業(yè)。這種多元性使眾多成員能夠相互學(xué)習(xí),并在許多專業(yè)問題上廣泛交流彼此的觀點。該特點一直被認為是ISACA的強勢之一。
目錄
關(guān)于本手冊 .............................................................................................................................13 概述........................................................................................................................................................................................................13 本手冊的編排........................................................................................................................................................................................13 準(zhǔn)備 CDPSE 考試.................................................................................................................................................................................14 開始準(zhǔn)備................................................................................................................................................................................................14 使用《CDPSE? 考試復(fù)習(xí)手冊》......................................................................................................................................................14 考試復(fù)習(xí)手冊中的模塊 ..............................................................................................................................................................14 CDPSE 考試中的題目類型..................................................................................................................................................................15 第 1 章: 隱私治理 ..................................................................................................................................17 概述............................................................................................................................................................18 領(lǐng)域 1:考試內(nèi)容大綱.........................................................................................................................................................................18 學(xué)習(xí)目標(biāo)/任務(wù)說明...............................................................................................................................................................................18 深造學(xué)習(xí)參考資料................................................................................................................................................................................19 自我評估問題........................................................................................................................................................................................21 A 部分:治理 ............................................................................................................................................23 1.1 個人數(shù)據(jù)和信息 ..................................................................................................................................................................24 1.1.1 定義個人數(shù)據(jù)和個人信息 ......................................................................................................................................25 1.2 不同司法管轄區(qū)的隱私法律和標(biāo)準(zhǔn) ..................................................................................................................................26 1.2.1 隱私法律和法規(guī)的應(yīng)用 ..........................................................................................................................................26 1.2.2 隱私保護法律模式 ..................................................................................................................................................26 1.2.3 隱私法律和法規(guī) ......................................................................................................................................................28 1.2.4 隱私標(biāo)準(zhǔn) ..................................................................................................................................................................29 1.2.5 隱私原則和框架 ......................................................................................................................................................30 1.2.6 隱私自我監(jiān)管標(biāo)準(zhǔn) ..................................................................................................................................................31 1.3 隱私記錄 ..............................................................................................................................................................................32 1.3.1 文檔類型 ..................................................................................................................................................................33 隱私告知....................................................................................................................................................................33 同意書........................................................................................................................................................................34 隱私政策....................................................................................................................................................................34 隱私程序....................................................................................................................................................................34 處理記錄....................................................................................................................................................................35 糾正行動計劃............................................................................................................................................................35 數(shù)據(jù)保護影響評估....................................................................................................................................................36 備案通知制度............................................................................................................................................................36 個人信息清單............................................................................................................................................................36 其他類型的文檔........................................................................................................................................................37 1.4 法律目的、同意和合法權(quán)益 ..............................................................................................................................................38 1.4.1 法律目的 ..................................................................................................................................................................38 1.4.2 同意 ..........................................................................................................................................................................38 1.4.3 合法權(quán)益 ..................................................................................................................................................................39 1.5 數(shù)據(jù)主體的權(quán)利 ..................................................................................................................................................................40 B 部分:管理 ............................................................................................................................................42 1.6 與數(shù)據(jù)有關(guān)的角色和職責(zé) ..................................................................................................................................................42 1.7 隱私培訓(xùn)和意識 ..................................................................................................................................................................46 1.7.1 內(nèi)容與交付 ..............................................................................................................................................................46 1.7.2 培訓(xùn)頻次 ..................................................................................................................................................................47 1.7.3 衡量培訓(xùn)和意識 ......................................................................................................................................................48 1.8 供應(yīng)商和第三方管理 ..........................................................................................................................................................48 1.8.1 法律要求 ..................................................................................................................................................................48 1.8.2 管理程序 ..................................................................................................................................................................49 1.9 審計流程 ..............................................................................................................................................................................51 1.10 隱私事件管理 ....................................................................................................................................................................52 C 部分:風(fēng)險管理....................................................................................................................................55 1.11 風(fēng)險管理流程.....................................................................................................................................................................55 1.12 影響隱私的存在問題的數(shù)據(jù)操作 ....................................................................................................................................56 1.12.1 漏洞 ........................................................................................................................................................................56 1.12.2 存在問題的數(shù)據(jù)操作 ............................................................................................................................................57 利用漏洞的方法........................................................................................................................................................58 1.12.3 隱私危害和問題 ....................................................................................................................................................60 常見隱私危害的示例................................................................................................................................................60 