CIPT MODULE 6: PRIVACY BY DESIGN
METHODOLOGY CURRENT
EXAMINATION TEST 2023 – 2024
CONSISTING OF 200 QUESTIONS AND
VERIFIED CORRECT ANSWERS
What is the Privacy by Design Methodology? - ANSWER building
processes, products and services that embed privacy principles within
the design as a requirement. Keeping the concept of privacy as a
forethought in design allows for measurability and compliance of
privacy laws and regulations.
What is the concept of Goal setting when it comes to Privacy by
Design? - ANSWER Organizations are challenged to achieve balance
between the needs of the organization, the privacy principles
mandated by requirements and regulations, and the cultivation of
customer trust and loyalty. Privacy laws often lead to the creation or
emergence of privacy goals within an organization and can be used to
meet privacy goals through technology. For example, designing
protections for online gaming accounts as though they were financial
accounts; applying similar notification and control techniques helps
individuals better protect their information and more closely monitor
their accounts for any malicious activity. Privacy technologists are
complying with privacy laws through design, while aligning technology
with the privacy goals of an organization. This two-fold approach allows
for longer-term benefits for stakeholders and individuals and connects
technology with privacy expectations.
Documenting Requirements for applying privacy to a new system
design or addressing a problem. - ANSWER Understanding privacy
requirements provides engineers the opportunity to capture critical
privacy properties prior to design, as well as other technological
commitments that meet the needs of the organization. Addressing
privacy threats and requirements during the design phase is not only
easier, but also more cost effective than addressing privacy threats and
requirements after design implementation. Privacy requirements can
be formally documented in a software requirements specification (SRS),
expressed mathematically or summarized in an Agile user story.
Standard elements of a software requirements specifications - ANSWER
Requirement ID
Requirement Statement
Author
Revision Number
Release Date
Keywords
Legal Compliance
Scenario Description
Design Assumptions
What are the two types of requirements engineers must distinguish
between? - ANSWER Functional and Non-functional
Functional - The specific function of the intended information system; it
describes what the system will do (e.g. "The system shall provide a link
to a privacy notice at the bottom of every page.")
Non-Functional - The constraint of the system that the engineer can
trace to a functional requirement or design element. (e.g. "the system
shall not disclose personal information without authorization or
consent.")
What are Quality Attributes? - ANSWER Quality attributes are
nonfunctional requirements used to evaluate how a system is
performing. Privacy is an example of a quality attribute and can be
divided into further quality attributes.
What are the Privacy Quality Attributes - ANSWER Identifiability
Network Centricity
Confidentiality
Availability
Integrity
Mobility
What is Identifiability? (PQA) - ANSWER The extent to which a user is
identified by an authentication system.
Examining the combinations of quasi-identifiers (module 4) within a
system design and evaluating how personal identifiers are isolated from
each other reduces the risk of unwanted users drawing inferences that
may identify an individual. Web server log files can also be configured
to record less information from HTTP request headers, using a
pseudonym in place of a user's identity. Here, privacy technologists and
organizations need to ensure that system design aligns with the goals of
identifiability.
What is network centricity? (PQA) - ANSWER The extent to which
personal information remains local to the client.
When using an architecture where personal information needs to be
collected for the purposes of a transaction, the designer can choose to
retain the information on the client side and transfer it only to
complete the transaction. Processing toward the client rather than the
server reduces the risk of unwanted disclosure and secondary use and
gives individuals more control over their personal information. Here,
application logic must be shared across the client and server as
opposed to only centralizing processing on the server side, which may
present risks to privacy. Frequent updates may be needed as new
services are added. Other systems may be designed to disaggregate any
personal information while still making the information available. This
method may be an option with personal information that is distributed
across multiple systems. It allows individuals to have a single interface
but mitigates inappropriate use or disclosure across systems, since any
given data source may contain only a fraction of an individual's
personal information (module 4).
What is Confidentiality? PQA - ANSWER The extent to which personal
information is accessible by others.
Privacy technologists have choices in design as to how personal
information is accessed via mechanisms that assign permissions,
log-ins, data encryption, tokenization and aggregation (module 4).
Implementing confidentiality mechanisms requires tracking business
needs and authorization through access logs and should align with the
functions and responsibilities of the business.
What is availability? PQA - ANSWER Referred to as a security property.
Availability means data is accessible when needed by an authorized
entity within the organization or by the data subject.
If security measures are implemented for data, the designer must
decide if accessing personal information in the event of an incident is a
requirement. The scope of emergency access should be clearly mapped
out, including who has authorization, what information is available, and
how long access should be available; also, identify who is responsible
for reviews, audit logs, or approving access once the incident is over.
Data persistence must be taken into consideration as well.
