Lesson 16 Flashcards

1
Q

Privacy

A

Privacy
•Personal data about data subjects
•Compliance with regulations
•Rights of data subjects

While data security is important, privacy is an equally vital factor. Privacy is a data
governance requirement that arises when collecting and processing personal data.
Personal data is any information about an identifiable individual person, referred
to as the data subject. Where data security controls focus on the CIA attributes of
the processing system, privacy requires policies to identify private data, ensure that
storage, processing, and retention is compliant with relevant regulations, limit access
to the private data to authorized persons only, and ensure the rights of data subjects to
review and remove any information held about them are met.

2
Q

Information life cycle management

A
Information life cycle management
•Creation/collection (classification)
•Distribution/use
•Retention
•Disposal

An information life cycle model identifies discrete steps to assist security and privacy
policy design. Most models identify the following general stages:

• Creation/collection—data may be generated by an employee or automated system,
or it may be submitted by a customer or supplier. At this stage, the data needs to be
classified and tagged.

• Distribution/use—data is made available on a need-to-know basis for authorized
uses by authenticated account holders and third parties.

• Retention—data might have to be kept in an archive, for regulatory reasons, past the
date when it is still in use.

• Disposal—when it no longer needs to be used or retained, media storing data assets
must be sanitized to remove any remnants.

3
Q

Data Governance

A

A data governance policy describes the security controls that will be applied to protect
data at each stage of its life cycle. There are important institutional governance roles
for oversight and management of information assets within the life cycle:

Data owner
•Ultimate responsibility

Data steward
•Data quality and oversight

Data custodian
•Information systems management

Data privacy officer (DPO)
•Oversight of personally identifiable information (PII) assets

Organizational roles in privacy legislation
•Data controllers and data processors

  • Data controller—the entity responsible for determining why and how data is
    stored, collected, and used and for ensuring that these purposes and means are
    lawful. The data controller has ultimate responsibility for privacy breaches, and is
    not permitted to transfer that responsibility.
  • Data processor—an entity engaged by the data controller to assist with technical
    collection, storage, or analysis tasks. A data processor follows the instructions of a
    data controller with regard to collection or processing.
4
Q

Data owner

A

Data owner

•Ultimate responsibility

5
Q

Data steward

A

Data steward
•Data quality and oversight

This role is primarily responsible for data quality. This involves tasks
such as ensuring data is labeled and identified with appropriate metadata and that
data is collected and stored in a format and with values that comply with applicable
laws and regulations.

6
Q

Data custodian

A

Data custodian
•Information systems management

This role handles managing the system on which the data assets
are stored. This includes responsibility for enforcing access control, encryption, and
backup/recovery measures.

7
Q

Data privacy officer (DPO)

A

Data privacy officer (DPO)

•Oversight of personally identifiable information (PII) assets

8
Q

Organizational roles in privacy legislation

•Data controllers and data processors

A

• Data controller—the entity responsible for determining why and how data is
stored, collected, and used and for ensuring that these purposes and means are
lawful. The data controller has ultimate responsibility for privacy breaches, and is
not permitted to transfer that responsibility.

• Data processor—an entity engaged by the data controller to assist with technical
collection, storage, or analysis tasks. A data processor follows the instructions of a
data controller with regard to collection or processing.

Data controller and processor tend to be organizational roles rather than individual
ones.

9
Q

Data Classifications

A

Public (unclassified)
•No confidentiality, but integrity and availability are important

Confidential (secret)
•Subject to administrative and/or technical access controls

Critical (top-secret)

Proprietary
•Owned information of commercial value

Private/personal data
•Data that can identify an individual

Sensitive
•Special categories of personal data, such as beliefs, ethnic origin, or sexual orientation

10
Q

Public (unclassified)

A

Public (unclassified)

•No confidentiality, but integrity and availability are important

11
Q

Confidential (secret)

A

Confidential (secret)
•Subject to administrative and/or technical access controls

The information is highly sensitive, for viewing only by
approved persons within the owner organization, and possibly by trusted third
parties under NDA.

12
Q

Critical (top-secret)

A

Critical (top-secret)
The information is too valuable to allow any risk of its capture.
Viewing is severely restricted.

13
Q

Proprietary (IP)

A

Proprietary (IP)

•Owned information of commercial value

14
Q

Private/personal data

A

Private/personal data

•Data that can identify an individual

15
Q

Sensitive

A

Sensitive

•Special categories of personal data, such as beliefs, ethnic origin, or sexual orientation

16
Q

Data Types

A

Personally identifiable information (PII)
•Data that can be used to identify, contact, or locate an individual

Customer data
•Institutional information
•Personal information about the customer’s employees

Health information
•Medical and insurance records and test results

Financial information
•Data held about bank and investment accounts, plus information such as payroll and tax returns

Government data
•Legislative requirements

17
Q

Privacy Legislation and regulation

A

Legislation and regulations
•General Data Protection Regulation (GDPR)
•Rights of data subjects

Data owners should be aware of any legal or regulatory issues that impact collection
and processing of personal data. The right to privacy, as enacted by regulations such
as the EU’s General Data Protection Regulation (GDPR), means that personal data
cannot be collected, processed, or retained without the individual’s informed consent.
GDPR (ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr)
gives data subjects rights to withdraw consent, and to inspect, amend, or erase data
held about them.