與數(shù)據(jù)處理有關(guān)的存在問題的數(shù)據(jù)操作示例........................................................................................................60 1.13 隱私影響評估 ....................................................................................................................................................................61 1.13.1 已建立的 PIA 方法 ................................................................................................................................................62 美國政府 PIA ............................................................................................................................................................62 加拿大政府 PIA ........................................................................................................................................................63 新加坡政府 DPIA .....................................................................................................................................................64 菲律賓政府 PIA ........................................................................................................................................................64 英國政府 DPIA .........................................................................................................................................................65 1.13.2 NIST 隱私風(fēng)險評估方法 ......................................................................................................................................65 1.13.3 歐盟 GDPR DPIA 方法 .........................................................................................................................................66 第 2 章: 隱私架構(gòu) .................................................................................................................................69 概述............................................................................................................................................................70 領(lǐng)域 2:考試內(nèi)容大綱.........................................................................................................................................................................70 學(xué)習(xí)目標(biāo)/任務(wù)說明...............................................................................................................................................................................71 深造學(xué)習(xí)參考資料................................................................................................................................................................................71 A 部分:基礎(chǔ)設(shè)施 ....................................................................................................................................75 2.1 自主管理型基礎(chǔ)設(shè)施,包括技術(shù)棧 .................................................................................................................................76 2.1.1 本地中心的非云替代方案 ......................................................................................................................................77 托管服務(wù)數(shù)據(jù)中心....................................................................................................................................................77 主機托管數(shù)據(jù)中心....................................................................................................................................................77 2.1.2 自主管理型基礎(chǔ)設(shè)施的優(yōu)勢 ..................................................................................................................................78 控制............................................................................................................................................................................78 開發(fā)............................................................................................................................................................................78 安全............................................................................................................................................................................78 治理............................................................................................................................................................................78 2.1.3 自主管理型基礎(chǔ)設(shè)施的局限性 ..............................................................................................................................79 成本............................................................................................................................................................................79 系統(tǒng)管理....................................................................................................................................................................79 可擴展性....................................................................................................................................................................79 系統(tǒng)可用性................................................................................................................................................................79 2.1.4 關(guān)鍵隱私問題 ..........................................................................................................................................................80 系統(tǒng)權(quán)限和訪問........................................................................................................................................................80 日志記錄....................................................................................................................................................................80 監(jiān)控和警報................................................................................................................................................................81 隱私法律審查............................................................................................................................................................81 2.2 云計算 ..................................................................................................................................................................................82 2.2.1 云數(shù)據(jù)中心 ..............................................................................................................................................................82 2.2.2 云計算的基本特征 .................................................................................................................................................83 2.2.3 云服務(wù)模型 ..............................................................................................................................................................83 2.2.4 責(zé)任共擔(dān)模型 ..........................................................................................................................................................84 2.2.5 云計算的優(yōu)勢 ..........................................................................................................................................................86 成本............................................................................................................................................................................86 安全............................................................................................................................................................................86 可擴展性....................................................................................................................................................................86 向上/下擴展(縱向擴展) .............................................................................................................................86 向外/內(nèi)擴展(橫向擴展) .............................................................................................................................87 擴展方法 ..........................................................................................................................................................87 數(shù)據(jù)可訪問性............................................................................................................................................................87 2.2.6 云計算的局限性 ......................................................................................................................................................87 失去控制....................................................................................................................................................................87 成本............................................................................................................................................................................88 互聯(lián)網(wǎng)依賴/停機時間...............................................................................................................................................88 安全與隱私................................................................................................................................................................88 2.3 終端 ......................................................................................................................................................................................88 2.3.1 實現(xiàn)終端安全性的方法 ..........................................................................................................................................89 2.4 遠程訪問 ..............................................................................................................................................................................90 2.4.1 虛擬私有網(wǎng)絡(luò) ..........................................................................................................................................................90 問題............................................................................................................................................................................90 風(fēng)險............................................................................................................................................................................90 用戶憑證風(fēng)險 ..................................................................................................................................................90 惡意軟件和病毒 ..............................................................................................................................................90 