國際注冊數(shù)據(jù)隱私安全專家認(rèn)證(CDPSE):考試復(fù)習(xí)手冊
定 價:98 元
- 作者:(美)Information Systems Audit and Control Association(國際信息系統(tǒng)審計協(xié)會(ISACA))
- 出版時間:2022/3/1
- ISBN:9787121429491
- 出 版 社:電子工業(yè)出版社
- 中圖法分類:TP274
- 頁碼:184
- 紙張:
- 版次:01
- 開本:16開
CDPSE 認(rèn)證全稱為Certified Data Privacy Solutions Engineer����,旨在評估技術(shù)專業(yè)人員通過設(shè)計實現(xiàn)隱私的能力�,以使組織能夠增強隱私技術(shù)平臺和產(chǎn)品�,從而為消費者帶來利益�,建立信任,以及促進(jìn)數(shù)據(jù)隱私�。ISACA協(xié)會發(fā)現(xiàn)在眾多企業(yè)中��,負(fù)責(zé)隱私政策落地和實施的IT人員缺乏相應(yīng)的專業(yè)知識和培訓(xùn)�����。大部分現(xiàn)有的隱私保護(hù)相關(guān)認(rèn)證主要是很對企業(yè)法務(wù),這會增加法務(wù)和隱私保護(hù)落地實施的IT人員溝通成本�。因此�,ISACA 新推出了數(shù)據(jù)隱私保護(hù)工程師認(rèn)證(CDPSE)�����。該認(rèn)證不僅涉及隱私治理,更關(guān)注隱私技術(shù)控制��。同時也成功搭建起法務(wù)和技術(shù)部門之間的橋梁����。本書幫助參加CDPSE考試人員完整全面復(fù)習(xí)考試涉及內(nèi)容���, 積極備考。
ISACA(國際信息系統(tǒng)審計協(xié)會)是一家成立于1969年的非營利組織�����,總部設(shè)在美國芝加哥�。 ISACA是享譽全球的提供信息系統(tǒng)鑒證及安全�,企業(yè)IT治理與管理���,IT風(fēng)險及合規(guī)性知識、認(rèn)證��、社區(qū)��,倡導(dǎo)教育的領(lǐng)導(dǎo)組織。 ISACA在其近50年歷史中����,致力于幫助專業(yè)人員和企業(yè)實現(xiàn)技術(shù)的最大潛力。當(dāng)今世界為技術(shù)所驅(qū)動����,ISACA為全球?qū)I(yè)人員提供知識���、職業(yè)認(rèn)證并打造社群網(wǎng)絡(luò),助力其職業(yè)進(jìn)階����,推動他們所在的機構(gòu)轉(zhuǎn)型����,通過技術(shù)實現(xiàn)創(chuàng)新���。ISACA希望與全球的專業(yè)人士一起��,不斷完善信息安全與IT風(fēng)險的行業(yè)規(guī)范����,持續(xù)提升信息安全技術(shù)水平����,為政府、企業(yè)��、組織構(gòu)建堅實的信息安全屏障。ISACA全球社區(qū)中有50多萬名從事信息與網(wǎng)絡(luò)安全�、治理����、審計與鑒證、風(fēng)險與創(chuàng)新工作的人員�。ISACA旗下的CMMI則專注于企業(yè)能力成熟度的評估與改進(jìn)����。ISACA在全球80個國家設(shè)有200個分會����,并在中國開設(shè)辦公室。
ISACA(國際信息系統(tǒng)審計協(xié)會)是一家成立于1969年的非營利組織����,總部設(shè)在美國芝加哥�。 ISACA是享譽全球的提供信息系統(tǒng)鑒證及安全����,企業(yè)IT治理與管理����,IT風(fēng)險及合規(guī)性知識���、認(rèn)證、社區(qū)��,倡導(dǎo)教育的領(lǐng)導(dǎo)組織�。?ISACA?在其近50年歷史中����,致力于幫助專業(yè)人員和企業(yè)實現(xiàn)技術(shù)的最大潛力�����。當(dāng)今世界為技術(shù)所驅(qū)動���,ISACA為全球?qū)I(yè)人員提供知識���、職業(yè)認(rèn)證并打造社群網(wǎng)絡(luò),助力其職業(yè)進(jìn)階�,推動他們所在的機構(gòu)轉(zhuǎn)型��,通過技術(shù)實現(xiàn)創(chuàng)新�����。ISACA希望與全球的專業(yè)人士一起,不斷完善信息安全與IT風(fēng)險的行業(yè)規(guī)范�,持續(xù)提升信息安全技術(shù)水平�,為政府�����、企業(yè)、組織構(gòu)建堅實的信息安全屏障���。ISACA全球社區(qū)中有50多萬名從事信息與網(wǎng)絡(luò)安全、治理�、審計與鑒證����、風(fēng)險與創(chuàng)新工作的人員�����。ISACA旗下的CMMI則專注于企業(yè)能力成熟度的評估與改進(jìn)�����。ISACA在全球80個國家設(shè)有200個分會,并在中國開設(shè)辦公室�����。今天��,ISACA在全球有140,000名成員,他們的組成非常具有多元性����。這些成員在188個國家內(nèi)生活和工作�����,并涵蓋眾多專業(yè)信息技術(shù)的相關(guān)職業(yè)��,比如信息系統(tǒng)審計師、顧問�����、教導(dǎo)員���、信息系統(tǒng)安全專家、管理者��、首席信息官和內(nèi)部審計師等�。有些職業(yè)是本領(lǐng)域內(nèi)新興的��,其他為中級管理人員,另外還有許多人擔(dān)任最高級的職位�。他們幾乎遍及所有行業(yè)���,包括財政金融、公共會計�、政府與公共部門�、公用事業(yè)和制造業(yè)����。這種多元性使眾多成員能夠相互學(xué)習(xí),并在許多專業(yè)問題上廣泛交流彼此的觀點���。該特點一直被認(rèn)為是ISACA的強勢之一。
目錄
關(guān)于本手冊 .............................................................................................................................13 概述........................................................................................................................................................................................................13 本手冊的編排........................................................................................................................................................................................13 準(zhǔn)備 CDPSE 考試.................................................................................................................................................................................14 開始準(zhǔn)備................................................................................................................................................................................................14 使用《CDPSE? 考試復(fù)習(xí)手冊》......................................................................................................................................................14 考試復(fù)習(xí)手冊中的模塊 ..............................................................................................................................................................14
CDPSE 考試中的題目類型..................................................................................................................................................................15
第 1 章:
隱私治理 ..................................................................................................................................17
概述............................................................................................................................................................18 領(lǐng)域 1:考試內(nèi)容大綱.........................................................................................................................................................................18 學(xué)習(xí)目標(biāo)/任務(wù)說明...............................................................................................................................................................................18 深造學(xué)習(xí)參考資料................................................................................................................................................................................19 自我評估問題........................................................................................................................................................................................21
A 部分:治理 ............................................................................................................................................23
1.1 個人數(shù)據(jù)和信息 ..................................................................................................................................................................24
1.1.1 定義個人數(shù)據(jù)和個人信息 ......................................................................................................................................25
1.2 不同司法管轄區(qū)的隱私法律和標(biāo)準(zhǔn) ..................................................................................................................................26
1.2.1 隱私法律和法規(guī)的應(yīng)用 ..........................................................................................................................................26
1.2.2 隱私保護(hù)法律模式 ..................................................................................................................................................26
1.2.3 隱私法律和法規(guī) ......................................................................................................................................................28
1.2.4 隱私標(biāo)準(zhǔn) ..................................................................................................................................................................29
1.2.5 隱私原則和框架 ......................................................................................................................................................30
1.2.6 隱私自我監(jiān)管標(biāo)準(zhǔn) ..................................................................................................................................................31
1.3 隱私記錄 ..............................................................................................................................................................................32
1.3.1 文檔類型 ..................................................................................................................................................................33
隱私告知....................................................................................................................................................................33
同意書........................................................................................................................................................................34
隱私政策....................................................................................................................................................................34
隱私程序....................................................................................................................................................................34
處理記錄....................................................................................................................................................................35
糾正行動計劃............................................................................................................................................................35
數(shù)據(jù)保護(hù)影響評估....................................................................................................................................................36
備案通知制度............................................................................................................................................................36
個人信息清單............................................................................................................................................................36
其他類型的文檔........................................................................................................................................................37