18
Q

GDPR

A

The right to privacy, as enacted by regulations such
as the EU’s General Data Protection Regulation (GDPR), means that personal data
cannot be collected, processed, or retained without the individual’s informed consent.
GDPR (ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr)
gives data subjects rights to withdraw consent, and to inspect, amend, or erase data
held about them.

19
Q

Privacy notices

A

Privacy notices
•Purpose of collecting personal information
•Consent to declared uses and storage

Informed consent means that the data must be collected and processed only for
the stated purpose, and that purpose must be clearly described to the user in plain
language, not legalese. This consent statement is referred to as a privacy notice. Data
collected under that consent statement cannot then be used for any other purpose.
For example, if you collect an email address for use as an account ID, you may not send
marketing messages to that email address without obtaining separate consent for that
discrete purpose.

20
Q

Purpose limitation

A

Purpose limitation will also restrict your ability to transfer data to third parties.

21
Q

Privacy Impact Assessment

A

Impact assessments
•Assess and mitigate risks from collecting personal data

Tracking consent statements and keeping data usage in compliance with the consent
granted is a significant management task. In organizations that process large amounts
of personal data, technical tools that perform tagging and cross-referencing of
personal data records will be required. A data protection impact assessment is a
process designed to identify the risks of collecting and processing personal data in the
context of a business workflow or project and to identify mechanisms that mitigate
those risks.

22
Q

Data Retention

A

Data retention refers to backing up and archiving information assets in order to comply
with business policies and/or applicable laws and regulations. To meet compliance
and e-discovery requirements, organizations may be legally bound to retain certain
types of data for a specified period. This type of requirement will particularly affect
financial data and security log data. Conversely, storage limitation principles in privacy
legislation may prevent you from retaining personal data for longer than is necessary.
This can complicate the inclusion of PII in backups and archives.

23
Q

Data sovereignty

A

Data sovereignty
•Jurisdiction that enforces personal data processing and storage regulations

Data sovereignty refers to a jurisdiction preventing or restricting processing and
storage from taking place on systems that do not physically reside within that jurisdiction.
Data sovereignty may demand certain concessions on your part, such as using
location-specific storage facilities in a cloud service.

24
Q

Geographical considerations

A

Geographical considerations
•Select storage locations to mitigate sovereignty issues
•Define access controls on the basis of client location

Geographic access requirements fall into two different scenarios:
• Storage locations might have to be carefully selected to mitigate data sovereignty
issues. Most cloud providers allow choice of data centers for processing and
storage, ensuring that information is not illegally transferred from a particular
privacy jurisdiction without consent.

• Employees might need access from multiple geographic locations. Cloud-based file and
database services can apply constraint-based access controls to validate the user’s
geographic location before authorizing access.

25
Q

Data breach vs privacy breach

A

A data breach occurs when information is read or modified without authorization.
“Read” in this sense can mean either seen by a person or transferred to a network or
storage media. A data breach is the loss of any type of data, while a privacy breach
refers specifically to loss or disclosure of personal and sensitive data.

26
Q

Organizational consequences of a data or privacy breach

A
  • Reputation damage
  • Identity theft
  • Fines
  • IP theft
27
Q

Notifications of breaches

A

The requirements for different types of breach are set out in law and/or in regulations.
The requirements indicate who must be notified.

Breaches can be accidental.

28
Q

Escalation

A

A breach may be detected by technical staff and if the event is considered minor, there
may be a temptation to remediate the system and take no further notification action.
This could place the company in legal jeopardy. Any breach of personal data and most
breaches of IP should be escalated to senior decision-makers and any impacts from
legislation and regulation properly considered.

29
Q

Public notification and disclosure

A

In addition to the regulator, notification might need to be made to law enforcement,
individuals and third-party companies affected by the breach, and publicly through
press or social media channels.

For example, the Health Insurance Portability and
Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring
breach notification to the affected individuals, the Secretary of the US Department
of Health and Human Services, and, if more than 500 individuals are affected, to
the media.

