S3-m4/5 Flashcards
Privacy
Protects the rights of an individual and gives the individual control over what information they are willing to share with others
-dictates the types of authorization granted to information
Confidentiality
-Protects against unauthorized access to information gathered by the company
-protecting personal privacy and proprietary information
-requires that the information is accessed only by systems or individuals with the appropriate authority
Creating Policies and Procedures
Data Collection
Organizations should develop comprehensive policies and procedures for protecting the confidentiality of PII and proprietary information by defining:
-specific confidential data collected
-how data is collected, accessed, and retained
-incident response
-privacy in the development cycle
-sharing rules
-consequences of violation
Conducting Training
Data Collection
Organizations should reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training to understand the relevant guidelines and the repercussions of violating these guidelines
Personally Identifiable Information (PII)
All data that can be used to identify an individual:
-full name/alias
-identification numbers
-addresses
De-identifying Personal Information
Data Processing
Organizations should de-identify records by removing enough personal information such that the remaining information does not identify an individual
Using Access Enforcement
Data Storage
Organizations should control access to personal info through access control policies and access enforcement mechanisms
Implementing Access Control for Mobile Devices
Data Collection
Organizations should prohibit or strictly limit access to personal information from portable and mobile devices, such as laptops and phones
Auditing Events
Data Collection
Organizations can monitor events that affect confidentiality of personal information, such as inappropriate access to PII
Data Transmission
Organizations should protect the confidentiality of information transmitted. This is commonly accomplished through encrypting the communication
Data Deletion/Purging
Organizations should set up policies that determine which data sets are subject to archiving or purging
Obfuscation
the process of replacing production data or sensitive information with data that is less valuable to unauthorized users
Encryption
Obfuscation
Scrambles unencrypted data using cryptography so that it can generally only be deciphered with a key
Tokenization
Obfuscation
Removes production data and replaces it with a surrogate value or token.
Masking
Obfuscation
Swaps data with other like data so that the original identifying characteristics are disguised, or masked, while maintaining a similar structure to the unmodified data set
Symmetric Encryption
Involves a single shared or private key for encryption and decryption of data within a group.
-drawback: does not provide non-repudiation, because any person with the shared key can encrypt and decrypt messages
Asymmetric Encryption
Uses two keys, a public and private key. The public key is used to encrypt the message and the private key to decrypt it, or vice versa. Only the two opposite keys can be used in tandem.
-weakness is speed of operation: long keys and complex computation
Hashing
Converts a message with variable lengths to a fixed length message or code called a message digest or hash value
Hashing vs Encryption
The difference is their intended use. Encryption is used for secure data transfer to maintain confidentiality, whereas hashing is used to maintain the integrity of the data, validating that the message is sent from the true sender
Cipher
The result of applying an encryption algorithm that encodes a message into an encrypted form: a combination of numbers and letters that is meaningless and illegible to those without a key
Substitution Ciphers
Algorithms that replace each character of a plaintext message with another character. Very basic ciphers simply replace one letter or number with another using a key, while more complex ciphers use math to perform the substitution.
Transposition Ciphers
Encryption techniques that rearrange the letters of a message to form unreadable ciphertext, often by using a matrix to perform columnar transposition
Data Loss Prevention Systems (DLP)
Enables organizations to detect and prevent attempts by employees or unauthorized users to transfer sensitive information out of the organization electronically across multiple protocols, ports, and communication methods.
-pattern matching
-word recognition
Objectives of a DLP
-implement a centralized DLP program, with collaboration from various departments, that oversees data for the entire organization
-define and create enterprise data usage policies
-evaluate the different forms of data, define levels of sensitivity
-monitor the use of sensitive data
-enforce security policies
-implement employee education programs
Network Based DLP
Scans outgoing data that meets specific criteria and is transmitted by means such as email, file transfer protocols, and direct messaging
-cloud-based DLP applies the same protection, but to the cloud
Endpoint based DLP
Scans files stored on or sent to devices that might be outside of the network, such as a printer, a USB drive, or any other device to which data can be transferred
Physical Security
Locked cabinets and closets, security cameras, and badge entry
Digital Security Controls
Encrypted hard drives, encrypted USB drives, or secure file systems that are encrypted
Authorization and User Access Controls
Control mechanisms, such as role-based access controls, rule-based access controls, and discretionary access controls
-multifactor authentication