Data Protection Flashcards
Define data protection
Safeguarding information from corruption, compromise, or loss
Data classification types
Sensitive
Confidential
Public
Restricted
Private
Critical
Data Ownership Roles
Data Owners
Data Controllers
Data Processors
Data states:
Data at rest
Data in transit
Data in use
Securing Data Methods
Geographic Restrictions
Encryption
Hashing
Masking
Tokenization
Obfuscation
Segmentation
Permission Restriction
Importance of Data Classification
Helps allocate appropriate protection resources
Prevents over-classification to avoid excessive costs
Requires proper policies to identify and classify data accurately
Commercial Business Classification Levels
1: Public
No impact if released; often publicly accessible data
2: Sensitive
Minimal impact if released, e.g., financial data
3: Private
Contains internal personnel or salary information
4: Confidential
Holds trade secrets, intellectual property, source code, etc.
5: Critical
Extremely valuable and restricted information
Government Classification Levels
1: Unclassified
Generally releasable to the public
2: Sensitive but Unclassified
Includes medical records, personnel files, etc.
3: Confidential
Information whose unauthorized disclosure could reasonably be expected to cause damage to national security
4: Secret
Holds data like military deployment plans or defensive postures; unauthorized disclosure could cause serious damage to national security
5: Top Secret
Highest level; unauthorized disclosure could cause exceptionally grave damage to national security
Define:
Data ownership
Data owner
Data controller
Data processor
Data steward
Data custodian
Privacy officer
Data ownership responsibility
Data Ownership
Process of identifying the individual responsible for maintaining the confidentiality, integrity, availability, and privacy of information assets
Data Owner
A senior executive responsible for labeling information assets and ensuring they are protected with appropriate controls
Data Controller
Entity responsible for determining the purposes and methods of data storage, collection, and usage, as well as ensuring the legality of these processes
Data Processor
A group or individual hired by the data controller to assist with tasks like data collection and processing
Data Steward
Focuses on data quality and metadata, ensuring data is appropriately labeled and classified, often working under the data owner
Data Custodian
Responsible for managing the systems on which data assets are stored, including enforcing access controls, encryption, and backup measures
Privacy Officer
Oversees privacy-related data, such as personally identifiable information (PII), sensitive personal information (SPI), or protected health information (PHI), ensuring compliance with legal and regulatory frameworks
Data Ownership Responsibility
The IT department (CIO or IT personnel) should not be the data owner; data owners should be individuals from the business side who understand the data's content and can make informed decisions about classification
Data at rest and encryption methods:
Data at Rest
Data stored in databases, file systems, or storage systems, not actively moving
Encryption Methods:
1: Full Disk Encryption (FDE)
Encrypts the entire hard drive
2: Partition Encryption
Encrypts specific partitions, leaving others unencrypted
3: File Encryption
Encrypts individual files
4: Volume Encryption
Encrypts a logical volume (an encrypted container holding selected files or directories) rather than the whole disk
5: Database Encryption
Encrypts data stored in a database at column, row, or table levels
6: Record Encryption
Encrypts specific fields within a database record
Data in transit (in motion) and encryption methods:
Data in Transit (Data in Motion)
Data actively moving from one location to another, vulnerable to interception
Encryption methods:
1: Transport Encryption Methods
TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer)
Secures communication over networks, widely used in web browsing (HTTPS) and email; all SSL versions and TLS 1.0/1.1 are deprecated, so deploy TLS 1.2 or 1.3
2: VPN (Virtual Private Network)
Creates secure connections over less secure networks like the internet
3: IPSec (Internet Protocol Security)
Secures IP communications by authenticating and encrypting IP packets
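Added example (not part of the original flashcards): the "TLS, not SSL" point applied with Python's standard-library ssl module. One function builds a client context that refuses anything older than TLS 1.2 and requires certificate and hostname verification, one builds the common insecure variant for contrast, and a check function audits any context the way a reviewer would.

```python
"""Added example, not from the flashcards: enforcing 'TLS, not SSL' with the
standard-library ssl module, plus a check that audits an existing context."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context for data in transit: system CA store, certificate and
    hostname verification on, and nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL 2/3 and TLS 1.0/1.1
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The common anti-pattern (the 'verify=False' of many HTTP clients):
    the channel is still encrypted, but an on-path attacker can present
    their own certificate, so interception goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_weaknesses(ctx: ssl.SSLContext) -> list:
    """Return the problems a reviewer would flag; an empty list means OK."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("negotiates TLS older than 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    return problems


if __name__ == "__main__":
    print(context_weaknesses(hardened_client_context()))   # []
    print(context_weaknesses(insecure_client_context()))
    # Usage: wrap a socket from socket.create_connection((host, 443)) with
    # hardened_client_context().wrap_socket(sock, server_hostname=host)
```

The hardened context starts from ssl.create_default_context() on purpose: it already loads the system trust store and enables verification, so the only thing left to pin down is the minimum protocol version.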
Data in use and encryption methods:
Data in Use
Data actively being created, retrieved, updated, or deleted
Encryption / protection methods:
1: Encryption at the Application Level
Encrypts data during processing
2: Access Controls
Restricts access to data during processing
3: Secure Enclaves
Hardware-isolated environments (trusted execution environments) for processing sensitive data
4: Mechanisms like Intel Software Guard Extensions (SGX)
Keep enclave memory encrypted so that other processes, the OS, or the hypervisor cannot read the data in the clear while it is in use
Data types
Regulated Data
- Compliance requirements
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
PII (Personally Identifiable Information)
PHI (Protected Health Information)
Trade Secrets
Intellectual Property (IP)
Legal Information
Data related to legal proceedings, contracts, regulatory compliance
Requires high-level protection for client confidentiality and legal privilege
Financial Information
Human-Readable Data
- Understandable directly by humans (e.g., text documents, spreadsheets)
Non-Human-Readable Data
- Requires machine or software to interpret (e.g., binary code, machine language)
- Can still contain sensitive information and requires the same protection; not being human-readable is not a security control
Data sovereignty
Digital information is subject to the laws of the country where it is located
Gained importance with cloud computing's global data storage
GDPR (General Data Protection Regulation)
Protects the personal data of individuals in the EU and EEA, regardless of their citizenship
Applies to any organization processing that data, regardless of where the organization or the data is located
Non-compliance leads to significant fines (up to 4% of annual global turnover or EUR 20 million, whichever is higher)
8 ways to secure data
1: Geographic Restrictions (Geofencing)
Virtual boundaries to restrict data access based on location
Compliance with data sovereignty laws
Prevent unauthorized access from high-risk locations
2: Encryption
Transform plaintext into ciphertext using algorithms and keys
Protects data at rest and in transit
Requires decryption key for data recovery
3: Hashing
Converts data into fixed-size hash values
Irreversible one-way function
Commonly used for password storage, with a unique salt per password and a deliberately slow algorithm (e.g., PBKDF2, bcrypt, scrypt, Argon2) so stolen hashes resist brute-force and rainbow-table attacks
4: Masking
Replace some or all data with placeholders (e.g., “x”)
Partially retains metadata for analysis
Irreversible de-identification method
5: Tokenization
Replace sensitive data with non-sensitive tokens
Original data stored securely in a separate database
Often used in payment processing for credit card protection
6: Obfuscation
Make data unclear or unintelligible
Various techniques, including encryption, masking, and pseudonyms
7: Segmentation
Divide network into separate segments with unique security controls
Prevent lateral movement in case of a breach
Limits potential damage
8: Permission Restrictions
Define data access and actions through ACLs or RBAC
Restrict access to authorized users
Reduce risk of internal data breaches
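Added example (not part of the original flashcards): ways 3, 4 and 5 above (hashing, masking, tokenization) applied to one constructed customer record, so the differences are visible side by side. Hashing is one-way and is shown in its password-storage form with a per-user salt and a slow KDF; masking is irreversible but keeps the value's shape; tokenization is reversible only through a separate vault. The record, the iteration count and the in-memory vault are assumptions made for the example; standard library only.

```python
"""Added example, not from the flashcards: hashing, masking and tokenization
applied to one constructed customer record, standard library only."""
import hashlib
import hmac
import secrets
from typing import Optional

# Hashing (way 3): one-way. For passwords a per-user salt and a deliberately
# slow KDF are what make a stolen hash table resistant to brute force.
PBKDF2_ITERATIONS = 600_000   # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means equal passwords store differently."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)   # no timing leak


# Masking (way 4): irreversible, but keeps the shape of the value (length,
# separators, last four digits) so it stays usable for display and analysis.
def mask_pan(pan: str, keep_last: int = 4) -> str:
    to_mask = sum(c.isdigit() for c in pan) - keep_last
    out = []
    for c in pan:
        if c.isdigit() and to_mask > 0:
            out.append("x")
            to_mask -= 1
        else:
            out.append(c)
    return "".join(out)


# Tokenization (way 5): the token has no mathematical relation to the value;
# the only way back is a lookup in a separately secured vault. The vault is
# an in-memory dict here (assumption) to keep the example self-contained.
class TokenVault:
    def __init__(self) -> None:
        self._store: dict = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]          # KeyError for an unknown token


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Pick the control that fits each field: the password is hashed (never
    needed in the clear again), the card number is tokenized (needed later
    for charging, but only via the vault) and a masked copy kept for display."""
    return {
        "user": record["user"],
        "password_hash": hash_password(record["password"]),
        "card_token": vault.tokenize(record["card"]),
        "card_display": mask_pan(record["card"]),
    }


if __name__ == "__main__":
    vault = TokenVault()
    # constructed sample record
    safe = protect_record({"user": "alice", "password": "s3cret!",
                           "card": "4111 1111 1111 1111"}, vault)
    print(safe)
    print(verify_password("s3cret!", safe["password_hash"]))   # True
    print(vault.detokenize(safe["card_token"]))                 # 4111 1111 1111 1111
```

Note which fields leave the protected record: the plaintext password and card number do not. The masked copy is safe to show or log, the token is safe to store in the application database, and only the vault can turn the token back into a card number.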
Data Loss Prevention (DLP)
Aims to monitor data in use, in transit, or at rest to detect and prevent data theft
DLP systems are available as software or hardware solutions
Types of DLP Systems
1: Endpoint DLP System
Installed as software on workstations or laptops
Monitors data in use on individual computers
Can prevent or alert on file transfers based on predefined rules
2: Network DLP System
Software or hardware placed at the network perimeter
Focuses on monitoring data entering and leaving the network
Detects unauthorized data leaving the network
3: Storage DLP System
Installed on a server in the data center
Inspects data at rest, especially encrypted or watermarked data
Monitors data access patterns and flags policy violations
4: Cloud-Based DLP System
Offered as a software-as-a-service solution
Protects data stored in cloud services
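Added example (not part of the original flashcards): the content-inspection core that an endpoint or network DLP sensor runs over outbound data to "prevent or alert based on predefined rules". Three constructed rules (card numbers confirmed with a Luhn check, US SSNs, and a CONFIDENTIAL classification label used as a watermark) are run over constructed sample messages; evidence is redacted before it reaches the alert log, and the most severe action wins. Rules, actions and messages are assumptions for the example.

```python
"""Added example, not from the flashcards: the content-inspection core an
endpoint or network DLP sensor runs over outbound data. Rules, actions and
sample messages are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Removes most false positives from 13-19 digit strings
    that merely look like card numbers (order IDs, tracking numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    action: str                                        # "block" or "alert"
    validate: Optional[Callable[[str], bool]] = None   # extra check per match


RULES = [
    # 13-19 digits with optional space/dash separators, confirmed by Luhn
    Rule("card-number", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), "block",
         lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    # a classification label from the scheme above acts as a watermark
    Rule("classification-label", re.compile(r"\bCONFIDENTIAL\b"), "alert"),
]


def redact(evidence: str) -> str:
    """Keep only the last four digits: the alert log must not itself leak."""
    return re.sub(r"\d(?=(?:\D*\d){4})", "*", evidence)


def inspect(text: str) -> List[dict]:
    findings = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.validate and not rule.validate(m.group(0)):
                continue                       # looked like a hit, failed validation
            findings.append({"rule": rule.name, "action": rule.action,
                             "evidence": redact(m.group(0))})
    return findings


def decide(findings: List[dict]) -> str:
    """Most severe action wins: block > alert > allow."""
    actions = {f["action"] for f in findings}
    if "block" in actions:
        return "block"
    return "alert" if "alert" in actions else "allow"


# constructed outbound messages, as an endpoint or network sensor would see them
SAMPLES = {
    "invoice":   "Order 8827 shipped, total 149.99, thanks for your business",
    "card-leak": "Cust card 4111 1111 1111 1111 exp 12/27, please charge",
    "fake-card": "Tracking 4111 1111 1111 1112 for your parcel",   # fails Luhn
    "ssn":       "Employee SSN 123-45-6789 attached",
    "label":     "Attached: CONFIDENTIAL Q3 roadmap",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        found = inspect(text)
        print(f"{name:10} -> {decide(found):5} {[f['evidence'] for f in found]}")
```

The Luhn step is what keeps a rule like this usable: a bare 16-digit regex fires on tracking numbers and invoice totals, and an endpoint agent that blocks on those gets disabled by users within a week.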