1.4 法律目的、同意和合法權(quán)益 ..............................................................................................................................................38
1.4.1 法律目的 ..................................................................................................................................................................38
1.4.2 同意 ..........................................................................................................................................................................38
1.4.3 合法權(quán)益 ..................................................................................................................................................................39
1.5 數(shù)據(jù)主體的權(quán)利 ..................................................................................................................................................................40
B 部分:管理 ............................................................................................................................................42
1.6 與數(shù)據(jù)有關(guān)的角色和職責(zé) ..................................................................................................................................................42
1.7 隱私培訓(xùn)和意識 ..................................................................................................................................................................46
1.7.1 內(nèi)容與交付 ..............................................................................................................................................................46
1.7.2 培訓(xùn)頻次 ..................................................................................................................................................................47
1.7.3 衡量培訓(xùn)和意識 ......................................................................................................................................................48
1.8 供應(yīng)商和第三方管理 ..........................................................................................................................................................48
1.8.1 法律要求 ..................................................................................................................................................................48
1.8.2 管理程序 ..................................................................................................................................................................49
1.9 審計流程 ..............................................................................................................................................................................51
1.10 隱私事件管理 ....................................................................................................................................................................52
C 部分:風(fēng)險管理....................................................................................................................................55
1.11 風(fēng)險管理流程.....................................................................................................................................................................55
1.12 影響隱私的存在問題的數(shù)據(jù)操作 ....................................................................................................................................56
1.12.1 漏洞 ........................................................................................................................................................................56
1.12.2 存在問題的數(shù)據(jù)操作 ............................................................................................................................................57
利用漏洞的方法........................................................................................................................................................58
1.12.3 隱私危害和問題 ....................................................................................................................................................60
常見隱私危害的示例................................................................................................................................................60
與數(shù)據(jù)處理有關(guān)的存在問題的數(shù)據(jù)操作示例........................................................................................................60
1.13 隱私影響評估 ....................................................................................................................................................................61
1.13.1 已建立的 PIA 方法 ................................................................................................................................................62
美國政府 PIA ............................................................................................................................................................62
加拿大政府 PIA ........................................................................................................................................................63
新加坡政府 DPIA .....................................................................................................................................................64
菲律賓政府 PIA ........................................................................................................................................................64
英國政府 DPIA .........................................................................................................................................................65
1.13.2 NIST 隱私風(fēng)險評估方法 ......................................................................................................................................65
1.13.3 歐盟 GDPR DPIA 方法 .........................................................................................................................................66
第 2 章:
隱私架構(gòu) .................................................................................................................................69
概述............................................................................................................................................................70 領(lǐng)域 2:考試內(nèi)容大綱.........................................................................................................................................................................70 學(xué)習(xí)目標(biāo)/任務(wù)說明...............................................................................................................................................................................71 深造學(xué)習(xí)參考資料................................................................................................................................................................................71
A 部分:基礎(chǔ)設(shè)施 ....................................................................................................................................75
2.1 自主管理型基礎(chǔ)設(shè)施,包括技術(shù)棧 .................................................................................................................................76
2.1.1 本地中心的非云替代方案 ......................................................................................................................................77
托管服務(wù)數(shù)據(jù)中心....................................................................................................................................................77
主機托管數(shù)據(jù)中心....................................................................................................................................................77
2.1.2 自主管理型基礎(chǔ)設(shè)施的優(yōu)勢 ..................................................................................................................................78
控制............................................................................................................................................................................78
開發(fā)............................................................................................................................................................................78
安全............................................................................................................................................................................78
治理............................................................................................................................................................................78
2.1.3 自主管理型基礎(chǔ)設(shè)施的局限性 ..............................................................................................................................79
成本............................................................................................................................................................................79
系統(tǒng)管理....................................................................................................................................................................79
