5.5 - Explain privacy and sensitive data concepts in relation to security.

Question 1

Reputation damage (Organizational consequences
of privacy and data breaches)

Answer 1

– Opinion of the organization becomes negative

– Can have impact on products/services

– Can impact stock price

Question 2

Identity theft (Organizational consequences
of privacy and data breaches)

Answer 2

– Company and/or customers info becomes public

– May require public disclosure

– Credit monitoring costs

Question 3

Fines (Organizational consequences
of privacy and data breaches)

Answer 3

– Uber
*
Data breach in 2016 wasn’t disclosed
*
Uber paid the hackers $100,000 instead
*
Lawsuit settlement was $148 million
– Equifax
*
2017 data breach
*
Government fines were approximately $700 million

Question 4

IP theft (Organizational consequences
of privacy and data breaches)

Answer 4

– Stealing company secrets

– Can put an org out of business

Question 5

Escalation (internal + external) (Notifications of breaches)

Answer 5

Internal escalation process
– Breaches r often found by technicians
– Provide a process 4 making those findings known

External escalation process
– Know when to ask 4 assistance from external resources
– Security experts can find + stop an active breach

Question 6

Public notifications and disclosures (Notifications of breaches)

Answer 6

– Refer to security breach notif laws

– All 50 US states, EU, Australia, etc.

– Delays might be allowed 4 criminal investigations

Question 7

Public (data types -> classifications)

Answer 7

• Unclassified
• No restrictions on viewing the data

Question 8

Private (data types -> classifications)

Answer 8

-Classified / Restricted / Internal use only

-Restricted access, may require a NDA

Question 9

• Sensitive (data types -> classifications)

Answer 9

• Intellectual property, PII, PHI

Question 10

Confidential (data types -> classifications)

Answer 10

• v sensitive, must be approved to view

Question 11

Critical (data types -> classifications)

Answer 11

• Data should always be available

Question 12

Proprietary (data types -> classifications)

Answer 12

– Data that is the property of an org

– May include trade secrets

– Often data unique to an organization

Question 13

PII (Personally identifiable
information) (data types -> classifications)

Answer 13

– Data that can be used to identify an individual

– Name, date of birth, mother’s maiden name, biometric info

Question 14

PHI (protected health information) (data types -> classifications)

Answer 14

– Health info associated with an individual

– Health status, health care records, payments for health care, etc

Question 15

Financial information (data types -> classifications)

Answer 15

– Internal company financial info

– Customer financial details

Question 16

Government data (data types -> classifications)

Answer 16

– Open data

– Transfer between government entities

– May be protected by law

Question 17

Customer data (data types -> classifications)

Answer 17

– Data associated wth customers

– May include usr-specific details

– Legal handling reqs

Question 18

Data minimization (Privacy enhancing technologies)

Answer 18

• seeks to reduce risk by reducing amt of sensitive info that we maintain on a regular basis

-best way = destroy data when it’s no longer necessary to meet original business purpose

-Minimal data collection
-> Only collect + retain necessary data

-Included in many regulations
->HIPAA has a “Minimum Necessary” rule
->GDPR - “Personal data shall be adequate, relevant + not excessive in relation to the purpose/s 4 which they are processed.”

-Some info may not be required

-Internal data use should be limited
->Only access data required 4 the task

Question 19

Data masking (Privacy enhancing technologies)

Answer 19

Data obfuscation
->Hide some of the OG data

-Protects PII + other sensitive data

-May only be hidden from view
->The data may still be intact in storage
->Control the view based on permissions

-Many different techniques
->Substituting, shuffling, encrypting, masking out, etc.

Question 20

Tokenization (Privacy enhancing technologies)

Answer 20

-Replace sensitive data with a non-sensitive placeholder
->SSN 266-12-1112 is now 691-61-8539

-Common wth credit card processing
->Use a temp token during payment
->A perp capturing the card #s can’t use them later

-This isn’t encryption or hashing
->OG data + token aren’t mathematically related
->No encryption overhead

Question 21

Anonymization (Privacy enhancing technologies)

Answer 21

-Make it impossible to identify individual data from a dataset
->Allows 4 data use wthout priv concerns

-Many anonymization techniques
->Hashing, masking, etc.

-Convert from detailed customer purchase data
->Remove name, address, change phone number
to ### ### ####
->Keep product name, quantity, total, + sale date

-Anonymization can’t be reversed
->No way to associate the data to a usr

Question 22

Pseudo-anonymization (Privacy enhancing technologies)

Answer 22

-Replace personal info wth pseudonyms

-Often used to maintain statistical relationships

-May be reversible
->Hide the personal data 4 daily use or in case of breach
->Convert it back 4 other processes

-Random replacement
-> James Messer > Jack O’Neill > Sam Carter > Daniel Jackson

-Consistent replacements
-> James Messer is always converted to George Hammond

Question 23

Data owners (Roles and responsibilities)

Answer 23

-Accountable 4 specific data
->often a senior officer/exec

-delegate some responsibilities to others

-rely on advice from subject matter experts

-VP of Sales owns the customer relationship data

-Treasurer owns the financial information

Question 24

Data controller (Roles and responsibilities)

Answer 24

-Manages the purposes + means by which personal data is processed

-determine reasons 4 processing personal info
-> direct the methods of processing that data

-mainly in European law

Question 25

Data processor (Roles and responsibilities)

Answer 25

-Processes data on behalf of data controller -Often a third-party or dif group -service providers that process personal info on behalf of data controller

Question 26

Data custodian/steward (Roles and responsibilities)

Answer 26

-Responsible 4 data accuracy, privacy, and sec -Associates sensitivity labels to the data -Ensures compliance wth any applicable laws + standards -Manages access rights to the data

Question 27

Data protection officer (DPO) (Roles and responsibilities)

Answer 27

-Responsible 4 the organization’s data priv -Sets policies, implements processes + procedures -individual who bears overall responsibility 4 carrying out orgs data priv efforts -chief privacy officer = common title

Question 28

Information life cycle

Answer 28

-Creation + receipt ->Create data internally/receive data from a third-party -Distribution ->Records r sorted + stored -Use ->Make business decisions, create products + services -Maintenance ->Ongoing data retrieval + data transfers -Disposition ->Archiving/disposal of data

Question 29

PIA - Privacy impact assessment

Answer 29

- Almost everything can affect priv ->New business relationships, product updates, website features, service offering -Privacy risk needs to be identified in each initiative ->How could the process compromise customer privacy? -Advantages ->Fix privacy issues b4 they become a prob ->Provides evidence of a focus on privacy ->Avoid data breach ->Shows the importance of priv to everyone

Question 30

Terms of agreement

Answer 30

– Terms of use, terms and conditions (T&C) – Legal agreement btwn service provider + usr – usr must agree to the terms to use the service

Question 31

Privacy notice

Answer 31

– May be required by law – Documents the handling of personal data – May provide additional data options + contact info

Question 32

Data stewards

Answer 32

-ppl who carry out the intent of the data controller -delegated responsibility from the data controller

Question 33

Data custodians

Answer 33

-ppl/teams who don't have controller or stewardship responsibility BUT -> r responsible 4 the secure safekeeping of info