Lesson 16 Flashcards
Privacy
•Personal data about data subjects
•Compliance with regulations
•Rights of data subjects
While data security is important, privacy is an equally vital factor. Privacy is a data
governance requirement that arises when collecting and processing personal data.
Personal data is any information about an identifiable individual person, referred
to as the data subject. Where data security controls focus on the CIA attributes of
the processing system, privacy requires policies to identify private data, ensure that
storage, processing, and retention is compliant with relevant regulations, limit access
to the private data to authorized persons only, and ensure the rights of data subjects to
review and remove any information held about them are met.
Information life cycle management
Information life cycle management •Creation/collection (classification) •Distribution/use •Retention •Disposal
An information life cycle model identifies discrete steps to assist security and privacy
policy design. Most models identify the following general stages:
• Creation/collection—data may be generated by an employee or automated system,
or it may be submitted by a customer or supplier. At this stage, the data needs to be
classified and tagged.
• Distribution/use—data is made available on a need-to-know basis for authorized
uses by authenticated account holders and third parties.
• Retention—data might have to be kept in an archive, for regulatory reasons, past the
date when it is still in use.
• Disposal—when it no longer needs to be used or retained, media storing data assets
must be sanitized to remove any remnants.
Data Governance
A data governance policy describes the security controls that will be applied to protect
data at each stage of its life cycle. There are important institutional governance roles
for oversight and management of information assets within the life cycle:
Data owner
•Ultimate responsibility
Data steward
•Data quality and oversight
Data custodian
•Information systems management
Data privacy officer (DPO)
•Oversight of personally identifiable information (PII) assets
Organizational roles in privacy legislation
•Data controllers and data processors
Data owner
•Ultimate responsibility
Data steward
•Data quality and oversight
This role is primarily responsible for data quality. This involves tasks
such as ensuring data is labeled and identified with appropriate metadata and that
data is collected and stored in a format and with values that comply with applicable
laws and regulations.
Data custodian
•Information systems management
This role handles managing the system on which the data assets
are stored. This includes responsibility for enforcing access control, encryption, and
backup/recovery measures.
Data privacy officer (DPO)
•Oversight of personally identifiable information (PII) assets
Organizational roles in privacy legislation
•Data controllers and data processors
• Data controller—the entity responsible for determining why and how data is
stored, collected, and used and for ensuring that these purposes and means are
lawful. The data controller has ultimate responsibility for privacy breaches, and is
not permitted to transfer that responsibility.
• Data processor—an entity engaged by the data controller to assist with technical
collection, storage, or analysis tasks. A data processor follows the instructions of a
data controller with regard to collection or processing.
Data controller and processor tend to be organizational roles rather than individual
ones.
Data Classifications
Public (unclassified)
•No confidentiality, but integrity and availability are important
Confidential (secret)
•Subject to administrative and/or technical access controls
Critical (top-secret)
Proprietary
•Owned information of commercial value
Private/personal data
•Data that can identify an individual
Sensitive
•Special categories of personal data, such as beliefs, ethnic origin, or sexual orientation
Public (unclassified)
•No confidentiality, but integrity and availability are important
Confidential (secret)
•Subject to administrative and/or technical access controls
The information is highly sensitive, for viewing only by
approved persons within the owner organization, and possibly by trusted third
parties under NDA.
Critical (top-secret)
The information is too valuable to allow any risk of its capture.
Viewing is severely restricted.
Proprietary (IP)
•Owned information of commercial value
Private/personal data
•Data that can identify an individual
Sensitive
•Special categories of personal data, such as beliefs, ethnic origin, or sexual orientation
Data Types
Personally identifiable information (PII)
•Data that can be used to identify, contact, or locate an individual
Customer data
•Institutional information
•Personal information about the customer’s employees
Health information
•Medical and insurance records and test results
Financial information
•Data held about bank and investment accounts, plus information such as payroll and tax returns
Government data
•Legislative requirements
Privacy Legislation and regulation
Legislation and regulations
•General Data Protection Regulation (GDPR)
•Rights of data subjects
Data owners should be aware of any legal or regulatory issues that impact collection
and processing of personal data. The right to privacy, as enacted by regulations such
as the EU’s General Data Protection Regulation (GDPR), means that personal data
cannot be collected, processed, or retained without the individual’s informed consent.
