MD2 Information privacy: Regulations and compliance Flashcards
Information security vs. information privacy
Security and privacy are two terms that often get used interchangeably outside of this field. Although the two concepts are connected, they represent specific functions:
Information privacy refers to the protection of data against unauthorized access and distribution.
Information security (InfoSec) refers to the practice of keeping data in all states away from unauthorized users.
The key difference: Privacy is about providing people with control over their personal information and how it’s shared. Security is about protecting people’s choices and keeping their information safe from potential threats.
Notable privacy regulations
Three of the most influential industry regulations that every security professional should know about are:
General Data Protection Regulation (GDPR)
Payment Card Industry Data Security Standard (PCI DSS)
Health Insurance Portability and Accountability Act (HIPAA)
General Data Protection Regulation (GDPR)
GDPR is a set of rules and regulations developed by the European Union (EU) that puts data owners in total control of their personal information. Under GDPR, types of personal information include a person’s name, address, phone number, financial information, and medical information.
The GDPR applies to any business that handles the data of EU citizens or residents, regardless of where that business operates. For example, a US-based company that handles the data of EU visitors to its website is subject to the GDPR's provisions.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of security standards formed by major organizations in the financial industry. This regulation aims to secure credit and debit card transactions against data theft and fraud.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. law that requires the protection of sensitive patient health information. HIPAA prohibits the disclosure of a person’s medical information without their knowledge and consent.
Security assessments and audits
Meeting compliance standards is usually a continual, two-part process of security audits and assessments:
A security audit is a review of an organization's security controls, policies, and procedures against a set of expectations.
A security assessment is a check to determine how resilient current security implementations are against threats.
For example, if a regulation states that multi-factor authentication (MFA) must be enabled for all administrator accounts, an audit might be conducted to check those user accounts for compliance. After the audit, the internal team might perform a security assessment that determines many users are using weak passwords. Based on their assessment, the team could decide to enable MFA on all user accounts to improve their overall security posture.