可擴展性....................................................................................................................................................................79
系統(tǒng)可用性................................................................................................................................................................79
2.1.4 關(guān)鍵隱私問題 ..........................................................................................................................................................80
系統(tǒng)權(quán)限和訪問........................................................................................................................................................80
日志記錄....................................................................................................................................................................80
監(jiān)控和警報................................................................................................................................................................81
隱私法律審查............................................................................................................................................................81
2.2 云計算 ..................................................................................................................................................................................82
2.2.1 云數(shù)據(jù)中心 ..............................................................................................................................................................82
2.2.2 云計算的基本特征 .................................................................................................................................................83
2.2.3 云服務(wù)模型 ..............................................................................................................................................................83
2.2.4 責(zé)任共擔(dān)模型 ..........................................................................................................................................................84
2.2.5 云計算的優(yōu)勢 ..........................................................................................................................................................86
成本............................................................................................................................................................................86
安全............................................................................................................................................................................86
可擴展性....................................................................................................................................................................86
向上/下擴展(縱向擴展) .............................................................................................................................86
向外/內(nèi)擴展(橫向擴展) .............................................................................................................................87
擴展方法 ..........................................................................................................................................................87
數(shù)據(jù)可訪問性............................................................................................................................................................87
2.2.6 云計算的局限性 ......................................................................................................................................................87
失去控制....................................................................................................................................................................87
成本............................................................................................................................................................................88
互聯(lián)網(wǎng)依賴/停機時間...............................................................................................................................................88
安全與隱私................................................................................................................................................................88
2.3 終端 ......................................................................................................................................................................................88
2.3.1 實現(xiàn)終端安全性的方法 ..........................................................................................................................................89
2.4 遠(yuǎn)程訪問 ..............................................................................................................................................................................90
2.4.1 虛擬私有網(wǎng)絡(luò) ..........................................................................................................................................................90
問題............................................................................................................................................................................90
風(fēng)險............................................................................................................................................................................90
用戶憑證風(fēng)險 ..................................................................................................................................................90
惡意軟件和病毒 ..............................................................................................................................................90
拆分隧道 ..........................................................................................................................................................90
2.4.2 桌面共享 ..................................................................................................................................................................91
問題和風(fēng)險................................................................................................................................................................91
2.4.3 特權(quán)訪問管理 ..........................................................................................................................................................91
2.5 系統(tǒng)加固 ..............................................................................................................................................................................92
B 部分:應(yīng)用程序和軟件 ........................................................................................................................94
2.6 安全開發(fā)生命周期 ..............................................................................................................................................................94
2.6.1 隱私與安全開發(fā)生命周期的階段 ..........................................................................................................................94
需求收集....................................................................................................................................................................95
設(shè)計和編碼................................................................................................................................................................95
測試和發(fā)布................................................................................................................................................................95
維護(hù)............................................................................................................................................................................96
2.6.2 隱私設(shè)計 ..................................................................................................................................................................96
2.7 應(yīng)用程序和軟件加固 ..........................................................................................................................................................97
2.7.1 加固最佳實踐 ..........................................................................................................................................................98
2.8 API 和服務(wù) ..........................................................................................................................................................................99
2.8.1 API............................................................................................................................................................................99
2.8.2 Web 服務(wù) ................................................................................................................................................................100