GDPR (ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr)
gives data subjects rights to withdraw consent, and to inspect, amend, or erase data
held about them.
Privacy notices
Privacy notices
•Purpose of collecting personal information
•Consent to declared uses and storage
Informed consent means that the data must be collected and processed only for
the stated purpose, and that purpose must be clearly described to the user in plain
language, not legalese. This consent statement is referred to as a privacy notice. Data
collected under that consent statement cannot then be used for any other purpose.
For example, if you collect an email address for use as an account ID, you may not send
marketing messages to that email address without obtaining separate consent for that
discrete purpose.
Purpose limitation
Purpose limitation will also restrict your ability to transfer data to third parties.
Privacy Impact Assessment
Impact assessments
•Assess and mitigate risks from collecting personal data
Tracking consent statements and keeping data usage in compliance with the consent
granted is a significant management task. In organizations that process large amounts
of personal data, technical tools that perform tagging and cross-referencing of
personal data records will be required. A data protection impact assessment is a
process designed to identify the risks of collecting and processing personal data in the
context of a business workflow or project and to identify mechanisms that mitigate
those risks.
Data Retention
Data retention refers to backing up and archiving information assets in order to comply
with business policies and/or applicable laws and regulations. To meet compliance
and e-discovery requirements, organizations may be legally bound to retain certain
types of data for a specified period. This type of requirement will particularly affect
financial data and security log data. Conversely, storage limitation principles in privacy legislation may prevent you from retaining personal data for longer than is necessary.
This can complicate the inclusion of PII in backups and archives.
Data sovereignty
Data sovereignty
•Jurisdiction that enforces personal data processing and storage regulations
Data sovereignty refers to a jurisdiction preventing or restricting processing and
storage from taking place on systems that do not physically reside within that jurisdiction.
Data sovereignty may demand certain concessions on your part, such as using location-specific
storage facilities in a cloud service.
Geographical considerations
Geographical considerations
•Select storage locations to mitigate sovereignty issues
•Define access controls on the basis of client location
Geographic access requirements fall into two different scenarios:
• Storage locations might have to be carefully selected to mitigate data sovereignty
issues. Most cloud providers allow choice of data centers for processing and
storage, ensuring that information is not illegally transferred from a particular
privacy jurisdiction without consent.
• Employees needing access from multiple geographic locations. Cloud-based file and
database services can apply constraint-based access controls to validate the user’s
geographic location before authorizing access.
Data breach vs privacy breach
A data breach occurs when information is read or modified without authorization.
“Read” in this sense can mean either seen by a person or transferred to a network or
storage media. A data breach is the loss of any type of data, while a privacy breach
refers specifically to loss or disclosure of personal and sensitive data.
Organizational consequences of a data or privacy breach
- Reputation damage
- Identity theft
- Fines
- IP theft
Notifications of breaches
The requirements for different types of breach are set out in law and/or in regulations.
The requirements indicate who must be notified.
Breaches can be accidental
Escalation
A breach may be detected by technical staff and if the event is considered minor, there
may be a temptation to remediate the system and take no further notification action.
This could place the company in legal jeopardy. Any breach of personal data and most
breaches of IP should be escalated to senior decision-makers and any impacts from
legislation and regulation properly considered.
Public notification and disclosure
Other than the regulator, notification might need to be made to law enforcement,
individuals and third-party companies affected by the breach, and publicly through
press or social media channels.
For example, the Health Insurance Portability and
Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring
breach notification to the affected individuals, the Secretary of the US Department
of Health and Human Services, and, if more than 500 individuals are affected, to
the media.