What is data persistence? PQA - ANSWER Data persistence is when data
is still retrievable in the form of backups, replication sites and archives,
even after it has been deleted from a production database. While data
persistence is useful in the event of a system's failure, it can pose an
accessibility risk by unwanted actors. Establishing retention
requirements at the beginning phases of design development from a
data life cycle viewpoint will help mitigate the risk of inappropriate use
of available data.
What is integrity? PQA - ANSWER The extent to which the system
maintains a reliable state with data free from error. Integrity of
personal information ensures that data is consistently accurate,
complete and current.
Privacy Technologists can apply the concept of integrity when
addressing the following potential risks in design by considering how
information is collected and restored... - ANSWER Manual Entry;
cross-checks to verify the entries are correct
Restored data from backups; mechanisms to ensure that corrections to
data propagate in backup files
Limited reliance on mechanisms outside designer control or prone to
failure.
What is mobility? PQA - ANSWER The extent to which a system moves
from one location to another, as in laptop and mobile phone
capabilities.
Increasing security around "bring your own device" (BYOD) programs or
using organizations' mobile devices is necessary, as well as minimizing
the amount of data that can be stored locally.
How can PTs identify information needs to ensure privacy by design? -
ANSWER Privacy by design requires a minimalist approach to
processing personal information. What is the least amount of personal
information needed to accomplish the goal? For example, when
designing for the collection of information, if privacy technologists
begin with the end in mind, they should be able to identify the purpose
that requires the collection of information and how that purpose
determines the amount of information that is necessary to collect and
use these facts to drive their design accordingly.
High-level design and implementation - ANSWER While requirements
describe the behaviors that a system should exhibit, designs describe
how the system's parts should work together to implement those
behaviors. The components of high-level design include quality
attributes, discussed previously in this module, technology
architectures and design representation.
What are 2 types of high level design? - ANSWER Technology
Architectures
Design Representation
What are Technology Architectures? - ANSWER A common architecture
paradigm consists of a front end and back end that works with a
specific type of architecture dependent on the purpose of the design.
Privacy affects both the front and the back ends of a design.
Privacy aspects of front-end design with Technology Architecture. -
ANSWER In the front end, designers need to ensure usability: effective
notification of privacy practices, obtaining consent, simple tutorials or
introductions to new features of a site.
Privacy aspects of back-end design with Technology Architecture -
ANSWER The back end applies privacy principles pertaining to collected
data, including when it is used, disclosed, and retained. Designers need
to consider how and where to apply the privacy principles, such as data
minimization or use limitation.
What is a design representation? - ANSWER Depending on the task a
system is supposed to perform, various system elements are used.
Designers use notations to identify and organize these elements and to
show the relationship between the elements. This includes separate
entities such as servers and program models, and process and data
models—models that show what will be done with data.
Privacy Aspects of front-end with Design Representation - ANSWER
Notations
- Identify and organize elements
- Show relationships
Privacy Aspects of back-end with Design Representation - ANSWER
Object Models
- Servers
- Programs
Process and data models
- Processing personal information
- Illustrating data usage
What are low-level design and implementation? - ANSWER Where
high-level design relates to how the overall scope of the larger parts of a
system design work together, low-level design is the details of the
high-level design system. Here, privacy technologists engage in improving
the quality of programming practices, including how well it meets
privacy standards and requirements.
Improving the quality of programming practices through coding practices
(loose coupling) and reuse of standard libraries and frameworks, or
building frameworks that can be reused.
Reusing Standard APIs
Security Practices like information hiding.
Opportunities for improving programming are done via... - ANSWER
coding practices and reuse of standard libraries and frameworks.
What are the benefits of good coding practices? - ANSWER Good coding
practices improve the maintainability and security of code, which, in
turn, improves a programmer's ability to enhance qualities such as
privacy.
What are some examples of good coding practices? - ANSWER
Information Hiding
Coupling (Loose Coupling)
What is information hiding? - ANSWER Information hiding identifies
data that has been assigned to specific levels of classification and
restricts access to that data via limited class functions. Programmers
can either restrict access to classified data or design programs to be
open, providing users with complete access and control over the data.
Strong interfaces that hide information by adding access controls,
which require users to take specific actions before accessing the data,
limit errors and misuse of data.
What is coupling - ANSWER Coupling is the interdependence between
objects within a technology ecosystem, such as software modalities.
What is loose coupling - ANSWER When programmers apply loose
coupling to a design, they also help to control the flow of information.
By tightening the coupling, objects depend on the inner working of
other objects. Loosening the coupling reduces objects' dependency on
other objects. This practice of loosening the coupling isolates
information processing to a select group of approved classes and
reduces the chance of unintentionally repurposing data. In other words,
privacy controls in one system cannot be bypassed by other systems.
What are the benefits of reusing standard libraries and frameworks? -
ANSWER Reusing existing libraries of standard application programming
interfaces (APIs) reduces the risk of defects in source code and can be
used to improve privacy standards such as confidentiality and integrity.