30
Q

Data Sharing and Privacy Terms of Agreement

A

Service level agreement (SLA)
•Require access controls and risk assessment to protect data

Interconnection security agreement (ISA)
•Requirements to interconnect federal systems with third-party systems

Non-disclosure agreement (NDA)
•Legal basis for protecting information assets

Data sharing and use agreement
•Specify terms for the way a dataset can be analyzed
•Proscribe use of reidentification techniques

31
Q

Service level agreement (SLA)

A

Service level agreement (SLA)

•Require access controls and risk assessment to protect data

32
Q

Interconnection security agreement (ISA)

A

Interconnection security agreement (ISA)

•Requirements to interconnect federal systems with third-party systems

33
Q

Non-disclosure agreement (NDA)

A

Non-disclosure agreement (NDA)

•Legal basis for protecting information assets

34
Q

Data sharing and use agreement

A

Data sharing and use agreement
•Specify terms for the way a dataset can be analyzed
•Proscribe use of reidentification techniques

35
Q

Data at rest

A
  • In some sort of persistent storage media
  • Encrypt the data, using techniques such as whole disk encryption, database encryption, and file- or folder-level encryption
  • Apply permissions—Access Control Lists (ACLs)—to ensure only authorized users can read or modify the data
36
Q

Data in transit (or data in motion)

A
  • Transmitted over a network
  • Protected by transport encryption, such as TLS or IPSec

37
Q

Data in use

A
  • Present in volatile memory, such as system RAM or CPU registers and cache
  • Malicious intruder with rootkit access to the computer may be able to access it
  • Trusted execution environments/enclaves
38
Q

Data exfiltration methods

A
Data exfiltration methods
•Removable media
•Transferring over the network
•Communicating data over the phone or by video
•Taking a picture or video of text data

Unauthorized copying or retrieval of data from a system is referred to as
data exfiltration. Data exfiltration attacks are one of the primary means for attackers
to retrieve valuable data, such as personally identifiable information (PII) or payment
information.

39
Q

Ordinary countermeasures to data exfiltration

A
  • Ensure that all sensitive data is encrypted at rest
  • Create and maintain offsite backups of data
  • Ensure that systems storing or transmitting sensitive data are implementing access controls
  • Restrict the types of network channels that attackers can use
  • Train users about document confidentiality and the use of encryption to store and transmit data securely
40
Q

Data loss prevention (DLP)

A

Data loss prevention (DLP) products automate the discovery and
classification of data types and enforce rules so that data is not viewed or transferred
without a proper authorization.

41
Q

Components of Data loss prevention (DLP)

A
  • Policy server
  • Endpoint agents
  • Network agents

• Policy server—to configure classification, confidentiality, and privacy rules and
policies, log incidents, and compile reports.

• Endpoint agents—to enforce policy on client computers, even when they are not
connected to the network.

• Network agents—to scan communications at network borders and interface with
web and messaging servers to enforce policy.

42
Q

Cloud-based DLP

A

Most DLP solutions can extend the protection
mechanisms to cloud storage services, using either a proxy to mediate access or the
cloud service provider’s API to perform scanning and policy enforcement.

43
Q

Remediation

A

Remediation
•Alert only
•Block
•Quarantine
•Tombstone

• Alert only—the copying is allowed, but the management system records an incident
and may alert an administrator.

• Block—the user is prevented from copying the original file but retains access to it.
The user may or may not be alerted to the policy violation, but it will be logged as an
incident by the management engine.

• Quarantine—access to the original file is denied to the user (or possibly any user).
This might be accomplished by encrypting the file in place or by moving it to a
quarantine area in the file system.

• Tombstone—the original file is quarantined and replaced with one describing the
policy violation and how the user can release it again.

44
Q

Rights Management Services

A

EXAMPLE: Microsoft provides an Information Rights Management (IRM) feature in their Office
productivity suite.

  • Assign file permissions for different document roles
  • Restrict printing and forwarding of documents
  • Restrict printing and forwarding of email messages
45
Q

Privacy Enhancing Technologies

A

Data minimization
•Only collect sufficient data to perform the specific purpose that consent was obtained for

Deidentification
•Removing personal information from shared data sets

Anonymization
•Irreversible deidentification techniques

Pseudo-anonymization
•Reidentification is possible using a separate data source

Reidentification attacks
•K-anonymous information

46
Q

Database Deidentification Methods

A

Deidentification methods are usually implemented as part of the database
management system (DBMS) hosting the data. Sensitive fields will be tagged for
deidentification whenever a query or report is run.

Data masking
•Whole or partial redaction of strings
•Format-preserving masks
•Irreversible

Tokenization
•Replacing field value with a random token
•Token stored in a separate data source (vault)
•Reversible with access to the vault

Aggregation/banding

Hashing and salting
•Indexing method
•Discarding original data for identifier

47
Q

Data Masking

A
  • Whole or partial redaction of strings
  • Format-preserving masks
  • Irreversible
48
Q

Tokenization

A

Tokenization
•Replacing field value with a random token
•Token stored in a separate data source (vault)
•Reversible with access to the vault

49
Q

Aggregation/banding

A

Another deidentification technique is to generalize the data, such as substituting a
specific age with a broader age band.

50
Q

Hashing and Salting

A

Hashing is used for two main purposes within a database:
• As an indexing method to speed up searches and provide deidentified references to
records.
• As a storage method for data such as passwords where the original plaintext does
not need to be retained.

A salt is an additional value stored with the hashed data field. The purpose of salt is
to frustrate attempts to crack the hashes.