Study Guide: CompTIA Security SY0-601 Exam: Sensitive Data and Privacy
Source: https://www.fatskills.com/comptia-security-certification/chapter/comptia-security-sy0-601-exam-sensitive-data-and-privacy

CompTIA Security SY0-601 Exam: Sensitive Data and Privacy

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Objective: Explain privacy and sensitive data concepts in relation to security.

Topics:
- data type classification
- personally identifiable information (PII)
- data owner
- data controller
- data processor
- data custodian/steward
- data privacy officer (DPO)
- information life cycle
- privacy impact assessment (PIA)
- terms of agreement
- privacy notice

Sensitive Data Protection
Information systems today are part of almost everything an organization does. The loss of information and information systems has a material impact on various organizational processes and functions. Privacy therefore requires careful consideration.

Ensuring the confidentiality, integrity, and availability of data is at the core of an information security risk management program. Organizations are tasked with many data security and privacy practices that need to be carried out, as defined in policies related to data handling and data management.

Failure to ensure the confidentiality, integrity, and availability of data can result in the following:
- Reputational damage
- Identity theft
- Intellectual property theft
- Regulatory fines and lawsuits

Data policies, which are used to govern overall IT administrative tasks, need to be based on organizational requirements and regulatory compliance.
Policies for data protection should include how to classify, handle, store, and destroy data. It is important for an organization to document its security objectives. Later, it can change and adjust the policy when and as needed. An organization might have a reason to make new classifications as business goals change; when it does, it needs to make sure the changes are recorded in its documentation. Customers should also be provided with appropriate privacy notices and terms of agreement, particularly when an organization offers an electronic service and collects personal data. This is an ongoing, ever-changing process.
Data protection scenarios begin with proper classification of data, based on the impact of its loss or unauthorized access. Organizational data assets might also be subject to legal discovery mandates, and a careful accounting is vital to ensure that data can be located, if requested, and that it is protected against destruction or recycling. Proper data handling also ensures that data storage media can be properly processed for reuse or disposal when appropriate. Special requirements for sensitive data might require the outright destruction of a storage device and logging of its destruction in the inventory catalog.
Also read “Enterprise Security Concepts” for a refresher on privacy-enhancing technologies, such as tokenization, data masking, and redaction.

Data Sensitivity Labeling and Handling
Information must be classified according to its value and level of sensitivity so that the appropriate level of security can be used and access to data can be controlled. A system of classification should be effective and easy to administer and should be uniformly applied throughout the organization. Data classification is an important component of information life cycle management. This is the process around the management of data from its creation to disposal.

A common data classification scheme includes the following classifications:
- Public: Non-sensitive data that has the least, if any, negative impact on the organization. Press releases and marketing materials are two common examples.
- Proprietary: Data disclosed outside the organization on a limited basis. Proprietary data often includes information that is exchanged with prospective customers and business partners, for example. Such data is usually protected by a signed nondisclosure agreement (NDA).
- Private: Compartmental data used within a specific division, such as human resources. Typically, disclosure of private data does not cause the company much damage, but this data should be protected for confidentiality reasons. An example of this type of data is the year-end bonus payout for each employee.
- Confidential: Data that might cause damage to the organization if it were exposed. Confidential data might be widely distributed within an organization but is typically reserved for employees only and should not be shared outside. Examples might include competitive battle cards and employee training presentations.
- Sensitive: Data that would have a severe impact to an organization if it were exposed. Sensitive data typically should not be broadly shared internally or externally. Access to sensitive data should be limited and tightly controlled.

The U.S. government uses a classification system with Top Secret and Secret among the most sensitive classifications. If the information in these categories fell into the wrong hands, it could have grave or severe consequences for national security. Keep in mind that data does not necessarily always stay within one classification. Information about a project under consideration might be considered sensitive until the project plans are finalized. At that point, it might require a lesser classification. As another example, consider a publicly traded company’s financial reports. Eventually, the company will publicly release its quarterly financial statements. However, while the reports are being gathered and prepared, such data is considered sensitive.

An NDA should be in place to protect proprietary data that an organization needs to share with an outside entity.
The preceding discussion focuses mainly on the confidentiality of data. However, data classification should also consider the impact on integrity and availability. For example, data classified as public will likely have no confidentiality implications. However, such data is still subject to integrity and availability considerations. Financial reports available to the public could certainly have a significant impact on an organization if the integrity of that data were compromised. Furthermore, not properly making this information available could have consequences. Similarly, private data needs to be protected for integrity, availability, and confidentiality.
Be sure to consider confidentiality, integrity, and availability in any scenario that involves data classification. Although public data does not require confidentiality, it might be important to consider its integrity and availability.
Understanding and documenting how classifications correlate to security objectives is important. When classifications are established, they should be adhered to and closely monitored, and employees should be trained so that they understand the information classifications. Data classifications can also help when submitting discoverable information that is subject to the Federal Rules of Civil Procedure, if the organization will be involved in a lawsuit.

Privacy Laws and Regulatory Compliance
Particularly in light of various privacy laws regarding sensitive data about individuals, organizations have implemented processes to identify and label data that may potentially be subject to such laws and regulations. Two of the most common examples are personally identifiable information (PII) and personal health information (PHI). PII is, broadly, any data that can be used to identify an individual.

More specifically, the U.S. Office of Management and Budget defines PII as “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

To be considered PII, information must be specifically associated with an individual person. Gender and state of residence, for example, don’t by themselves identify an individual. Information that is either provided anonymously or not associated with its owner before collection is not considered PII. Unique information, such as a personal profile, a unique identifier, biometric information, and an IP address that is associated with PII, can be considered PII. The definition of PII is not anchored to any single category of information or technology. An organization must train employees to recognize that non-PII data can become PII data whenever additional information is made publicly available (in any medium and from any source) so that, when combined with other available information, it could be used to identify an individual. Organizations should require all employees and contractors to complete privacy training annually, beginning within a set number of days after the start of employment.
PII is information about a person that contains some unique identifier from which the identity of the person can be determined. Examples of PII include name, address, phone number, fax number, email address, financial profile, Social Security number, and credit card information. PII is not limited to these examples and includes any other personal information that is linked or linkable to an individual.

PHI applies to specific organizations that create and collect health information, as covered under the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s Privacy Rule regulates the use and disclosure of PHI for organizations. Organizations must understand their responsibilities regarding such data and must also know the practices they must abide by. For example, PHI must be protected for 50 years after an individual’s death. In addition, the Privacy Rule specifically requires that the covered entities abide by the following regarding PHI:
- Organizations must disclose PHI to individuals within 30 days, upon request.
- Individuals must be notified of uses regarding their PHI.
- A patient’s written authorization is required before PHI is disclosed for treatment or payment.
- Organizations must take reasonable steps to ensure the confidentiality of communications with individuals.
- Reasonable efforts must be made to disclose minimal information to achieve its purpose.
- Disclosures of PHI must be tracked, and privacy and policy procedures must be documented.

Many other privacy and regulatory requirements affect the safeguarding and handling of personal information. In the United States, examples include the Gramm–Leach–Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act. Related examples include the General Data Protection Regulation (GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA). As of May 2018, GDPR strengthens and unifies data protection for individuals within the European Union. Although GDPR is a law of the European Union, it has wide reach globally because many organizations operate globally and have customers around the world. PIPEDA is a Canadian law that governs the collection and use of personal information.
For many organizations, privacy policies mandate detailed requirements to assure privacy and spell out significant legal penalties for noncompliance. As a result, organizational privacy policies will play a big role in helping to drive compliance.

A privacy policy must contain the following features:
- A list of the categories of PII the operator collects
- A list of the categories of third parties with which the operator might share such PII
- A description of the process by which consumers can review and request changes to their PII collected by the operator
- A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy

Data Roles and Responsibilities
All data in your organization should have assigned data roles. This starts with data ownership. The data owner is responsible for determining how much risk to accept. On the surface, data ownership might seem to be a simple matter. However, one look at a transaction that involves third parties proves otherwise. When an employee purchases an airline ticket for business travel, processing intermediaries such as payment systems, ticket processors, and online booking tools assert a right to capture and distribute travel data. These intermediaries might also make data available to third-party aggregators. The question of rightful ownership remains murky. Depending on who you ask, the data being collected could belong to the organization, the booking agency, or the airline.
The organization must decide who will be permitted to access data and how those parties can use it. To protect organizational data, when the organization enters any third-party agreement, the topic of data ownership and data aggregation must be addressed.

Some cloud services offer data ownership agreements that specifically identify the data owner and outline ownership of relevant data. When assessing data ownership, especially when the organization is using a cloud provider, consider the following:
- A determination of what is relevant data
- Provisions for exercising rights of ownership over the data
- Access to the organization’s environments
- Costs associated with exercising rights of ownership over the data
- Contract term and termination conditions
- Liability of the cloud provider

Data classification and appropriate data ownership are key elements in an organization’s security policy. These concepts must be extended to third-party entities to properly protect data that belongs to the organization. A key component of any security program is clearly defined roles and responsibilities.

Pertaining specifically to the data, you should be familiar with three primary roles:
- Data owner: The data owner often is responsible for a specific information asset and is often a senior person within a department or division. For example, the vice president of human resources could be the data owner for all employee data. The data owner is responsible for determining the classification level of the data.
- Data custodian/steward: The data custodian is responsible for implementing the data classification and security controls, given the classification determined by the data owner. The data custodian is also known as the data steward.
- Data privacy officer: The data privacy officer (DPO) is responsible for legal compliance with data privacy regulations and manages data protection risk that relates to ensuring the proper management of personal and protected information. For example, in addition to the requirements mentioned in the previous section, HIPAA also requires covered entities to designate a privacy officer.

The GDPR has further defined two additional roles: the data controller and the data processor. GDPR defines the data controller as “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” This role is essentially the manager of personal data. An individual who processes personal data on behalf of the data controller is known as a data processor.
Data owners determine the level of classification for their data, and data custodians/stewards implement the classification and security controls for the data.

Data Retention and Disposal
Sensitive and privacy-related data (including log files, physical records, security evaluations, and other operational documentation) should be managed according to an organization’s retention and disposal policies. These should include specifications for access authorization, term of retention, and requirements for disposal. Depending on the relative level of data sensitivity, retention and disposal requirements may become extensive and detailed.
Industry best practices and laws can also affect the retention and storage of data, log files, and audit logs. For example, in the United States, the Federal Rules of Civil Procedure (FRCP) have implications for data retention policies. They govern the conduct and procedure of all civil actions in federal district courts. Organizations can face issues related to the discovery, preservation, and production of digitally stored information. For example, if an organization is sued by a former employee for wrongful termination, the organization might be compelled during the discovery phase of the suit to produce all documents related to that individual’s work performance. This used to mean personnel records and copies of any written correspondence (such as memos and letters) concerning the performance of that employee. Previously, debate sometimes arose over what constitutes a document, given that most records now reside in electronic format. The FRCP establishes that electronic data is clearly subject to discovery. It goes further and says that all data is subject to discovery, regardless of storage format or location; email, instant messaging, mobile devices, and voice mail, for example, are all subject to discovery.
Consideration must be given to the burden placed on organizations when they are required to produce data, as well as the economic value and business advantage of the data retained. Consider the Payment Card Industry Data Security Standard (PCI DSS) requirements governing the use and storage of credit card data. An organization that processes and stores credit card data is likely to be subject to these requirements. However, choosing to forgo the burden by outsourcing credit card processing and not storing the data could impact personalized business and other value-added services the company could offer its clients.
By limiting the collection of personal information to the least amount necessary to conduct business, an organization limits potential negative consequences in case of a data breach involving PII. Organizations should consider the types, categories, and total amount of PII used, collected, and maintained. When PII is no longer relevant or necessary, it should be properly destroyed in accordance with any litigation holds and the Federal Records Act. Organizations should also ensure that retired hardware has been properly sanitized before disposal. When organizations choose to capture and retain sensitive data, privacy-enhancing technologies should be employed to protect the data and ensure privacy. This includes minimizing the types of data collected and stored to only that which is necessary. Otherwise, data should be protected by controls such as data masking, tokenization, and anonymization.
Data retention policies should consider the requirements surrounding retention of data. In the absence of any such requirements, the policies need to balance the needs for proper safeguarding and potential legal burdens against the value of retaining the data. At a minimum, these policies should clearly describe which data is retained and for how long. Proper disposal and disposal techniques are covered in depth in the guide “Physical Security Controls.”

Privacy Impact Assessment
A privacy impact assessment (PIA) is needed for any organization that collects, uses, stores, or processes personal information. This includes, for example, the data of employees, partners, and customers. Specific types of sensitive data include PII and PHI. The PIA is an important first step in identifying such information assets. A privacy threshold assessment can determine whether a system contains such information. This assessment is required before an organization analyzes impact and determines how to best protect the information. A privacy threshold assessment can be as simple as distributing a questionnaire to system and application owners. The assessment might consist of an assortment of specific data fields for the owner to select.

Examples could include name, Social Security number, gender, citizenship, place of birth, address, phone number, credit card number, driver’s license number, race, income, and banking information.
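The screening step above, together with the masking and tokenization controls named in the retention section, as an added example (not from this guide or any exam body): the field lists follow the questionnaire examples in the text, while the mapping of fields to the “Sensitive”/“Private” levels and the choice of control per field are assumptions made for this example.

```python
"""Privacy threshold assessment (PTA) screening, plus masking and
tokenization for PII the organization decides to retain. Field lists
follow the guide; the sensitivity and control mappings are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Questionnaire fields from the guide's example list. Direct identifiers
# make a system a PII system by themselves; quasi-identifiers only do so
# once they are linked to an identifier held in the same system.
DIRECT_IDENTIFIERS = {
    "name", "social_security_number", "place_of_birth", "address",
    "phone_number", "credit_card_number", "drivers_license_number",
    "banking_information",
}
QUASI_IDENTIFIERS = {"gender", "citizenship", "race", "income"}
# Assumed: identifiers whose exposure would rate "Sensitive" in the guide's
# scheme; any other PII system is treated as "Private".
SENSITIVE_FIELDS = {"social_security_number", "credit_card_number",
                    "drivers_license_number", "banking_information"}


@dataclass
class PTAResult:
    contains_pii: bool
    pia_required: bool
    classification: Optional[str]
    flagged_fields: List[str] = field(default_factory=list)


def threshold_assessment(selected: Set[str]) -> PTAResult:
    """Screen a system owner's questionnaire answers: a full privacy impact
    assessment is required only when the system actually holds PII."""
    direct = selected & DIRECT_IDENTIFIERS
    if not direct:                      # quasi-identifiers alone are not PII
        return PTAResult(False, False, None)
    level = "Sensitive" if direct & SENSITIVE_FIELDS else "Private"
    quasi = selected & QUASI_IDENTIFIERS  # linkable once an identifier exists
    return PTAResult(True, True, level, sorted(direct | quasi))


def mask(value: str, visible: int = 4) -> str:
    """Irreversible masking: keep only the trailing digits (e.g. of a card)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "*" * (len(digits) - visible) + digits[-visible:]


class TokenVault:
    """Tokenization: a keyed hash stands in for the value downstream, so the
    same person can still be matched across systems; only the vault, held by
    the data custodian, can map a token back to the original value."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)   # never leaves the vault
        self._store: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:16]
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]
```

A system that selects only gender, citizenship and income screens as not holding PII, so no PIA is triggered; adding a name to the same system flips the result and pulls those quasi-identifiers into the flagged set.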

As demonstrated earlier, an analysis of the impact of loss or disclosure is needed. A common consequence might be regulatory fines. In fact, all 50 states have laws requiring notification of breaches involving personally identifiable information. Consider, though, that other consequences might be worse. For example, imagine the consequences of the unauthorized disclosure of personnel information for operatives working undercover for a federal agency.
Assessing threat actors begins with identifying their relationship to the organization as internal or external.

Quiz questions:

1. Your organization uses the private and public labels to classify data, as the internal security policy details how data should be protected based on the classification label. The decision was made to add an additional “proprietary” label. Which is the most likely reason this was done?
   A. To create more searchable data
   B. To provide better data classification
   C. To clarify data that should not be shared outside the organization
   D. To reduce costs

2. Which one of the following is responsible for implementing the data classification and security controls?
   A. Data owner
   B. Data custodian
   C. Data privacy officer
   D. Data controller

3. Which data classification type contains data that would have a severe impact to the organization were it exposed, that should not be broadly shared internally or externally, and that should be tightly controlled?
   A. Public
   B. Proprietary
   C. Confidential
   D. Sensitive

Answer 1: B. This additional level of classification will help differentiate how data should be protected. While it could help make data more searchable, the question indicates that it’s related to the policy for how data should be protected. Thus, answer A is incorrect. Answer C is incorrect because proprietary data may still be shared outside the organization. Answer D is also incorrect because there may arguably be an indirect cost reduction as a result, but this is not the most appropriate choice, given the question.
Answer 2: B. The data custodian is responsible for implementing the data classification and security controls, given the classification determined by the data owner. The data custodian is also known as the data steward. Answers A, C, and D are incorrect. The owner is responsible for determining the classification level of the data. The data privacy officer (DPO) is responsible for legal compliance with regulations. The controller is the manager of personal data according to the General Data Protection Regulation (GDPR).
Answer 3: D. Data that is classified as sensitive would have a severe impact to an organization if it were exposed. It typically should not be broadly shared internally or externally. Access to sensitive data should be limited and tightly controlled. Answer A is incorrect. Public data is non-sensitive data that has the least, if any, negative impact on the organization. Answer B is incorrect. Proprietary data often includes information that is exchanged with prospective customers and business partners. Answer C is incorrect. Confidential data might cause damage to the organization if it were exposed. It might be widely distributed within an organization but is typically reserved for employees only and should not be shared outside.