Most general-purpose programming languages include libraries for
performing a variety of security functions. These libraries can be used
to address security and privacy vulnerability in existing standards.
Examples include authentication and authorization APIs and encryption
algorithms.
Programmers can also build frameworks to address privacy principles
using standard protocol. Documenting and sharing these frameworks
across the organization enables them to be reused. Reusing
frameworks reduces project costs and time as well as deviation from
best practices.
Most general purpose programming include... - ANSWER Libraries for
performing a variety of security functions. These libraries can be used
to address security and privacy vulnerability in existing standards.
What is the benefit from reusing Frameworks? - ANSWER Reduces
project costs and time as well as deviation from best practices.
validating the frameworks against legal and standards-based privacy
requirements reduces privacy risks and ensures that privacy is an
integral part of the design from the onset along with the required core
functionality of a product or service. Examples include: user registration
services that comply with specific regulations such as the GDPR, or
marketing services that are compliant with the CAN-SPAM Act.
What are the controls PTs must consider to minimize privacy risk? -
ANSWER Architecture -
Supervision
Security
Balance
What is the objective of privacy compliance architecture? - ANSWER To
reduce the identifiability of data and decentralize operations. A
privacy-by-architecture approach mitigates privacy risk by using pseudonymous
or anonymous data and then pushing the data toward a more client- or
user-centric architecture.
What does supervision do for a privacy program within an
organization? - ANSWER Enables an organization to enforce privacy
policies through processes and demonstrate that other actors, such as
third parties, are compliant with those policies and processes.
What is security as a control to minimize privacy risk? - ANSWER Once a
high-level architecture has been settled on, data domains or data
shared across domains can be secured through an abstract and hide
strategy (module 4). This may mean encrypting the data at different
points of collection, depending on the system's design.
What is balance as a control to minimize privacy risk? - ANSWER
Balance utilizes the strategies of inform and control to reduce
imbalances of information and power. Within a system's architecture,
privacy technologists should consider whether the benefits are
proportional to any potential risks incurred in terms of legitimacy,
appropriateness and adequacy.
What signifies that an effective system design has been put in place? -
ANSWER - Each part constructed to meet specific requirements
- Quality attributes have been scrutinized
- Controls have been imposed.
Testing can now begin.
What is the significance of testing when implementing a privacy friendly
design? - ANSWER Testing may be considered the most crucial phase of
software development in regard to implementing a privacy-friendly
design. It includes evaluation of some aspect of the system or
component.
What are the two parts of testing? - ANSWER Verification and
Validation
What is Verification in the context of testing? - ANSWER Ensures the
resultant system performs the way it is supposed to perform
What is Validation in the context of testing? - ANSWER Ensures the
requirements satisfy the needs of the intended user base.
What are the PHASES of Testing - ANSWER Unit Testing, Integration
Testing, System Testing
What is unit testing? - ANSWER Individual functions and system
components. Unit testing determines whether a unit, with a predefined
input, will yield an expected output.
What is integration testing? - ANSWER How components interact
between other groups of components. Ensures the function of one unit
interacts correctly with other components.
What is system testing? - ANSWER Completed portions of the whole
system. System testing ensures that an individual's information was not
exposed throughout the network traffic, files or any other part of the
system.
What are the benefits of Code Reviews and Audits? - ANSWER Privacy
technologists must follow good coding practices and reviews to
maintain privacy qualities of a system and assess for defects in logic or
poor practices that cannot be found in standard testing.
Code reviews provide an opportunity to involve privacy specialists with
technical backgrounds who can analyze how software implementations
affect and satisfy privacy requirements.
In addition to code reviews, routine code audits provide analysis of
source code that detect bugs, security breaches or violations within a
technology ecosystem.
How does a code review/audit typically work? - ANSWER Code reviews
are generally in-person meetings organized by the developers who
authored the code.
Readers read the code out loud and offer questions to the developer,
while an independent moderator serves to mediate.
What can a privacy specialist with a technology background bring to a
code review/audit? - ANSWER This type of specialist, who has a
technical background and diverse experience can better engage
developers to write and organize source code that best meets the
organization's privacy needs.
Runtime behavior monitor: Key elements - ANSWER Once a system has
been fully deployed, privacy technologists must keep in mind that
analyzing usage and performance data collected from a running system
is an ongoing process.
However, monitoring and analyzing data during runtime can lead to the
unintentional collection of personal information.
What are the runtime behavior monitoring steps privacy technologists
can take to reduce the risk of unintentional collection? - ANSWER Log
Analysis
Defect-Tracking
API
What is Log Analysis? - ANSWER Developers may incorporate plans
within their system design to regularly sanitize, summarize, or destroy
data collected in logs to remain compliant with retention requirements.
What is defect tracking? - ANSWER When users encounter defects or
errors in a system, they may be directed to a defect tracker where they
are asked to provide certain details such as the context in which the
error occurred and what effect it had. Automated defect tracking
reporting systems may contain personal data. To address this,
defect-trackers should be designed to allow users to review their response
before submitting a report. Any personal information collected in the
report should be encrypted.
