1.5 Understanding Legal and Regulatory Issues Pertaining to Security Flashcards

1
Q

Name What Makes an Asset Unattractive to Potential Attackers.

A

Not Worthwhile | Too time-consuming | Too expensive

2
Q

What are Some Questions an Organization Needs to Ask Itself Regarding Data Security?

A

How are our information/assets protected? | What issues pertain to information security for our organization in a global context? | What does the current threat landscape look like?

3
Q

Who can the Security Function Interact With to Best Understand Legal and Regulatory Issues at a Global Context?

A

Compliance and Legal Functions

3
Q

What do Trade Secrets Protect? Is Disclosure Required in a Breach? How long is the Asset Protected? What does it Protect Against?

A

Business Information | No | Potentially Infinite | Misappropriation

Example: Coca-Cola Recipe

3
Q

What are the Goals of Intellectual Property Laws?

A

Simply, to encourage the creation of intellectual goods, such as inventions and artistic works, designs, and symbols, and to protect them.

4
Q

What do Patents Protect? Is Disclosure Required in a Breach? How long is the Asset Protected? What does it Protect Against?

A

Functional Innovations and Novel ideas/inventions | Yes | Set period of time | Making, Using, or selling an invention

Example: Coca-Cola Bottling Machine

5
Q

What do Copyrights Protect? Is Disclosure Required in a Breach? How long is the Asset Protected? What does it Protect Against?

A

Expression of an idea embodied in a fixed medium, such as songs, movies, and books | Yes | Set period of time | Copying or substantially similar work

Example: Coca-Cola Jingle

6
Q

What do Trademarks Protect? Is Disclosure Required in a Breach? How long is the Asset Protected? What does it Protect Against?

A

Color, sound, symbols, etc. used to distinguish one product from another | Yes | Potentially Infinite | Creating Confusion

Example: Coca-Cola Logo

7
Q

What are Import/Export Controls?

A

Country-based rules and laws implemented to manage which products, technologies, and information can move in and out of a country.

8
Q

What is the purpose of Import/Export controls?

A

Protect national security, individual privacy, and economic well-being.

9
Q

What is the Wassenaar Arrangement and how does Encryption fit in?

A

Used to specify imports/exports of ‘dual-use’ technology, meaning technology used by both civilians and the military. | Used to manage the risk encryption poses while facilitating trade. Allows certain countries to exchange and use cryptography systems of any strength, while preventing the acquisition of these items by terrorists.

10
Q

What is the International Traffic in Arms Regulations (ITAR)?

A

Created by the US to ensure control over any export of items such as missiles, rockets, and bombs, as well as anything else on the United States Munitions List (USML).

11
Q

What US agency is responsible for overseeing the International Traffic in Arms Regulations (ITAR)?

A

Department of Defense, Directorate of Defense Trade Controls (DDTC)

12
Q

What is the Export Administration Regulations (EAR)? Who is responsible?

A

Focuses on commercially available items such as computers, lasers, and marine items, as well as items that are for commercial use but available to the military. | Overseen by the US Department of Commerce, Bureau of Industry and Security (BIS).

13
Q

What is the purpose of Transborder Data Flow, Data residency, and Data Localisation Laws?

A

To require that specific data remain within a country's physical borders. Addresses challenges with sharing data across international borders.

14
Q

What data is primarily associated with Transborder Laws and who is Accountable?

A

Primarily, personal data. The purpose is to protect individuals' personal state, local, and regional data. The organization owning the data is accountable for customers’ personal data.

15
Q

When Might an Organization Consider Transborder Data Laws?

A

When sharing information with providers in third-party countries that may have weaker laws. This includes sharing data with cloud providers hosting in neighboring countries.

16
Q

How does the General Data Protection Regulation (GDPR), enacted in 2018, address customer data security in terms of transborder data sharing scenarios?

A

GDPR is a data localization policy that states European Customer Data be stored and processed only within the physical borders of the European Union.

17
Q

After Consulting with the Legal Function, who is in Charge of Ensuring Data is Protected in Accordance with International Data Laws?

A

The Security Function is responsible for applying appropriate controls that meet regional data protection standards.

18
Q

What is the Definition of Privacy?

A

Privacy is the state or condition of being free from being observed or disturbed by other people.

19
Q

Who is Affected when Customers’ Personally Identifiable Information (PII) is Disclosed?

A

Both the user of the exposed data and the organization responsible for protecting that data.

20
Q

How are Organizations Affected by Irresponsible PII Disclosure?

