Data Protection Methods

Question 1

Randomized Masking

Answer 1

Swapping subject identifying data around between columns and rows so no one can be identified but data can still be used in aggregate. Can’t be reversed since there is no key.

Question 2

Pseudonymization

Answer 2

Swaps identifying data with a code/subject ID or pseudonym. The mapping of code to personal information is kept in a separate database. Can be reversed using the key.

Question 3

Tokenization

Answer 3

An authorizing party creates a code or token to represent sensitive data for a specific limited purpose. Example is credit card token where the credit card token created by the card company is used and the actual card number is not disclosed to the POS system.

Question 4

Anonymization

Answer 4

Removal of personal information from data set.

Question 5

Data Roles (7)

Answer 5

Owner: responsible for data including classification and assigning protections to it. Decides appropriate use, security controls for systems storing the data, who has access.

Asset/System Owners: Develops security plan in collaboration with Owner. Ensures users receive security training. Helps identify security controls with owner. May be the same person as the Data Owner.

Business/Mission Owner: can be the same or overlap with the System Owner. It owns the business process that may include multiple system that have other System and Data owners.

Data Processors/Controllers: Processes data for a data controllers.

Data Custodians: Are delegated tasks of protecting data by Data owners. Handle day to day tasks

Administrators: Staff with elevated access used to make administrative changes to systems.

Users/Subjects: Someone/thing that has access to computing systems and data.