What is an API - ANSWER Application Programming Interfaces
Application programming interfaces (APIs) can lead to the unintended
collection and exposure of personal information, for example, an API
that integrates Google Maps into websites. Developers need to take
steps to extend privacy protection to data collected via API systems and
should build notifications of how personal information may be
collected and used into their designs.
What are software models and how have they evolved? - ANSWER
These models define the stages of software development, determine
the conditions for transitioning to each stage, and designate roles and
responsibilities.
Originally, software was sold to users to be used on their own systems.
However, as software moved towards a more service-centered model,
it provided an avenue for threat actors, increasing the risk for attack.
Privacy legislation also began to emerge, creating a need for software
to be more secure and privacy-compliant.
What are some examples of software process models that privacy
engineers can use? - ANSWER Waterfall
Agile
These allow development to evolve with both growing technology and
evolving privacy laws.
What activities do software developers usually address? - ANSWER
Requirements Engineering
Design
Implementation
Testing
Deployment
Maintenance
What is requirements engineering? - ANSWER Constraints on the
system: functional and behavioral properties, privacy, performance,
reliability
What is design? - ANSWER Software designs and architecture; user
interface; functionality components; connectors
What is implementation? - ANSWER Source code needed to implement
a design and configuration process to support the system
What is testing? - ANSWER Runtime systems conform to requirements;
specific functions and usability are verified
What is deployment? - ANSWER Software installation and configuration
What is maintenance? - ANSWER Software updates, extensions and
repairs
Privacy in an IT Ecosystem - Roles to Consider - ANSWER Project
Managers
Marketing and Sales
Lawyers
Requirements Engineers
Designers
Programmers
Testers
Users
Administrators
Privacy in an IT Ecosystem - Role of a Project Manager - ANSWER -
Ensure adequate resources
- Effective communication during construction, deployment and
maintenance
Privacy in an IT Ecosystem - Role of Marketing and Sales - ANSWER -
Work with customers to establish new requirements
- "Promote the software in the marketplace."
- Marketing and Sales should understand how software protects privacy in
case customers ask.
Privacy in an IT Ecosystem - Role of Lawyers - ANSWER - Track
regulatory issues relevant to the software's function or manner of
construction
- Monitoring emerging threats
- Communicate issues to developers who are responsible for aligning
software with legal and social norms
Privacy in an IT Ecosystem - Role of Requirements Engineers - ANSWER
Collect, analyze and manage requirements
Privacy in an IT Ecosystem - Role of Designers - ANSWER Translate
software requirements into an architecture or design. Designers are
responsible for tracing privacy related requirements, such as
anonymity, confidentiality and integrity requirements, throughout the
software architecture.
Privacy in an IT Ecosystem - Role of Programmers - ANSWER Translate
software into source code using best practices and standard libraries
and frameworks.
Privacy in an IT Ecosystem - Role of Testers - ANSWER Validate the
software conforms to the requirements. Testers must discover ways to
"break the system" or ways in which privacy may be violated by a
misuse or abuse of the software's functionality.
Privacy in an IT Ecosystem - Role of Users - ANSWER Operate or interact
with the software platform to perform their daily work or recreation.
- Data Subjects
- Must be provided notice, choice and control
Privacy in an IT Ecosystem - Role of Administrators - ANSWER Install
and maintain software
ensure operational assumptions behind software's design are
implemented
Physical environment or operating system
Rely on adequate documentation to ensure software is properly
installed and maintained
What is an area specialist? - ANSWER A person who serves as a
repository of knowledge and works to tailor this knowledge for the
different stakeholders.
- Collect critical regulatory requirements from lawyers
- Validate marketing requirements are consistent with laws and social
norms
- Meet with designers to discuss best practices when translating
requirements into design specifications
- Collect user feedback and monitor privacy blogs, mailing lists, and
newspapers for new privacy incidents.
- Develop a community of practice
What is a community of practice? - ANSWER "A collective process of
learning that coalesces in a shared enterprise", such as reducing risks to
privacy in technology.
The Spiral Software Development Model - ANSWER Privacy must be
considered in this model at the very beginning at the CONOPs and
Requirements stage.
Risk Analysis - project risks, is the planned effort feasible? which design
alternative is best suited to solve a particular problem? Exploring other
designs.
Agile Elements - ANSWER Product owner prioritizes requirements,
called user stories, developed during an iteration called a sprint
Developers determine how much time is required to implement each
story
Area specialist can review sprint backlog to confirm the working
increment doesn't contain privacy risks
DevOps Elements - ANSWER Aims to more closely integrate system
development and system operation, speeding up both the
development
Continuous looping activity stream that takes feedback on system
performance, identifies a set of necessary or desired changes and
enhancements, rapidly engineers these, then fields them.
