Lesson 16: Summarize Data Protection and Compliance Concepts Flashcards
How does privacy differ from data sensitivity?
Privacy emphasizes individual rights, while data sensitivity classifies data based on its confidentiality and potential impact if compromised.
What are examples of regulated data?
Financial, healthcare, and personal data protected by laws like GDPR, HIPAA, and PCI DSS.
What is the importance of trade secrets?
They safeguard proprietary information for competitive advantage.
How does data format affect security measures?
Human-readable data may require content filtering, while non-human-readable data needs encryption.
What are examples of data classification schemas?
Public, Confidential, Critical, Proprietary, Sensitive, Private, and Restricted classifications.
What is data sovereignty?
Legal restrictions on storing or processing data outside jurisdictional boundaries, such as GDPR’s cross-border data rules.
What distinguishes privacy data from confidential data?
Privacy data relates to personal information.
Confidential data includes business and proprietary information.
What are the three states of data, and how are they protected?
At Rest: Encrypted and secured on storage media.
In Transit: Protected by transport protocols like TLS or IPsec.
In Use: Safeguarded in volatile memory, often using Trusted Execution Environments (TEEs).
What methods protect data?
Encryption, hashing, masking, tokenization, obfuscation, segmentation, and permission restrictions.
What is the purpose of DLP (Data Loss Prevention)?
To prevent unauthorized access and data transfer using policy servers, endpoint agents, and network agents, along with remediation methods like alerts, blocking, quarantines, or tombstones.
What is the purpose of an Acceptable Use Policy (AUP)?
It provides guidelines for appropriate and secure use of organizational resources.
How does a clean desk policy enhance security?
It prevents exposure of sensitive documents.
What role do social media policies and the code of conduct play in personnel management?
They promote professional online behavior and secure practices.
What is role-based training, and who benefits from it?
Tailored security training for end users, technical staff, and executives.
What techniques are used in security training?
Gamified computer-based training (CBT) methods, simulations, phishing campaigns, and situational awareness exercises.
How do gamified training techniques enhance security awareness?
They engage users effectively by making learning interactive and rewarding, which improves retention of information.
Why are hybrid/remote work practices included in personnel policies?
To address unique risks associated with off-site work environments, such as unsecured networks and devices.
How is the security awareness training lifecycle structured?
- Assess needs and risks.
- Plan and design training.
- Develop engaging materials.
- Deliver interactive training.
- Evaluate effectiveness.
- Reinforce awareness with campaigns and reminders.
- Monitor and adapt to emerging risks.
What regulations and compliance standards do you need to adhere to in cyber security?
GDPR (General Data Protection Regulation),
HIPAA (Health Insurance Portability and Accountability Act),
CCPA (California Consumer Privacy Act),
etc.
What are the impacts of noncompliance with regulations like GDPR or HIPAA?
Fines, reputation damage, contract terminations, and indemnification.
What does compliance monitoring and reporting look like?
Both internal and external compliance evaluations can be conducted.
Oversight of these evaluations can be automated, which ensures consistent adherence to regulations and improves efficiency in identifying and addressing potential issues.
How should data inventories and retention be managed?
Ensure lawful processing, enforce data minimization, set retention periods, and manage deletion or anonymization securely.
What are examples of cross-border privacy requirements?
GDPR’s extraterritorial reach, which governs data regardless of processing location.
What are the roles of a data controller and data processor?
Data Controller: Determines purposes and means of processing personal data.
Data Processor: Handles data on behalf of the controller.
What rights do data subjects have under GDPR?
Access, rectification, and erasure of their data.
What steps are involved in managing privacy breaches?
Notify regulators, law enforcement, and individuals promptly in line with laws like GDPR and HIPAA.
Outline escalation procedures, public disclosures, and remediation strategies.