Data Sharing and Privacy Terms of Agreement
Service level agreement (SLA)
•Require access controls and risk assessment to protect data
Interconnection security agreement (ISA)
•Requirements to interconnect federal systems with third-party systems
Non-disclosure agreement (NDA)
•Legal basis for protecting information assets
Data sharing and use agreement
•Specify terms for the way a dataset can be analyzed
•Proscribe use of reidentification techniques
Service level agreement (SLA)
Service level agreement (SLA)
•Require access controls and risk assessment to protect data
Interconnection security agreement (ISA)
Interconnection security agreement (ISA)
•Requirements to interconnect federal systems with third-party systems
Non-disclosure agreement (NDA)
Non-disclosure agreement (NDA)
•Legal basis for protecting information assets
Data sharing and use agreement
Data sharing and use agreement
•Specify terms for the way a dataset can be analyzed
•Proscribe use of reidentification techniques
Data at rest
- In some sort of persistent storage media
- Encrypt the data, using techniques such as whole disk encryption, database encryption, and file- or folder-level encryption
- Apply permissions—Access Control Lists (ACLs)—to ensure only authorized users can read or modify the data
Data in transit (or data in motion)
- Transmitted over a network
- Protected by transport encryption, such as TLS or IPSec
Data in use
- Present in volatile memory, such as system RAM or CPU registers and cache
- A malicious intruder with rootkit access to the computer may be able to access it
- Trusted execution environments/enclaves
Data exfiltration methods
Data exfiltration methods •Removable media •Transferring over the network •Communicating data over the phone or by video •Taking a picture or video of text data
Unauthorized copying or retrieval of data from a system is referred to as
data exfiltration. Data exfiltration attacks are one of the primary means for attackers
to retrieve valuable data, such as personally identifiable information (PII) or payment
information.
Ordinary countermeasures to data exfiltration
- Ensure that all sensitive data is encrypted at rest
- Create and maintain offsite backups of data
- Ensure that systems storing or transmitting sensitive data are implementing access controls
- Restrict the types of network channels that attackers can use
- Train users about document confidentiality and the use of encryption to store and transmit data securely
Data loss prevention (DLP)
Data loss prevention (DLP) products automate the discovery and
classification of data types and enforce rules so that data is not viewed or transferred
without a proper authorization.
Components of Data loss prevention (DLP)
- Policy server
- Endpoint agents
- Network agents
• Policy server—to configure classification, confidentiality, and privacy rules and
policies, log incidents, and compile reports.
• Endpoint agents—to enforce policy on client computers, even when they are not
connected to the network.
• Network agents—to scan communications at network borders and interface with
web and messaging servers to enforce policy.
Cloud-based DLP
Most DLP solutions can extend the protection
mechanisms to cloud storage services, using either a proxy to mediate access or the
cloud service provider’s API to perform scanning and policy enforcement.
Remediation •Alert only •Block •Quarantine •Tombstone
• Alert only—the copying is allowed, but the management system records an incident
and may alert an administrator.
• Block—the user is prevented from copying the original file but retains access to it.
The user may or may not be alerted to the policy violation, but it will be logged as an
incident by the management engine.
• Quarantine—access to the original file is denied to the user (or possibly any user).
This might be accomplished by encrypting the file in place or by moving it to a
quarantine area in the file system.
• Tombstone—the original file is quarantined and replaced with one describing the
policy violation and how the user can release it again.
Rights Management Services
EXAMPLE: Microsoft provides an Information Rights Management (IRM) feature in their Office
productivity suite.
- Assign file permissions for different document roles
- Restrict printing and forwarding of documents
- Restrict printing and forwarding of email messages
Privacy Enhancing Technologies
Data minimization
•Only collect sufficient data to perform the specific purpose that consent was obtained for
Deidentification
•Removing personal information from shared data sets
Anonymization
•Irreversible deidentification techniques
Pseudo-anonymization
•Reidentification is possible using a separate data source
Reidentification attacks
•K-anonymous information
Database Deidentification Methods
Deidentification methods are usually implemented as part of the database
management system (DBMS) hosting the data. Sensitive fields will be tagged for
deidentification whenever a query or report is run.
Data masking
•Whole or partial redaction of strings
•Format-preserving masks
•Irreversible
Tokenization
•Replacing field value with a random token
•Token stored in a separate data source (vault)
•Reversible with access to the vault
Aggregation/banding
Hashing and salting
•Indexing method
•Discarding original data for identifier
Data Masking
- Whole or partial redaction of strings
- Format-preserving masks
- Irreversible
Tokenization
•Replacing field value with a random token
•Token stored in a separate data source (vault)
•Reversible with access to the vault
Aggregation/banding
Another deidentification technique is to generalize the data, such as substituting a
specific age with a broader age band.
Hashing and Salting
Hashing is used for two main purposes within a database:
• As an indexing method to speed up searches and provide deidentified references to
records.
• As a storage method for data such as passwords where the original plaintext does
not need to be retained.
A salt is an additional value stored with the hashed data field. The purpose of salt is
to frustrate attempts to crack the hashes.