Figure eight
The velocity of DevOps can present
Examples of Privacy Specialized Lifecycles - ANSWER Privacy
Management Reference Model and Methodology
Organization for the Advancement of Structured Information Standards
(OASIS)
Preparing Industry to Privacy-by-Design by supporting its Application
and Research (PRIPARE) - privacy and security by design methodology
funded by the European commission.
Privacy Engineering Methods aimed at specific engineering activities -
ANSWER LINDDUN threat modeling method developed at KU
Privacy Risk Assessment Methodology (PRAM) NIST
Dependencies for choosing the right framework or combination of
Methods - ANSWER "Which method or combination of methods makes
the most sense will be highly contextual and dependent on system and
environmental characteristics, including the extent to which the system
may be considered complex and the process standards and supporting
tools of the organization engineering it."
"The Institute of Electrical and Electronics Engineers (IEEE)" software
engineering defect model - ANSWER Defect - A flaw in the
requirements, design or implementation that can lead to a fault
Fault - An incorrect step, process or data definition in a computer
program
Error - The difference between a computed, observed or measured
value or condition and the true, specified or theoretically correct value
or condition
Failure - inability of a system or component to perform its required
functions within specified performance requirements
Harm - The actual or potential ill effect or danger to an individual's
personal privacy, sometimes called a hazard.
When does a functional violation of privacy occur? - ANSWER When a
system cannot perform a necessary function to ensure individual
privacy.
Difference between Objective and Subjective Harms - ANSWER
Subjective - Perception of an unwanted observation without knowing
whether it will or will not occur
Objective - Unanticipated or coerced use of information concerning a
person against that person.
What are Daniel Solove's four risk categories of Privacy Harm? - ANSWER
Information Collection, Information Processing, Information
Dissemination and Invasion
What is Programmatic Risk? - ANSWER -The risk of project costs and
schedule overruns (example)
What is technical risk? - ANSWER Risks associated with specific
technologies
Options on Conventional Risk Management - ANSWER 1.) Accepting the
Risk as is
2.) Transferring risk to another entity
3.) Mitigating the risk by introducing an appropriate privacy control or a
system design change.
4.) Avoiding the risk
Why is risk avoidance not always the best option? - ANSWER Because it
can be impractical or impossible in many situations.
Risk Model Alignments - ANSWER Memorize Chart
Fair Information Practices Principles - ANSWER Memorize them
Read information about the NIST Privacy Model - ANSWER
Subjective/Objective Dichotomy - ANSWER "Ryan Calo's
subjective/objective dichotomy (S/OD) focuses on privacy harms, which
he argues fall into two categories: Subjective harms are grounded in
individual perception (irrespective of its accuracy) of unwanted
observation, while objective harms arise out of external actions that
include the unanticipated or coerced use of that person's information."
ISO Privacy Risk Management Framework - ANSWER ISO 31000
"This framework proceeds in six steps: (1) characterization; (2) threat,
vulnerability and event identification; (3) risk assessment; (4) risk
response determination; (5) risk control implementation and (6)
monitoring and reviewing."
What is Characterization? (Privacy Risk Management Framework) -
ANSWER The first stage of any privacy risk management framework
involves characterizing the system that is the target of privacy threats
in a way that renders it amenable to privacy risk analysis. This includes
identifying the purpose of the system, what and how personal
information flows throughout and is processed by the system, and what
technologies are in place to support this system.
Primary Actor, Secondary Actor Example
Name - Personalized Customer Promotions
Description - The system shall share a customer's product purchase
with people in their social network, called friends
Primary Actor - Friends in the customer's social network
Precondition - The customer has purchased a product
Trigger - The customer's friend visits a product previously purchased by
the customer
Threat, Vulnerability and Event Identification - ANSWER "In practice,
vulnerabilities and events tend to be more commonly used than
threats."
-Events become risks when associated with some notion of likelihood of
impact
Risk Assessments Information - ANSWER Page 112
Elements of Risk Response Determination - ANSWER Accept the Risk -
"If the risk is low, then it may be reasonable and necessary to accept
the risk. In Table 2-1, if the disclosure reveals only consumer reviews
about products, then privacy risk of identification may be -. "
Transfer the Risk
Mitigate the Risk
Avoid the Risk
What are the main elements of Risk Control Implementation? - ANSWER
Administrative Controls, Technical Controls, Physical Controls.
What are some examples of Administrative Controls? - ANSWER -
Appointing a privacy officer who is responsible for organization-wide
privacy practices
-Developing and documenting privacy and security procedures
-Conducting personnel training in privacy
-Creating an inventory of personal information to track data practices
What are some examples of Technical Controls? - ANSWER -
Implementing access control mechanisms
-Auditing information access
-Encrypting Sensitive Data
-Managing Individual Consent
-Posting Privacy Notices
What is the NIST Privacy Control IP-1 - ANSWER Consent
Requires the system to provide individuals a mechanism to authorize
the collection of their personal information, where feasible
What is Monitor and Review? - ANSWER A component of Risk Control
Implementation
-Periodic Reviews
-Automatic triggers
-ex. before modifying any consent mechanism or before adding new
tables to a personal information database.
