By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Compliance and Assessment: Domain Objectives

5.1 Understand the importance of data privacy and protection.
5.2 Given a scenario, apply security concepts in support of organizational risk mitigation.
5.3 Explain the importance of frameworks, policies, procedures, and controls.

Objective 5.1 Understand the importance of data privacy and protection

Privacy vs. Security

Privacy is the desire to control, and the act of controlling, information about you that you consider personal. Privacy is concerned with keeping your personal information confidential and allowing only those you choose to access it and use it for whatever purposes you deem fit.
Privacy information includes, but is not limited to, name, address, Social Security number (SSN) or social insurance number (SIN), gender identity, date of birth, age, race, medical information, financial information, and so on. Note that some of these data elements are defined and protected by laws and regulations, but this largely depends on the country you reside in. In other countries, different data elements of your personal information are protected, or not protected, depending on the laws and regulations of those respective countries.
In countries governed by the General Data Protection Regulation (GDPR), protected personal data also includes information about your religious or political beliefs, sexual orientation, and so on.
Whereas privacy is the belief that you should be able to control your information and use it or disseminate it as you see fit, security consists of the measures that go into protecting that information, as well as other types of information. While they are not the same thing, they are closely related. Measures that are used as part of security controls can also be applied to privacy. In this module, we’re going to discuss different aspects of security and privacy and how they relate to each other.

What Is Privacy Data?

Most laws recognize specific pieces of data as privacy data. In the United States, this includes name, address, driver’s license number, SSN, and any other data that can be specifically linked to an individual. This type of data is called personally identifiable information, or PII.
Data related to an individual’s medical conditions or care is referred to as healthcare data and is governed in the U.S. by the Health Insurance Portability and Accountability Act, or HIPAA.
These are the two primary privacy data types recognized in the United States. However, other individual data, such as financial data, is also considered personal.
Often you will find financial data intermixed with privacy or healthcare data, depending on how those data combinations are used. For example, if an individual is seeking medical treatment, there may be both medical data and financial data in their medical records because they must pay for any medical procedures performed, and those procedures are billed at certain rates. Individuals provide payment methods that are stored with their medical records. This could include credit card numbers or even insurance information.

Nontechnical Controls

You have different types of controls. Remember that a control is a security measure implemented to protect data. Nontechnical controls typically come in the form of managerial (also called administrative) or operational controls, which are primarily policies and procedures. Those are the key controls that establish what you must do when it comes to protecting privacy information. The technical controls, discussed later on in the module, dictate a large part of the methods for how you must protect privacy information (in other words, the implementation of policies and procedures). We will discuss several nontechnical and technical controls throughout this module.

Data Types

The words data and information are frequently used interchangeably. Technically, data is an individual fact or piece of knowledge. Only when context is given to multiple pieces of data is it referred to as information. Information is cohesive data. For our discussion, however, we will use these terms interchangeably as well. Keep in mind that even a small, singular piece of data can be sensitive, such as a Social Security number or phone number. When combined with other pieces of data, such as a name and address, this becomes privacy information.
Data (and information) types are essentially descriptive categorizations of data; in other words, we are defining what the data relates to. As examples, data types could include privacy data, healthcare data, financial data, company proprietary data, legal data, market data, and so on. Data is defined as a type based on context and relevance.
While there is no overarching formal taxonomy of data types, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60, Volume II, “Guide for Mapping Types of Information and Information Systems to Security Categories,” provides an excellent catalog that describes many different data types.
The figure below shows an excerpt from SP 800-60 and examples of the various information types it describes.

FIGURE: Information types from NIST SP 800-60

Confidentiality

Remember from your earlier studies in cybersecurity that confidentiality is one of the three goals of security. Confidentiality essentially means that we want to keep information accessible only to authorized personnel and prevent access by those who are not authorized. Confidentiality can be ensured using strict access controls such as authentication, permissions, and encryption. Confidentiality can be applied to privacy because only those entities that have a valid need and authorization to access privacy information should be able to do so.

Data Sovereignty

Data sovereignty is a simple concept that means that any privacy data that is generated, stored, processed, transmitted, or received in a particular country is governed by the laws of that country. This actually can become complicated, as we’ll see when we discuss the legal aspects of data privacy, since the laws of one country can extend into another country if the data relating to the citizens of one country is transferred or flows into another country.

Legal Requirements

Legal requirements for the protection of privacy data can be very complex. They also vary between countries, and indeed, even between U.S. states. Legal requirements are based on the data type but also on the different laws and regulations governing that data. Since we are discussing privacy data in particular, it’s useful to examine the legal requirements for the protection of privacy data in the United States and internationally.
Laws and regulations often include requirements to appoint personnel in the organization who are legally accountable for the protection of privacy data stored or processed by the organization. These roles may include a data privacy officer and other individuals designated to protect privacy data (called data processors and controllers in some regulations). Normally, organizations can face legal liability, including lawsuits, fines, or even criminal charges, if they do not protect privacy data as required by law.
In addition to appointing specific roles required by law, there are some elements of privacy policy that should be addressed (at least in the United States) to meet regulatory requirements, particularly in the financial and medical areas.
These include the following:

- Legal authority to collect privacy information
- Purposes that collected information will be used for
- Data integrity and quality
- Minimization and retention of personal information
- Data breach reporting
- Audit of privacy systems and data access
- Privacy risk management
- Rights of individuals to be notified regarding data collection and use policies, to correct erroneous information, and to seek remedies against the collectors of such information

Some of these elements of privacy policy will be discussed later in the module.
Keep in mind that although many countries have privacy laws, privacy is not treated the same all over the world; there is no consistency between countries in law or practice.
International privacy issues include the following:

- The “right to privacy” is defined differently across the world.
- Use of encryption to protect private data is limited or prohibited in certain countries.
- Some data elements are not considered private in some countries.
- Search and seizure of potentially private data varies from country to country.
Here are just a few examples of laws designed to protect privacy data in their respective countries:

- U.S. Constitution 4th Amendment: Protects privacy to the extent that unauthorized search and seizure by government entities and law enforcement is prohibited
- U.S. Privacy Act of 1974: Protects PII used by the U.S. government
- California Consumer Privacy Act (CCPA): Protects California citizens against privacy data misuse and gives more control to the individual
- European Union’s General Data Protection Regulation: Protects individual EU citizens’ (“data subjects”) personal data
- The Data Privacy Act of 2012 (Philippines)
- Article 13 of the Swiss Federal Constitution (Switzerland)
- Personal Information Protection and Electronic Documents Act, or PIPEDA (Canada)
Some countries do not have specific laws or regulations that cover data privacy, but it is included as part of other laws. These countries include some Middle Eastern countries (Kingdom of Saudi Arabia, Kuwait, United Arab Emirates, Bahrain, and Oman) and the People’s Republic of China (PRC).

Data Classification

As mentioned earlier, most of the nontechnical controls are policies and procedures. One of the most important policies you can have in your organization is data classification. Data classification determines to what level systems and data must be protected. This is based upon data sensitivity or criticality.
How critical is the data to your organization? How sensitive is it? What regulations dictate the level of protection? You don’t want to put a lot of time, money, and effort into protecting what would normally be ordinary public information or even company information that’s of little importance, such as the details of the company picnic. That data would be considered a lower sensitivity level and would not warrant very much protection. Other types of data, such as privacy data and other more sensitive data types, warrant a lot more protection. The organization should create a data classification policy to formally determine which data types are considered sensitive data and which are not, as well as the level of protection those types require.
Examples of the data types and protection levels you might find in a data classification policy are shown below.

FIGURE: Examples of Data Sensitivity and Protection Levels in a Policy

Data Ownership

While, ultimately, the organization is the owner of data that is generated, stored, and processed on its systems, there may be a designated data owner by policy, such as the vice president of human resources, who is in charge of ensuring that all privacy data is protected at the appropriate level. The data owner is responsible for setting access controls, including determining who has access to the data, ensuring that legal requirements are met, and determining who is accountable in the event the data is disclosed, lost, or modified through unauthorized means. While the data owner is ultimately responsible and accountable, typically, on a routine daily basis, a data custodian is directly responsible for implementing the security measures to protect data. The data owner makes decisions regarding the data, and the data custodian implements those decisions.

Data Retention and Retention Standards

Data policies should also include data retention standards. By and large, the more data an organization retains, the more difficult it is to maintain that data securely. Organizations retain data for various business reasons, including to develop and market products and services. Data is generated as a result of business processes and transactions. This could include financial data, product or process data, marketing data, and so on. This might even include privacy-related data. Sometimes data is retained for historic or continuity reasons. Depending on the data type, organizations also are required to retain certain data to meet legal or regulatory requirements. When organizations are required by regulation to retain data, requirements are typically imposed on the organization to retain it under certain conditions, such as for a specified length of time and under specified protection conditions.
These conditions could include the following:

- The requirement to keep the data for a specified time under the law
- The requirement to destroy data after that specified time in a specific manner
- The requirement to store the data in a secure manner
- Strict access controls for retained data

Data Minimization

Data minimization is a concept that essentially means that an organization will only collect the minimum necessary amount and types of data to fulfill its purpose of providing specific services to an individual. For example, during a credit application, a company might collect relevant financial data from an individual. However, there would be no reason for the company to collect nonfinancial information beyond superficial contact information. It could not, for instance, collect information on an individual’s health. This would be collecting information beyond what is necessary to provide the individual financial services related to the credit application.

Purpose Limitation

Declaring a limitation of purpose serves to prevent an organization from using data, particularly privacy data, outside of an agreed-upon reason. For example, healthcare organizations may collect privacy data from individuals to support their medical care. Their privacy policy may state that they are allowed to exchange this data only with authorized healthcare providers or business associates and that it may be used to provide diagnosis, treatment, and billing for any healthcare the patient receives. The healthcare organization would be limited to only those particular uses of that data and could not use it outside of the stated purposes, such as for marketing.

Nondisclosure Agreement (NDA)

A nondisclosure agreement (NDA) is a legally binding contract between entities, such as two organizations, or even individuals and organizations.
Essentially, one party owns or controls certain data, and the other party is agreeing that in exchange for access to that data, they will keep it secure and confidential under the conditions specified in the agreement. For example, an individual who begins work for an organization may be required to legally declare via an NDA that they will keep any data they encounter during the normal course of their work confidential and not release it to unauthorized personnel. An NDA could specify certain data types or could generally cover any data that an entity might be exposed to, including company-sensitive, proprietary, or even health and privacy data. NDAs can specify a certain period, or they can be written to last indefinitely. The NDA clearly states the individual’s responsibilities in protecting that data.

Technical Controls

Nontechnical controls are the typical managerial or programmatic controls designed to establish requirements and policy; technical controls are typically the implementation mechanisms for those policies. If the policy says that a certain data type is confidential and must be protected at a certain level, then there should be technical controls to make that happen. You may see technical controls in the form of encryption, data loss prevention (DLP) devices, databases that perform data masking and deidentification, and so on. We’re not going to go down to the heavy technical level in describing these technologies, but you should be familiar with technical controls and how they work to support data privacy and protection.

Access Controls

Access controls are security controls designed to manage who can read or write sensitive data. Access controls help ensure the confidentiality of private information using the following elements:

- Identification: An individual or entity asserting who they are via a username, smartcard, or another mechanism.
- Strong authentication: Technologies that verify that an individual or entity is who they say they are.
- Authorization: Once an individual is authenticated, they must be authorized to access specific data and perform certain actions with it.
- Accountability: Holding an individual accountable for their actions with regard to data access.
- Auditing: The ability to record and verify that an individual performed specific actions on a set of data, such as reading it, deleting it, or modifying it.
- Nonrepudiation: The inability of an individual to claim that they did not access or perform specific actions on data.

Examples of technical access controls that support these elements are object permissions, role-based access, encryption mechanisms, multifactor authentication mechanisms, and audit logs.

Encryption

Encryption is used to transform data from human- and machine-readable format into a form that is not easily read by either, to keep it confidential. Programs use encryption algorithms and keys to encrypt data during transmission from system to system, as well as to protect it while it is being stored. The same programs decrypt (or make readable) data so that it can be used by people and computers for its intended purpose. Protected data classes, such as personal, healthcare, and financial data, use encryption to control access to that data. Only those people or machines that can access the appropriate algorithms and keys should be able to access the data once it has been encrypted.

Data Loss Prevention (DLP)

Data loss prevention is a group of technologies and practices designed to prevent sensitive data from leaving the confines of an organization’s network, including via e-mail, file-sharing services, or even unauthorized removable media attached to hosts. DLP can be added as a separate module for certain network security appliances, as part of host-based security, and through data labeling.
Data labeling enables specially configured network security devices and policies to flag sensitive data as it attempts to leave the network and prevent it from doing so. DLP is particularly essential in environments where there is a great deal of personal or medical information, such as hospitals. DLP starts with written data-sensitivity policies, of course, that are then translated using DLP software integrated with network devices and host-based security. The software tags data with labels corresponding to the data sensitivity policy and can also be integrated with a variety of other line-of-business applications and databases.

Data Masking

There are several techniques used to prevent unauthorized disclosure of privacy information. However, there are instances where authorized users need to access some portions of information that could be considered private, but not necessarily all the information. For example, a database could contain information on a person that includes identifying information as well as medical or financial information. A technician could require access to certain portions of the individual’s record, but not all of it. One technique for limiting the information available to personnel who are not authorized to see all of it is masking. Data masking is simply the obfuscation of parts of certain data elements, such as a Social Security number. An administrative assistant might require access to the last four digits of a person’s SSN to identify that person within the context of their work, but they don’t need access to the entire SSN. In this case, the first five digits might be masked out with asterisks or blanks. Other techniques for limiting the amount of information an otherwise authorized person has available to them include allowing them to access only certain data fields in a record, restricting what they visually see in the query results for a record, restricted user interfaces, and so on.
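The DLP section above describes a gateway that combines data labels with content inspection to stop sensitive data leaving the network. The following added example (not code from the study guide) shows the two checks working together on a handful of constructed outbound messages: a label-based rule that blocks Confidential material addressed outside the organization, and a content rule that looks for SSN-shaped values and Luhn-valid card numbers so that a random 16-digit order number is not reported as a card. The internal domain, the label names, and every message are assumptions made for the example.

```python
import re

# Assumptions for this example: the organization's own mail domain, and the
# sensitivity labels that the data-sensitivity policy says may not leave the
# network. Both are hypothetical.
INTERNAL_DOMAIN = "example.com"
BLOCKING_LABELS = {"Confidential", "Restricted"}

# Constructed sample of outbound messages; every identifier here is made up.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "partner@example.org", "label": None,
     "body": "Reminder: the company picnic is Friday at noon."},
    {"id": "m2", "to": "claims@insurer.example.org", "label": "Confidential",
     "body": "Patient 4417: SSN 123-45-6789, card on file 4111 1111 1111 1111."},
    {"id": "m3", "to": "vendor@example.net", "label": None,
     "body": "PO 1234 5678 9012 3456 shipped today."},
    {"id": "m4", "to": "hr@example.com", "label": None,
     "body": "New hire SSN 321-65-4320 for payroll setup."},
]

# SSN shape with the well-known invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a plausible card number, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return the SSNs and Luhn-valid card numbers found in a piece of text."""
    findings = {"ssn": SSN_RE.findall(text), "card": []}
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            findings["card"].append(digits)
    return findings


def inspect_message(message: dict) -> dict:
    """Apply the labeling policy plus content inspection to one outbound message."""
    domain = message["to"].rsplit("@", 1)[-1].lower()
    external = domain != INTERNAL_DOMAIN
    findings = find_sensitive(message["body"])
    found_kinds = [kind for kind, hits in findings.items() if hits]
    reasons, advisories = [], []
    if external and message["label"] in BLOCKING_LABELS:
        reasons.append(f"label '{message['label']}' may not leave the network")
    if external and found_kinds:
        reasons.append("sensitive content detected: " + ", ".join(found_kinds))
    if found_kinds and message["label"] is None:
        # Internal delivery is allowed, but an untagged message with sensitive
        # content is a labeling gap worth reporting back to the data owner.
        advisories.append("message carries sensitive data but no sensitivity label")
    return {"id": message["id"], "verdict": "block" if reasons else "allow",
            "reasons": reasons, "advisories": advisories, "findings": findings}


def run_gateway(messages=SAMPLE_MESSAGES) -> dict:
    """Map each message id to its verdict, as a gateway log summary would."""
    return {m["id"]: inspect_message(m)["verdict"] for m in messages}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(inspect_message(m))
```

Message m4 is the case the labeling step is meant to catch: it stays internal, so nothing is blocked, but the advisory tells the data owner that an SSN travelled without a label, which is exactly the policy gap DLP tagging is supposed to close.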
In databases that contain a great deal of information, database designers often implement security controls that include role-based access so that a person in one role would not necessarily have access to all the information in a database that someone in another role would.

Deidentification

Mass amounts of data are often used for different but valid purposes than was originally intended; it could be required for use in historical or trend analysis, for research purposes, and so on. For example, suppose a medical researcher needs to examine 1000 records relating to cases of influenza to determine possible common factors for females over the age of 65. Most of the time, limitations on the use of such data would prevent this from happening, since the data could be linked to an individual and violate their privacy rights. This can be solved through the process of deidentification. Deidentification is a method used to remove any data that could indicate the identity of an individual from a record. Normally deidentification involves removing names and other specific identifiers, such as geographical location more detailed than the name of the state or province, birth date (month and day), e-mail address, telephone number, and so on. The specific data that is removed may depend on the type of data and the regulations that cover the data. For instance, HIPAA regulations require that data be deidentified using one of two methods: Safe Harbor, which requires removal of predetermined identifying data elements such as name, date of birth, and geographic location, and Expert Determination, which requires a recognized expert in the field of statistical analysis with a healthcare background who decides on the types of data to remove to reduce the risk of identifying an individual in a large dataset.
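The masking, role-based field restriction, and Safe Harbor-style deidentification described above, together with the tokenization described in the next section, all operate on the same kind of record, so one added example (not code from the study guide) covers them on a single constructed patient record. The role-to-field policy is hypothetical. For tokenization the text describes substituting a hash of the card number; the example instead uses an HMAC with a secret key held by a vault, a choice made here rather than taken from the text, so that the token is still the same for the same card number (and can therefore match the record) but cannot be recovered by hashing guessed card numbers.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; every value is made up for the example.
RECORD = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "dob": "1952-03-14",
    "sex": "F",
    "zip": "02139",
    "state": "MA",
    "email": "jane@example.net",
    "phone": "617-555-0100",
    "diagnosis": "influenza",
    "card_number": "4111111111111111",
}


def mask_ssn(ssn: str) -> str:
    """Data masking: keep only the last four digits, as for the administrative assistant."""
    return "***-**-" + ssn.replace("-", "")[-4:]


# Hypothetical role-to-field policy; a real one would come from the data
# classification policy and the database's role definitions.
ROLE_FIELDS = {
    "admin_assistant": ("name", "ssn", "phone"),
    "clinician": ("name", "dob", "sex", "diagnosis"),
}
MASKED_FIELDS = {"ssn": mask_ssn}


def view_for_role(record: dict, role: str) -> dict:
    """Role-based field restriction, with masking on fields the role may only partly see."""
    view = {}
    for field in ROLE_FIELDS[role]:
        transform = MASKED_FIELDS.get(field, lambda value: value)
        view[field] = transform(record[field])
    return view


# Elements the text lists for deidentification: names and other direct
# identifiers, location finer than state/province, month and day of birth,
# e-mail address and telephone number.
DIRECT_IDENTIFIERS = ("name", "ssn", "email", "phone", "card_number", "zip")


def deidentify(record: dict) -> dict:
    """Safe Harbor-style removal of the identifying elements listed above."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "dob" in out:
        out["birth_year"] = out.pop("dob")[:4]   # keep the year, drop month and day
    return out


def in_cohort(deid: dict, study_year: int, sex: str, min_age: int) -> bool:
    """Cohort test for the researcher's example (females over 65) on a deidentified record."""
    age = study_year - int(deid["birth_year"])
    return deid["sex"] == sex and age > min_age


class TokenVault:
    """Tokenization: hand out a token in place of the card number and keep the
    real value only inside the vault. The token is a truncated keyed HMAC, so
    it is stable for the same input but unrecoverable without the vault key."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)   # vault secret, never shared
        self._store = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. the payment service) may call this."""
        return self._store[token]


if __name__ == "__main__":
    print(view_for_role(RECORD, "admin_assistant"))
    print(deidentify(RECORD))
    vault = TokenVault()
    print(vault.tokenize(RECORD["card_number"]))
```

The split between `tokenize` and `detokenize` is the point of a vault: the record store and the clerk's screen only ever hold `tok_...`, and the component that needs the real number has to be authorized separately to ask the vault for it.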
The deidentification method can also be used by technologies to limit the amount of data that a normal authorized user can access for routine job functions, to prevent an individual from being identified through that data.

Tokenization

Tokenization is another method used to protect certain data elements from disclosure. Instead of displaying a user’s credit card number, for instance, a unique hash value generated on the number might be substituted in a field displayed to an authorized user of that data. This number would remain unique and could still be used to identify the record, while the actual value (in this case, the credit card number) cannot be derived from it.

Digital Rights Management (DRM)

Digital rights management as a technology has been used for several years to prevent pirating of digital media files. Digital files can be tagged with specific information that can protect them in several ways, including limiting how many times or for how long they can be accessed, preventing their copying or alteration, and alerting the copyright holder if an attempt is made to illegally access or copy the files. The same technologies are also useful in protecting private data. DRM can work in a couple of different ways. One way is through the use of containment, where the digital file is encrypted and can only be accessed by those with the correct encryption key, personal identification number (PIN), or password. More often than not, this is a function of the program and encryption mechanism being used to access the file, which can also be configured to securely authorize users for file access. A second approach is through marking, which means that there is a watermark (discussed in the upcoming section), flag, or electronic tag embedded in the file. In the case of an electronic tag, a signal can be sent to a reading device that the file is digitally restricted for access, and this can prevent opening or copying the file.
A potential drawback to the general use of DRM that’s of interest to privacy advocates is the fear that it could be used to take advantage of a user’s private information by changing the level of data access based on the user’s information. For instance, a copyright holder could conceivably charge more money or restrict access to an otherwise available file based on a user’s private data, such as their age, race, and so on.

Watermarking

Watermarking is a form of digital rights management where a file is visually or electronically marked to identify that it came from a certain location or is the property of a particular person or organization. Digital watermarking could be used to identify the source of a digital file containing privacy information, such as a hospital, clinic, or bank. Digital watermarking can also be used to embed a digital signature or other identifying information in a file to ensure its integrity.

Geographic Access Requirements

Yet another measure used to protect privacy information is the use of geographic restrictions on specific data. This can take many forms. First, it’s not uncommon to restrict data to only certain hosts or IP addresses within an organization or network. This is relatively easy to do through technical access controls. To access a patient’s medical record, for example, a healthcare technician may be required to log in from a specific host or at a specific location, such as a records department. The problem with this is that in the increasingly mobile world we live in, doctors and other professionals frequently walk around to visit patients, or even travel to different departments or clinics that are geographically separated, using laptops, tablets, and even mobile phones. When privacy data is accessed on mobile devices, using technical controls such as network access control, encryption for data both in transit and in storage, strong authentication, the use of virtual private networks, and so on, is critical.
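As an added example (not code from the study guide) of the host and IP restriction described above, together with the cross-border restriction discussed in the next paragraph, the policy evaluator below decides whether a request to read a patient record is allowed and, when it is not, says why. The approved networks, the VPN pool, the address-to-country mapping, and the residency rules are all constructed for the example; a real deployment would take them from the NAC or firewall configuration, a geolocation database, and the legal team's data-transfer guidance rather than from a dictionary.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical network layout. Hosts on these networks count as approved
# locations (the records department and a partner clinic's LAN).
APPROVED_HOST_NETS = {
    "records department": ipaddress.ip_network("10.20.30.0/24"),
    "partner clinic LAN": ipaddress.ip_network("172.16.5.0/24"),
}
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")

# Constructed address-to-country mapping standing in for a geolocation database.
SUBNET_COUNTRY = {
    ipaddress.ip_network("10.0.0.0/8"): "US",
    ipaddress.ip_network("172.16.0.0/12"): "DE",
}
# Constructed residency policy: for a requester in a given country, the subject
# countries whose records may be read without a separately documented legal
# basis. Illustrative only, not a statement of any law.
RESIDENCY_RULES = {"US": {"US"}, "DE": {"DE", "FR"}}


@dataclass
class AccessRequest:
    source_ip: str
    via_vpn: bool = False
    mfa: bool = False
    device_encrypted: bool = False
    legal_basis_documented: bool = False


def country_of(ip):
    """Look the requester's country up in the (constructed) geolocation table."""
    for net, cc in SUBNET_COUNTRY.items():
        if ip in net:
            return cc
    return None


def evaluate(req: AccessRequest, subject_country: str):
    """Return (allowed, reasons) for reading a record about a subject of subject_country."""
    ip = ipaddress.ip_address(req.source_ip)
    reasons = []

    # Host/location restriction: an approved network, or a VPN client that
    # also meets the mobile-device conditions (MFA and an encrypted device).
    at_approved_host = any(ip in net for net in APPROVED_HOST_NETS.values())
    compliant_mobile = (ip in VPN_POOL and req.via_vpn and req.mfa
                        and req.device_encrypted)
    if not (at_approved_host or compliant_mobile):
        reasons.append("source is neither an approved host nor a compliant VPN client")

    # Cross-border restriction: the requester's country must be permitted to
    # read this subject's records, or a legal basis must be on file.
    cc = country_of(ip)
    if cc is None:
        reasons.append("requester country unknown")
    elif (subject_country not in RESIDENCY_RULES.get(cc, set())
          and not req.legal_basis_documented):
        reasons.append(f"access from {cc} to a {subject_country} subject's record "
                       "needs a documented legal basis")

    return (not reasons, reasons)


if __name__ == "__main__":
    print(evaluate(AccessRequest("10.20.30.7"), "US"))
    print(evaluate(AccessRequest("10.99.4.2"), "US"))
    print(evaluate(AccessRequest("172.16.5.9"), "US"))
```

Returning the list of reasons rather than a bare boolean is deliberate: the same evaluator output can be written to the audit log, which is what lets a reviewer later distinguish a clinician who tried from an unregistered laptop from one who tried to read a foreign subject's record without a legal basis.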
The second aspect of geographic access restrictions could even be the access of data between different countries. There could be nontechnical and technical controls designed and implemented to prevent access to data from an entity in one country on an individual in another country. In instances where an authorized entity must access data on an individual in another country, they must meet strict requirements, among them legal requirements imposed by regulations such as the GDPR. Such regulations impose additional requirements on the access and use of private data by entities in a different country. This restriction not only applies to privacy or other sensitive data; it can be seen in other forms of information as well. For example, access to content protected under DRM, such as movies or other recorded media, is often restricted to certain countries. This practice is known as geo-blocking, and it limits the geographic locations in which digital content is available. The technologies used to implement this process are the same as those that help protect private information and include watermarking as well as implementing technology to prevent information from being accessed on untrusted devices, especially in certain countries or locations.

REVIEW

Objective 5.1: Understand the importance of data privacy and protection

In this module, we discussed the importance of protecting privacy data. Privacy data could cover a variety of personal data, including personally identifying information, medical data, and financial data. Privacy is the desire to keep and the act of keeping personal data from unauthorized access and controlling how that data is used. Security is the measures taken to protect privacy data. Security uses both nontechnical and technical controls. Nontechnical controls include the creation and enforcement of policies protecting data at a level determined by its type and sensitivity level.
Not all data is protected at the same level; it depends on the sensitivity of the data as well as any legal requirements to protect the data. Legal requirements for data protection vary across the world, as do the different data elements that define privacy data. A data classification or sensitivity policy should be developed and enforced by the organization. A data owner is someone who is legally held responsible and accountable for data protection. Organizational governance, including laws, regulations, and internal policies, should determine data retention policies and standards. Certain types of data are required to be retained for certain periods and using specified protection levels. Data sovereignty refers to subjecting any data created or processed in a specific country to the laws of that country. Data minimization refers to the practice of collecting and using only the minimum amount of privacy data required to fulfill a specific purpose. Organizations are often legally required to use data only for the purposes specified in their data protection policies or the law, and any use outside of those specified purposes is illegal. Nondisclosure agreements are typically required when employees or other entities access protected data, such as privacy information. These agreements state that employees or other entities may not disclose protected data to unauthorized personnel. Technical controls include a variety of access controls designed to prevent unauthorized access to data. Access controls can include strong authentication, authorization through permissions, and encryption. Encryption is used to protect data both in transit and at rest. Data loss prevention technologies are designed to keep protected data from leaving the confines of an organization or its infrastructure. Data masking is a technique used to visibly hide certain data elements to prevent unauthorized disclosure. 
Deidentification removes certain data elements to prevent privacy data from being linked to an individual. Tokenization removes sensitive data elements but replaces them with a hash generated from the data element. Digital rights management is used to protect privacy data by tagging or watermarking the data to determine its source, integrity, and identifying information as well as to prevent it from being copied in an unauthorized manner. Sometimes data is restricted to only being accessible from specific geographic locations, including specified hosts, IP addresses, or even countries.