拆分隧道 ..........................................................................................................................................................90 2.4.2 桌面共享 ..................................................................................................................................................................91 問題和風(fēng)險................................................................................................................................................................91 2.4.3 特權(quán)訪問管理 ..........................................................................................................................................................91 2.5 系統(tǒng)加固 ..............................................................................................................................................................................92 B 部分:應(yīng)用程序和軟件 ........................................................................................................................94 2.6 安全開發(fā)生命周期 ..............................................................................................................................................................94 2.6.1 隱私與安全開發(fā)生命周期的階段 ..........................................................................................................................94 需求收集....................................................................................................................................................................95 設(shè)計和編碼................................................................................................................................................................95 測試和發(fā)布................................................................................................................................................................95 維護............................................................................................................................................................................96 2.6.2 隱私設(shè)計 ..................................................................................................................................................................96 2.7 應(yīng)用程序和軟件加固 ..........................................................................................................................................................97 2.7.1 加固最佳實踐 ..........................................................................................................................................................98 2.8 API 和服務(wù) ..........................................................................................................................................................................99 2.8.1 API............................................................................................................................................................................99 2.8.2 Web 服務(wù) ................................................................................................................................................................100 2.9 跟蹤技術(shù) ............................................................................................................................................................................100 2.9.1 跟蹤技術(shù)的類型 ....................................................................................................................................................101 Cookie ......................................................................................................................................................................101 跟蹤像素..................................................................................................................................................................102 數(shù)字指紋識別/瀏覽器指紋識別.............................................................................................................................103 GPS 跟蹤 .................................................................................................................................................................103 射頻識別..................................................................................................................................................................103 C 部分:技術(shù)隱私控制..........................................................................................................................104 2.10 通信和傳輸協(xié)議 ..............................................................................................................................................................104 2.10.1 通信協(xié)議的類型 ..................................................................................................................................................105 2.10.2 局域網(wǎng) ..................................................................................................................................................................105 LAN 拓撲結(jié)構(gòu)與協(xié)議 ............................................................................................................................................105 LAN 組件 ................................................................................................................................................................106 2.10.3 TCP/IP 及其與 OSI 參考模型的關(guān)系.................................................................................................................107 TCP/IP 互聯(lián)網(wǎng)萬維網(wǎng)服務(wù) .....................................................................................................................................107 無線局域網(wǎng) ..............................................................................................................................................................110 2.10.4 傳輸層安全協(xié)議 ..................................................................................................................................................110 2.10.5 安全外殼 ..............................................................................................................................................................112 2.11 加密、哈希運算和去身份識別 .......................................................................................................................................112 2.11.1 加密 ......................................................................................................................................................................112 對稱算法 ..................................................................................................................................................................113 非對稱算法 ..............................................................................................................................................................114 量子密碼學(xué) ..............................................................................................................................................................115 2.11.2 去身份識別 ..........................................................................................................................................................115 2.11.3 哈希運算 ..............................................................................................................................................................115 消息的完整性和哈希運算算法 ..............................................................................................................................115 數(shù)字簽名 ..................................................................................................................................................................116 數(shù)字信封 ..................................................................................................................................................................117 2.11.4 加密系統(tǒng)的應(yīng)用 ..................................................................................................................................................117 IP 安全協(xié)議 .............................................................................................................................................................118 安全多功能互聯(lián)網(wǎng)郵件擴展協(xié)議 ..........................................................................................................................118 2.12 密鑰管理...........................................................................................................................................................................118 2.12.1 證書 ......................................................................................................................................................................118 2.12.2 公鑰基礎(chǔ)設(shè)施 ......................................................................................................................................................119 PKI 加密 ..................................................................................................................................................................119 2.13 監(jiān)控和日志記錄...............................................................................................................................................................119 2.13.1 監(jiān)控 ......................................................................................................................................................................120 2.13.2 日志記錄 ..............................................................................................................................................................120 2.13.3 隱私和安全日志記錄 ..........................................................................................................................................121 2.14 身份和訪問管理 ..............................................................................................................................................................122 2.14.1 系統(tǒng)訪問權(quán)限 ......................................................................................................................................................122 2.14.2 強制和自主訪問控制 ..........................................................................................................................................123 2.14.3 信息安全和外部相關(guān)方 ......................................................................................................................................124 