-Also a need to monitor the existing set of controls.
What is Requirements Engineering for Privacy? - ANSWER
Requirements describe constraints on software systems and their
relationship to precise specifications that change over time and across
software families.
Requirements can be expressed in a:
-Software requirements specification (SRS)
-Mathematical Model
-Agile User Story
Cost is lower if defect is found early rather than later
Main aspects of Documenting Requirements - ANSWER A step in the
requirements engineering process
-Functional and non-functional requirements
- Can be reusable across multiple systems
Who are Requirements Designers? - ANSWER Individuals who translate
requirements into system designs to fulfill requirements.
-EX. May distinguish between different types of consent.
-Explicit vs. Passive
-How to store a record of consent
What are functional requirements? - ANSWER A component of
documenting requirements
-describe a specific function of the intended information system
-"The system shall encrypt credit card numbers using AES256 bit
encryption"
-"The system shall provide a link to a privacy notice at the bottom of
every page."
What are non-functional requirements? - ANSWER Component of
documenting requirements.
-describe a constraint or property of the system that an engineer can
trace to functional requirements or design elements.
-"The system shall not disclose personal information without
authorization or consent."
-"The system shall clearly communicate any privacy preferences to the
data subject."
Example of an Instantiated Requirements Template part 1 - ANSWER
Example of an Instantiated Requirements Template part 2 - ANSWER
Aspects of an SRS - ANSWER Requirements Template
-Technical Glossary such as agent and personal information.
-Designers can ask questions such as if the same approach should be
taken for all types of PI or differing for more sensitive types of
information
Key Elements of specifying privacy requirements using visual models -
ANSWER -Process Diagrams and information flows
-Permission Matrices
-State Diagrams
These are used to make relationships between the objects of discourse.
Acquiring and Eliciting Requirements - ANSWER A sub-component of
requirements engineering. Working with SMEs and stakeholders to help
build requirements.
Interviews
Case Studies
Focus groups
Extracting and mining text documents such as contracts, laws,
newspapers and blogs.
Use NIST Framework or FIPPs
Can use laws and regs but these require analysis to infer requirements.
What is NIST Control AR-8 - ANSWER Organizations must keep an
accurate accounting of disclosures of information held in each system
of records under [Their] control
Can be used as a method to elicit requirements
What are Legal Standards? - ANSWER Can be used as a mechanism to
acquire and elicit requirements
-Refer to non-functional requirements or properties that cut across a
system's design and functionality.
-May/Must in legal requirements indicate discretionary requirements
Managing Privacy Requirements Using Trace Matrices - ANSWER
Requirement implemented by the design requirements
many to many relationships
What is Requirements Analysis? What are the components of Analyzing
Privacy Requirements? - ANSWER Describes the activities to identify
and improve the quality of requirements by analyzing the system and
development environment for completeness and consistency.
-Ensure no one/nothing was overlooked
-No inconsistencies.
-Develop privacy completeness arguments.
How to develop privacy completeness arguments - ANSWER -Fill gaps
-Some omissions can lead to privacy harms
-Stepwise analysis - ensure that a finite list of concerns has been
reviewed in its entirety.
-IS TRACING COMPLETE?
-Goal Based analysis can be applied to privacy policies to identify
protections, which are statements that aim to protect a user's privacy,
and vulnerabilities.
-Protections and vulnerabilities need to be traced to other downstream
software artifacts to promote alignment between the privacy policy and
system functionality.
-IS THE LIFECYCLE COMPLETE?
-Consider completeness at each stage of the data lifecycle.
-Selecting Data Elements and tracing them back to stages in lifecycle.
IS OUR LEGAL INTERPRETATION COMPLETE?
-Analyzing key words like if and when.
-Apply to a broader class of stakeholders than legally required.
PRECLUDE PRECONDITIONS ASSUME EXCEPTIONS
Nevada security law - only have to notify data subjects if the data was
not encrypted - PT may assume the exception. Also called Encryption
Safe Harbor
GROUND LEGAL TERMS IN THE DOMAIN
-Legal terms determine when a privacy regulation applies
-Flexibility of terminology in legal codes.
REFINE BY REFRAINMENT
REVEAL THE REGULATORY GOAL
What is a Secure Sockets Layer? - ANSWER SSL - Security feature used
to encrypt communications, such as access to gmail.
How to Identify Privacy Threats? - ANSWER Threat Modeling -
Considers negative outcomes based on a particular threat agent or type
of agent.
Review Daniel Solove's harms - ANSWER The LINDDUN privacy specific
threat modeling methodology has been inspired by the STRIDE
methodology for security threat modeling.
