Romney C12: Confidentiality & Privacy Flashcards
Basic objective of information security
preserving the confidentiality of the organization’s intellectual property & similar information shared with it by its business partners
Objectives of confidentiality and privacy
protect sensitive information from unauthorized access and disclosure
4 basic actions to protect C&P
- Identify & classify the information to be protected
- Encrypt the information
- Control access to the information
- Train employees to properly handle the information
4 basic Actions:
1. Identify & classify information to be protected
- identify where such information resides & who has access to it
- classify the information in terms of its value to the organization
4 basic actions:
2. Protecting sensitive information with encryption
to protect information in transit over the internet
additional layer of protection
encryption only protects information when it is stored or being transmitted, not during processing
4 basic actions:
3. Controlling access to sensitive information
additional digital and physical access controls through:
- Information rights management (IRM)
- data loss prevention (DLP)
- digital watermark
- data masking
- tokenization
Information Rights Management (IRM)
Offers the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, etc.) that individuals granted access to that resource can perform
Some IRM software can also limit access privileges to a specific period of time and remotely erase protected files
Data Loss Prevention (DLP)
Software that works like an antivirus program in reverse, blocking outgoing messages (email, IM, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect
Digital watermark
code embedded in documents that enables an organization to identify confidential information that has been disclosed
Data masking
protecting privacy by replacing sensitive personal information with fake data. Also called tokenization
Tokenization
another word for data masking
Training
- employees need to know what info they can share with outsiders
- employees need to be taught how to protect sensitive data
Privacy Regulations: The EU’s GDPR & U.S. Laws
- The European Union’s General Data Privacy Regulation is the strictest & most far-reaching privacy regulation
- imposes huge fines (up to 4% of global revenues) for issues such as not properly obtaining consent to collect and use personal information or not being able to document that the organization has taken a proactive approach to protecting privacy
Other laws and regulations
- California Consumer Privacy Act (CCPA) of 2018
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Financial Services Modernization Act
Generally Accepted Privacy Principles (AICPA and CICA)
- Management
- Notice
- Choice and consent
- Collection
- Use, retention, disposal
- Access
- Disclosure to 3rd parties
- Security
- Quality
- Monitoring & enforcement
GAPP: 1. Management
Organizations need to establish a set of procedures and policies for protecting the privacy of personal info they collect from customers or obtain from 3rd parties
Assign responsibility and accountability for implementing those policies to a specific person
GAPP: 2. Notice
provide notice about its privacy policies and practices at or before the time it collects personal info from customers.
notice should clearly explain what info is being collected, the reasons for its collection and how it will be used.
GAPP: 3. Choice and Consent
explain choices available to people and obtain their consent prior to the collection and use of their personal info.
opt out: implicit consent because companies can assume it’s okay to collect and use customers’ personal information unless they explicitly object
opt in: explicit consent because organizations cannot collect and use customers’ personal info unless they explicitly agree to allow such actions
GAPP: 4. Collection
Collect only the info needed to fulfill the purpose stated in its privacy policies
- concern: use of cookies on websites
cookies: a text file created by a website and stored on a visitor's hard disk. Stores info about what the user has done on the site.
GAPP: 5. Use, retention and disposal
use customers’ personal info only in the manner described in their stated privacy policies and retain that info only as long as it is needed to fulfill a legitimate business purpose.
when info is no longer useful, it must be disposed of in a secure manner.
GAPP: 6. Access
should provide individuals with the ability to access, review, and correct the personal information stored about them
GAPP: 7. Disclosure to 3rd parties
should disclose their customers’ personal info to third parties only in the situations and manners described in the organization's privacy policies and only to third parties who provide the same level of privacy protection