2.9 跟蹤技術(shù) ............................................................................................................................................................................100
2.9.1 跟蹤技術(shù)的類型 ....................................................................................................................................................101
Cookie ......................................................................................................................................................................101 跟蹤像素..................................................................................................................................................................102 數(shù)字指紋識別/瀏覽器指紋識別.............................................................................................................................103
GPS 跟蹤 .................................................................................................................................................................103
射頻識別..................................................................................................................................................................103
C 部分:技術(shù)隱私控制..........................................................................................................................104
2.10 通信和傳輸協(xié)議 ..............................................................................................................................................................104
2.10.1 通信協(xié)議的類型 ..................................................................................................................................................105
2.10.2 局域網(wǎng) ..................................................................................................................................................................105
LAN 拓?fù)浣Y(jié)構(gòu)與協(xié)議 ............................................................................................................................................105
LAN 組件 ................................................................................................................................................................106
2.10.3 TCP/IP 及其與 OSI 參考模型的關(guān)系.................................................................................................................107
TCP/IP 互聯(lián)網(wǎng)萬維網(wǎng)服務(wù) .....................................................................................................................................107
無線局域網(wǎng) ..............................................................................................................................................................110
2.10.4 傳輸層安全協(xié)議 ..................................................................................................................................................110
2.10.5 安全外殼 ..............................................................................................................................................................112
2.11 加密��、哈希運算和去身份識別 .......................................................................................................................................112
2.11.1 加密 ......................................................................................................................................................................112
對稱算法 ..................................................................................................................................................................113
非對稱算法 ..............................................................................................................................................................114
量子密碼學(xué) ..............................................................................................................................................................115
2.11.2 去身份識別 ..........................................................................................................................................................115
2.11.3 哈希運算 ..............................................................................................................................................................115
消息的完整性和哈希運算算法 ..............................................................................................................................115
數(shù)字簽名 ..................................................................................................................................................................116
數(shù)字信封 ..................................................................................................................................................................117
2.11.4 加密系統(tǒng)的應(yīng)用 ..................................................................................................................................................117
IP 安全協(xié)議 .............................................................................................................................................................118
安全多功能互聯(lián)網(wǎng)郵件擴展協(xié)議 ..........................................................................................................................118
2.12 密鑰管理...........................................................................................................................................................................118
2.12.1 證書 ......................................................................................................................................................................118
2.12.2 公鑰基礎(chǔ)設(shè)施 ......................................................................................................................................................119
PKI 加密 ..................................................................................................................................................................119
2.13 監(jiān)控和日志記錄...............................................................................................................................................................119
2.13.1 監(jiān)控 ......................................................................................................................................................................120
2.13.2 日志記錄 ..............................................................................................................................................................120
2.13.3 隱私和安全日志記錄 ..........................................................................................................................................121
2.14 身份和訪問管理 ..............................................................................................................................................................122
2.14.1 系統(tǒng)訪問權(quán)限 ......................................................................................................................................................122
2.14.2 強制和自主訪問控制 ..........................................................................................................................................123
2.14.3 信息安全和外部相關(guān)方 ......................................................................................................................................124
識別與外部各方相關(guān)的風(fēng)險..................................................................................................................................124
滿足與客戶相關(guān)的安全要求..................................................................................................................................125
滿足第三方協(xié)議中的安全要求..............................................................................................................................125
人力資源安全和第三方 ................................................................................................................................127
篩選 ................................................................................................................................................................128
訪問權(quán)限的取消 ............................................................................................................................................128
第 3 章:
數(shù)據(jù)生命周期 .......................................................................................................................131
概述..........................................................................................................................................................132 領(lǐng)域 3:考試內(nèi)容大綱.......................................................................................................................................................................132 學(xué)習(xí)目標(biāo)/任務(wù)說明.............................................................................................................................................................................132 深造學(xué)習(xí)參考資料..............................................................................................................................................................................133