A

Risk of liability, fines, reputational loss, or a combination thereof.

21
Q

What Type of Data is Considered ‘Personal Data’?

A

Any combination of data that can be used to identify an individual.

22
Q

Name the 4 Types of Personal Data that, when combined with Intellectual Property, Make up Sensitive Data.

A

Personal Information (PI) | Personally Identifiable Information (PII) | Personal Health Information (PHI) | Sensitive Personal Information (SPI)

23
Q

How can Direct and Indirect Identifiers Determine if Data is PII?

A

Direct identifiers alone relate to an individual's identity, such as a name or government ID. Indirect identifiers include data that alone cannot be used to identify an individual, but a combination of them could.

24
Q

Give Examples of Direct and Indirect Identifiers. (Bonus: Give Online Identifiers)

A

Direct: Name, SSN, Account Numbers, Biometric Data, Certificate Numbers, Phone Numbers | Indirect: Age, Gender, Ethnicity, State, Zip Code | Online: Email, Cookies, IP Address

25
Q

What 3 types of ‘Owners’ are there?

A

Data Owners, Process Owners, and System Owners.

All are accountable for what they own.

26
Q

What Must a Data Owner Provide Data Custodians to Ensure Data is Protected?

A

Clearly defined responsibilities, input on how to protect the data, and the tools and training/resources to protect the data.

27
Q

What must a Data Processor Have to Succeed?

A

Clearly defined responsibility to process data on behalf of the controller/owner.

28
Q

What is considered the Data Subject?

A

The individual whom the personal data relates to.

‘Relates’ is not the same as ‘belongs’. The data ‘belongs’ to the org.

29
Q

What are aspects of the General Data Protection Regulation (GDPR) principles?

A

A single set of rules applies to all EU member states | Each state has a ‘Supervisory Authority (SA)’ to investigate complaints | Data subjects have a right to lodge complaints with an SA | Privacy breaches must be reported within 72 hours | Seven principles describe lawful processing of personal data

30
Q

What 7 Principles outlined in the GDPR describe lawful processing of data?

A

Lawfulness, Fairness, and Transparency | Purpose Limitation | Data Minimization | Accuracy | Storage Limitation | Integrity and Confidentiality (Security) | Accountability

31
Q

What are examples of Key Privacy Regulations in the US?

A

Gramm-Leach-Bliley Act (GLBA) | Health Insurance Portability and Accountability Act (HIPAA) | Sarbanes-Oxley Act (SOX) | Children’s Online Privacy Protection Act (COPPA) | California Privacy Rights Act of 2020

32
Q

What are examples of Key Privacy Regulations in Canada?

A

Personal Information Protection and Electronic Documents Act (PIPEDA)

33
Q

What are examples of Key Privacy Regulations in Argentina?

A

Personal Data Protection Law Number 25,326 (PDPL)

34
Q

What are examples of Key Privacy Regulations in South Korea?

A

Personal Information Protection Act (PIPA)

35
Q

What are examples of Key Privacy Regulations in Australia?

A

Australian Privacy Principles (APPs) | Privacy Act

36
Q

What is the Organization for Economic Cooperation and Development (OECD)?

A

An international organization focused on international standards and policies, and on finding solutions to social, environmental, and economic challenges.

This includes privacy.

37
Q

The OECD has developed _ _ _ _ _ to help harmonize national privacy legislation while upholding human rights, and to prevent interruptions in international flows of data.

This is what countries with weak international data laws can use.

A

Guidelines

38
Q

TRUE or FALSE:
OECD guidelines are NOT mandatory for organizations to comply with for international data exchange.

A

TRUE: These guidelines are merely ‘best-practice’ ideologies for developing an organization's journey to compliance and privacy requirements.

39
Q

What are the Organization for Economic Cooperation and Development (OECD) privacy guidelines?

A

Collection Limitation Principle | Data Quality Principle | Purpose Specification Principle | Use Limitation Principle | Security Safeguards Principle | Openness Principle | Individual Participation Principle | Accountability Principle

40
Q

What is the OECD Collection Limitation Principle?

A

Limit collection of personal data to only what is needed to provide the service. Obtain personal data lawfully and, where appropriate, with the consent of the data subject.

41
Q

What is the OECD Data Quality Principle?

A

Personal data should be relevant, accurate, complete, and kept up to date.

42
Q

What is the OECD Purpose Specification Principle?

A

The purpose for collecting personal data should be clearly defined at the time of collection.