識別與外部各方相關(guān)的風(fēng)險..................................................................................................................................124 滿足與客戶相關(guān)的安全要求..................................................................................................................................125 滿足第三方協(xié)議中的安全要求..............................................................................................................................125 人力資源安全和第三方 ................................................................................................................................127 篩選 ................................................................................................................................................................128 訪問權(quán)限的取消 ............................................................................................................................................128 第 3 章: 數(shù)據(jù)生命周期 .......................................................................................................................131 概述..........................................................................................................................................................132 領(lǐng)域 3:考試內(nèi)容大綱.......................................................................................................................................................................132 學(xué)習(xí)目標(biāo)/任務(wù)說明.............................................................................................................................................................................132 深造學(xué)習(xí)參考資料..............................................................................................................................................................................133 A 部分:數(shù)據(jù)目的 ..................................................................................................................................137 3.1 數(shù)據(jù)清單和分類 ................................................................................................................................................................140 3.1.1 數(shù)據(jù)清單 ................................................................................................................................................................140 創(chuàng)建數(shù)據(jù)清單..........................................................................................................................................................141 計劃 ................................................................................................................................................................141 決定 ................................................................................................................................................................141 填充 ................................................................................................................................................................142 發(fā)布 ................................................................................................................................................................142 3.1.2 數(shù)據(jù)分類 ................................................................................................................................................................142 3.2 數(shù)據(jù)質(zhì)量 ............................................................................................................................................................................143 3.2.1 數(shù)據(jù)質(zhì)量維度 ........................................................................................................................................................143 3.3 數(shù)據(jù)流和使用圖 ................................................................................................................................................................145 3.3.1 數(shù)據(jù)血緣 ................................................................................................................................................................147 3.4 數(shù)據(jù)使用限制 ....................................................................................................................................................................147 3.5 數(shù)據(jù)分析 ............................................................................................................................................................................148 3.5.1 用戶行為分析 ........................................................................................................................................................149 B 部分:數(shù)據(jù)持久化 ..............................................................................................................................150 3.6 數(shù)據(jù)最小化 ........................................................................................................................................................................151 3.7 數(shù)據(jù)遷移 ............................................................................................................................................................................152 3.7.1 數(shù)據(jù)轉(zhuǎn)換 ................................................................................................................................................................152 3.7.2 完善遷移方案 ........................................................................................................................................................153 回退(回滾)方案..................................................................................................................................................154 3.7.3 數(shù)據(jù)遷移后 ............................................................................................................................................................154 3.8 數(shù)據(jù)存儲 ............................................................................................................................................................................155 3.9 數(shù)據(jù)倉庫 ............................................................................................................................................................................156 3.9.1 提取、轉(zhuǎn)換、加載 ................................................................................................................................................156 分級層......................................................................................................................................................................157 表示層......................................................................................................................................................................157 3.9.2 其他注意事項 ........................................................................................................................................................157 3.10 數(shù)據(jù)保留和歸檔 ..............................................................................................................................................................157 3.11 數(shù)據(jù)銷毀...........................................................................................................................................................................158 3.11.1 數(shù)據(jù)匿名化 ..........................................................................................................................................................159 3.11.2 刪除 ......................................................................................................................................................................159 3.11.3 加密粉碎 ..............................................................................................................................................................159 3.11.4 消磁 ......................................................................................................................................................................159 3.11.5 銷毀 ......................................................................................................................................................................159 附錄 A:CDPSE 考試常規(guī)信息 ...................................................................................161 認證要求..............................................................................................................................................................................................161 成功完成 CDPSE 考試.......................................................................................................................................................................161 數(shù)據(jù)隱私經(jīng)驗......................................................................................................................................................................................161 考試介紹..............................................................................................................................................................................................161 報名參加 CDPSE 考試.......................................................................................................................................................................161 CDPSE 計劃再次通過 ISO/IEC 17024:2012 認證 ..........................................................................................................................162 預(yù)約安排考試日期..............................................................................................................................................................................162 考試入場..............................................................................................................................................................................................162 安排時間 ....................................................................................................................................................................................163 考試評分 ....................................................................................................................................................................................163 附錄 B:CDPSE 工作實務(wù) ...........................................................................................165 詞匯表 ...................................................................................................................................169
你還可能感興趣
我要評論
|