What are Anti-Goals - ANSWER A method of threat modeling.
Attackers' own goals, i.e., malicious obstacles to a system.
1.) Identify the anti-goals that obstruct relevant privacy goals; such as
CIA.
2.) Identify the attacker agents who would benefit from each anti-goal
3.) For each attacker agent and anti-goal pair, elicit the attacker's higher
level goal that explains why they would want to achieve this anti-goal
(how? why?)
4.) Derive anti-models that identify the attacker, object of the attack
and
5.) Operationalize the anti-model in terms of potential capabilities that
the attacker agent may use in this scenario.
Main Components of High Level Design - ANSWER Designs begin to
describe how the system is supposed to implement those behaviors.
Unified Modeling Language -
Reflect Privacy by Design
What is a Unified Modeling Language (UML) - ANSWER Provides object
oriented diagrams, sequence diagrams, state diagrams and more for
describing composition and temporal relationships between elements
in a design.
Common IT Architectures: Front-End - ANSWER The part of the system
that the user experiences.
Converting user responses into something understandable by the
system and converting system responses into something
understandable by the user.
Common IT Architectures : Back-End - ANSWER Database and any
intermediary services that encapsulate the database and are not
directly connected to the user's experience constitute the back end
Products, orders, accounts and so on.
Front-End Design User components - ANSWER Videos and tutorials to
help users understand
One time introductions and conceptual tips to help the user navigate
through privacy settings.
Back end design user components - ANSWER Purpose, how long, whom
data is shared, use limitation, data minimization.
What is client server architecture? - ANSWER Program that runs on a
local computer, server program runs on a remote computer.
Advantage is it allows the service to store computer data on the client
side for the purpose of completing the transactions.
Because the web is asynchronous, the HTTP does not maintain shared
data between the client and server and each request is independent.
Cookies - Session identifiers
Risk if client is insecure and/or storage of this data is not clear to the
user.
What is service oriented architecture? - ANSWER decouple services
from large scale servers.
reuse and separation of concerns and for increasingly larger systems,
improved load balancing by allowing designers to replicate services
across multiple machines
What is peer-to-peer architecture? - ANSWER Extreme alternative to
client and server based.
Directory services to find other peers.
BitTorrent
Improved performance and speed because no intermediaries.
Plugin-based architecture. - ANSWER Allows third party developers to
extend the user's experience with new programs
Risks emerge when the user has a direct relationship with these
platforms
Mobile phone accessibility risks.
FTC enforcement - read about it.
What is Cloud Based computing? - ANSWER Shift of client based
services or services typically run on a company's intranet to an off-site
third-party.
IaaS, PaaS, SaaS
Privacy challenge arises since users must relinquish their control to a
third party to protect their data.
What are Federated Architectures and Systems? - ANSWER Multiple
distributed databases
virtual data warehouse
tracking and surveillance are the privacy risk
Design Representations. - ANSWER Object Models - describe discrete
entities
Process Models - data flow diagrams
Entity Relationship -
High-Level and Low Level Architectures such as UML
Database Schemas
Component and Connector (C&C) diagrams
Example of a UML Diagram - ANSWER Figure 2-15
Example of a database schema - ANSWER Figure 2-16
What are process models? - ANSWER Flowcharts
Similar to DSAR process
What is Model Based Systems Engineering (MBSE)? - ANSWER Enables
the construction of a single integrated representation of a system
under development.
Supports all lifecycle phases
typically performed using supporting tools
UML and SysML
What are Design Patterns? - ANSWER Describe recurring problems
through a shared solution that can be used repeatedly.
Pattern Name - easy reference
Problem description - problem to solve and when it applies
Solution - elements of design, relationships, roles and how they interact,
can be a template
Consequences - results of applying the pattern, tradeoffs
What are Privacy Design Strategies? - ANSWER General approaches
which might be implemented in any of several different ways.
More specific solutions. Patterns are more broad; strategies are more
specific.
Minimize
Hide
Separate
Aggregate
Inform
Control
Enforce
Demonstrate
What is Trade-Space Analysis? - ANSWER Often instances where no
obvious design choice exists.
Data Sanitation vs. Utility graph.
Biometrics
Types of biometrics - Fingerprint vs. Retinal vs. Facial
What are Quality Attributes? (Book) - ANSWER Crosscutting concerns
that cannot be addressed by a single function.
Privacy is an example of a quality attribute.
Identifiability, Network Centricity (PI remains local to client, federated
systems, desired if client is insecure), Confidentiality, Availability (i.e.