A 部分:數(shù)據(jù)目的 ..................................................................................................................................137
3.1 數(shù)據(jù)清單和分類 ................................................................................................................................................................140
3.1.1 數(shù)據(jù)清單 ................................................................................................................................................................140
創(chuàng)建數(shù)據(jù)清單..........................................................................................................................................................141
計劃 ................................................................................................................................................................141
決定 ................................................................................................................................................................141
填充 ................................................................................................................................................................142
發(fā)布 ................................................................................................................................................................142
3.1.2 數(shù)據(jù)分類 ................................................................................................................................................................142
3.2 數(shù)據(jù)質(zhì)量 ............................................................................................................................................................................143
3.2.1 數(shù)據(jù)質(zhì)量維度 ........................................................................................................................................................143
3.3 數(shù)據(jù)流和使用圖 ................................................................................................................................................................145
3.3.1 數(shù)據(jù)血緣 ................................................................................................................................................................147
3.4 數(shù)據(jù)使用限制 ....................................................................................................................................................................147
3.5 數(shù)據(jù)分析 ............................................................................................................................................................................148
3.5.1 用戶行為分析 ........................................................................................................................................................149
B 部分:數(shù)據(jù)持久化 ..............................................................................................................................150
3.6 數(shù)據(jù)最小化 ........................................................................................................................................................................151
3.7 數(shù)據(jù)遷移 ............................................................................................................................................................................152
3.7.1 數(shù)據(jù)轉(zhuǎn)換 ................................................................................................................................................................152
3.7.2 完善遷移方案 ........................................................................................................................................................153
回退(回滾)方案..................................................................................................................................................154
3.7.3 數(shù)據(jù)遷移后 ............................................................................................................................................................154
3.8 數(shù)據(jù)存儲 ............................................................................................................................................................................155
3.9 數(shù)據(jù)倉庫 ............................................................................................................................................................................156
3.9.1 提取、轉(zhuǎn)換�、加載 ................................................................................................................................................156
分級層......................................................................................................................................................................157
表示層......................................................................................................................................................................157
3.9.2 其他注意事項 ........................................................................................................................................................157
3.10 數(shù)據(jù)保留和歸檔 ..............................................................................................................................................................157
3.11 數(shù)據(jù)銷毀...........................................................................................................................................................................158
3.11.1 數(shù)據(jù)匿名化 ..........................................................................................................................................................159
3.11.2 刪除 ......................................................................................................................................................................159
3.11.3 加密粉碎 ..............................................................................................................................................................159
3.11.4 消磁 ......................................................................................................................................................................159
3.11.5 銷毀 ......................................................................................................................................................................159
附錄 A:CDPSE 考試常規(guī)信息 ...................................................................................161 認(rèn)證要求..............................................................................................................................................................................................161 成功完成 CDPSE 考試.......................................................................................................................................................................161 數(shù)據(jù)隱私經(jīng)驗......................................................................................................................................................................................161 考試介紹..............................................................................................................................................................................................161 報名參加 CDPSE 考試.......................................................................................................................................................................161
CDPSE 計劃再次通過 ISO/IEC 17024:2012 認(rèn)證 ..........................................................................................................................162
預(yù)約安排考試日期..............................................................................................................................................................................162
考試入場..............................................................................................................................................................................................162
安排時間 ....................................................................................................................................................................................163
考試評分 ....................................................................................................................................................................................163
附錄 B:CDPSE 工作實務(wù) ...........................................................................................165
詞匯表 ...................................................................................................................................169
書單推薦