43
Q

What is the OECD Security Safeguards Principle?

A

Personal data should be protected by reasonable safeguards against loss, unauthorized access, destruction, use, modification, etc. Essentially, security controls must be in place to ensure privacy via security.

44
Q

What is the OECD Use Limitation Principle?

A

Personal data should only be used for the purpose for which it was collected and with the consent of the data subject, or by authority of law. It can only be used for that specific purpose unless required by a superseding authority of law.

45
Q

What is the OECD Openness Principle?

A

The culture of the organization collecting personal data should be one of openness, transparency, and honesty about how the data is being used and in what context.

46
Q

What is the OECD Individual Participation Principle?

A

When a data subject provides their personal data to an organization, they should have the right to obtain their data from the data controller, as well as to have their data removed. Basically, the data subject should have the chance to participate, or to choose whether to share their personal information or withhold it.

47
Q

What is the OECD Accountability Principle?

A

A data controller should be accountable for complying with the other principles. Basically, the organization that collects the personal data is now accountable for the protection of that information.

48
Q

What is a Privacy Impact Assessment (PIA)?

A

PIA is a process undertaken on behalf of an organization to determine if personal data is being protected appropriately and to mitigate existing risks to personal data.

Data Protection Impact Assessment (DPIA) is similar.

49
Q

Why should a Privacy Impact Assessment (PIA) be performed?

A

To identify/evaluate risks relating to a privacy breach | Identify what controls should be applied to mitigate privacy risks | Demonstrate organizational compliance with privacy legislation

50
Q

What are the 8 steps required to conduct a Privacy Impact Assessment (PIA)?

A

1. Identify the need for a DPIA through legislative guidelines and local law | 2. Describe the Data Processing | 3. Assess Necessity and Proportionality | 4. Consult Interested Parties | 5. Identify and Assess Risk | 6. Identify and Mitigate the Risks | 7. Sign off and record outcomes | 8. Monitor and Review.

51
Q

How is a need for a Data Privacy Impact Assessment (DPIA) Determined?

A

Organizations should use existing legislative guidelines, like GDPR and federal/state laws, to determine if a DPIA is required. If unsure, it is best to err on the side of caution.

52
Q

What two steps are required when describing Data Processing?

A

1. Answer general questions such as: How is data being collected/used? Where is data being gathered? How much data is being gathered, and for how many data subjects? Is this data being stored with third parties? What are the purposes of processing? Are the interests of the data controller legitimate? | 2. Consider the information gathered, and the what, how, and why of the data processing activities in relation to the goals of the project.

53
Q

What questions should be asked during the “Assess Necessity and Proportionality” stage of DPIA?

A

Determine if existing data processing activities are relevant to the goals and objectives of the project. Ask questions such as: Does a legal basis for the collected personal data exist? Do data subjects have the right to opt in or out with relation to their personal data? Does a precedent exist for the collecting and processing of data? How are the rights of data subjects protected?

54
Q

What parties should be consulted during the DPIA process?

A

The Data Protection Officer, Project Stakeholders, and Data Subjects (or their legal representatives)

55
Q

What are examples of risks you should identify and assess during a DPIA?

A

Is data being stored in an unsafe location? Are appropriate access control lists being utilized? What data retention policies are currently in place?

56
Q

After risks have been identified in a DPIA, what should some goals be to measure and mitigate them?

A

Protect personal data from unauthorized internal and external access; remove data that is no longer required (through data retention policies and processes); maintain visibility over data; automate remediation actions when and where possible for the sake of data removal, cleanup, and classification.

57
Q

Once risks and their mitigations are identified during the DPIA process, who must sign off on all documented findings?

A

The relevant parties should be notified, including the data protection officer, senior management, process and project stakeholders, and data subjects.

58
Q

What steps are conducted during the ‘Monitor and Review’ step of a DPIA?

A

Continue monitoring activities involving data belonging to data subjects. Ongoing review of processes and operations, and of all facets of the business that involve handling of personal data.

59
Q

According to General Data Protection Regulations (GDPR), what 4 steps must be included in a Data Privacy Impact Assessment (DPIA)?

A

1. A systematic description of the envisioned processes and the purpose of the operations, including legitimate interests pursued by the controller. | 2. An assessment of the necessity and proportionality of the processing operation in relation to the purpose | 3. An assessment of risks to the rights and freedoms of data subjects | 4. The measures envisioned to protect data subjects' data privacy, and the demonstration of compliance and purpose in relation to the purpose of use of the information from the data subject.