HIPAA emergency access), Integrity (accuracy, Completeness), Mobility,
NIST Privacy Engineering Objectives - ANSWER Predictability
(assumptions of the system), Manageability (administer Deletion,
Access Etc.), Disassociability (minimization, unlinkable, anonymization,
aggregated)
Low-Level Design and Implementation - ANSWER More granular than
High Level Design -
Coding Practices
SCM and CVS
Good Coding Practices and Code Reviews
Elements of Good Coding Practices - ANSWER Object Oriented
Programming Language that supports information hiding and loose
coupling
Information Hiding - Encapsulating Data in classes and restricting access
to the data through limited class functions and methods that operate
on that data.
Programmers can design a class to be an open container that provides
other developers complete access and control over their data.
Programmers can employ loose coupling to reduce information flows.
Coupling tightens when objects depend on the inner workings of other
projects. By loosening coupling, a programmer reduces dependencies
among objects (reduces the risk of developers unintentionally
repurposing data).
Special Codes to annotate source code with privacy attributions. This
includes using programming assertions that state compile time and
runtime assumptions about privacy controls.
Code Review Meetings
What is a Code Review Meeting? Parts? - ANSWER 3-5 developers
(reader, moderator, developer)
2 hours max
Include privacy area specialists
Area specialists can introduce alternatives
Reusing Standard Libraries and Frameworks - ANSWER APIs can reduce
defects in source code
APIs can improve confidentiality and integrity in support of privacy
General Purpose Programming Languages
C++ and Java
Web-Based Scripting Languages
PHP, Python
Standard libraries for performing critical security apps
What are some examples of Libraries available to solve standard
privacy and security problems? - ANSWER Authentication and
authorization APIs, including fine-grained and role-based access
control.
Encryption and algorithms, including standard implementations for
3DES, AES
Public Key Cryptography, including key and X.509 certificate
management
Secure communications, including SSL and Transport Layer Security
(TLS)
True or False - Companies cannot build their own libraries for
addressing privacy principles - ANSWER False - Companies can do this
following a standard protocol
Programming framework libraries - internally developed best practices.
What are the benefits? - ANSWER They should be documented
shared
reused across the organization's products and services
Review with in-house legal
review with area specialists
Reduces project costs
Reduces privacy risks
Reduces incorrect interpretations of privacy requirements
What are some examples of opportunities for developing privacy-enabling
frameworks? - ANSWER User Registration designed to comply
with specific regulations, such as COPPA or the GDPR.
Privacy Notice Mechanisms, including reusable web-based links and
email notification services.
Marketing services that are compliant with the CAN-SPAM
Report generation services for law enforcement and other requests
based on the Electronic Communications Privacy Act of 1986 (ECPA)
Testing Validation and Verification. - ANSWER Perhaps the most crucial
phase of the software development process with regard to managing
privacy concerns.
IEEE definition of TEST - an activity in which a system or component is
executed under specified conditions, the results are observed or
recorded, and an evaluation is made of some aspect of the system or
component.
Testing consists of 2 sets of activities
- Verification - ensures that a resultant system performs according to its
requirements
- Validation - Ensures that those requirements themselves satisfy the
original needs of the user base for whom the system was developed
Phases:
Unit Testing - Individual Functions and system components
Integration Testing - interactions between groups of components
System testing - completed portions of the whole system.
Acceptance Testing - Requirements Validation
Regression Testing - Ensure changes made to an existing system do not
affect other components of the system.
True or False - Testing often occurs alongside many of the other phases
of the development lifecycle - ANSWER True - Notably implementation
and Deployment
What is alpha and beta testing? - ANSWER Inviting users to participate
in a trial use of the system.
Raises privacy issues about their data and their expectations for how the
data will be used.
What is log analysis, issue tracking and testing of APIs? - ANSWER
Occurs once testing has concluded
allows other software and remote services to communicate with a
system.
Common Types of Testing - ANSWER Unit Testing
Integration Testing
System Testing
What is Unit Testing? - ANSWER Focused on system components
smallest cohesive or self-contained pieces of the implementation
Object Classes and Object Oriented Programming, Subroutines or
procedures in procedural programming
A single web page or a database script embedded in a web page
Determine whether the unit will yield an expected output
What is Integration Testing? - ANSWER Focused on testing individual
units as members of a sub-system
More complex transactions that can be tested against more complex
requirements that describe large behaviors of the system.
What is System Testing? - ANSWER The complete system
security, performance and stress testing
Privacy requirements that relate to the gross behavior of the system
can also be tested (i.e., the system cannot expose a user's personal
information)
Can trace findings back to the set of system components
System testing can feature attempts to "Break" the system
Unit, Integration and System Testing vs. Acceptance Testing - ANSWER
UIS testing verifies the privacy requirements were implemented
correctly. Acceptance testing VALIDATES that the system reflects the
correct privacy requirements.
What is acceptance testing? - ANSWER
Involves the users of the system or those charged with representing
those users
- Consider different types of users
- Consider indirect stakeholders
During Acceptance testing, review data subjects' expectations.
- Alpha & Beta Testing, Focus Groups, employees independent of the
development team (be careful of employee bias)