Understanding Privacy and Sensitive Data Concepts in Relation to Security
This chapter covers the following topics related to Objective 5.5 (Explain privacy and sensitive data concepts in relation to security) of the CompTIA Security+ SY0-601 certification exam:
Organizational consequences of privacy and data breaches
Reputation damage
Identity theft
Fines
IP theft
Notifications of breaches
Escalation
Public notifications and disclosures
Data types (Classifications)
Public
Private
Sensitive
Confidential
Critical
Proprietary
Personally identifiable information (PII)
Health information
Financial information
Government data
Customer data
Privacy enhancing technologies
Data minimization
Data masking
Tokenization
Anonymization
Pseudo-anonymization
Roles and responsibilities
Data owner
Data controller
Data processor
Data custodian/steward
Data protection officer (DPO)
Information life cycle
Impact assessment
Terms of agreement
Privacy notice
This chapter covers organizational consequences of privacy and data breaches, including reputation damage, identity theft, fines, and IP theft. We also discuss notifications of breaches, including escalation and public notification and disclosures. The chapter continues with an overview of data types and classifications such as public, private, sensitive, confidential, critical, and proprietary. You also learn about personally identifiable information (PII), health information, financial information, government data, and customer data. In addition, you learn about privacy enhancing technologies, including data minimization, data masking, tokenization, anonymization, and pseudo-anonymization. This chapter also covers the roles and responsibilities such as data owner, data controller, data processor, data custodian/steward, and data protection officer (DPO). The chapter finishes with an explanation of the information lifecycle, impact assessment, terms of agreement, and privacy notice.
The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Chapter Review Activities” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 35-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”
Table 35-1 “Do I Know This Already?” Section-to-Question Mapping
| Foundation Topics Section | Questions |
|---|---|
| Organizational Consequences of Privacy and Data Breaches | 1 |
| Notifications of Breaches | 2 |
| Data Types and Asset Classification | 3–6 |
| Privacy Enhancing Technologies | 7, 8 |
| Roles and Responsibilities | 9 |
| Information Lifecycle | 10 |
| Impact Assessment | 11 |
| Terms of Agreement | 12 |
| Privacy Notice | 13 |
Caution
The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.
1. What term is used to describe the crown jewels of an organization?
Intellectual property
Important data
Sensitive data
None of these answers are correct.
2. Which organization requires that any publicly traded company provide a public notification and disclosure of a data breach?
FBI
SEC
CIA
All of these answers are correct.
3. Which type of data classification would cause grave damage to national security?
Top secret
Confidential
Unclassified
None of these answers are correct.
4. Which type of data classification would cause no damage to national security?
Secret
Confidential
Top secret
Unclassified
5. Unauthorized access to which type of data could cause severe damage to an organization?
Nonsensitive
Sensitive
Public
Private
6. What information can be used to distinguish or trace an individual’s identity?
PHI
PII
HIPAA
None of these answers are correct.
7. ________ is a term used to explain the concept of reducing the amount of personal information consumed by online entities.
Data masking
Data minimization
Data usage
Data processing
8. Which of the following is used to obfuscate sensitive data?
Data minimization
Data processing
Data masking
Data control
9. Which role is usually part of the management team and maintains ownership of a subset of data?
Data custodian
Data owner
Data processor
All of these answers are correct.
10. During which phase of the information lifecycle is data obtained?
Disposal
Storage
Usage
Collection
11. Which process that is required by GDPR involves identifying the risk of data compromise to an individual?
Impact assessment
Data control
Terms of agreement
All of these answers are correct.
12. Which concept adopted and required by GDPR helps protect the personal information of an individual?
Data classification
Data inspection
Data collection
Terms of agreement
13. Which document must be provided to individuals defining how their data will be used?
GDPR
Data collection
Terms of agreement
Privacy notice
When it comes to the consequences of privacy and data breaches on an organization, a few factors are typically used to determine the actual impact on the organization. Those factors include reputation damage, identity theft, fines, and intellectual property (IP) theft. Let’s take a deeper look into what each factor really means.
Reputation damage can be attributed to any kind of breach; however, many times the types of breaches that result in reputation damage involve the loss of customer data. These types of compromises typically get more press and in turn become a catalyst for reputation damage. Of course, the impact also depends on the type of organization that incurred the breach and loss of data. For instance, if an organization that is responsible for safely storing personal information about its customers has a breach disclosing that information, the situation is more significant. The resulting outcome of this kind of data breach could be identity theft for its customers. This theft, of course, would significantly affect the company’s brand reputation, which could take a long time to recover, if it ever does.
Note
In identity theft, your personal information is stolen and subsequently used to commit an act of fraud in your name. Many times this act affects credit cards, taxes, and medical records. This theft can, of course, cause severe damage to your credit and take a lot of time to restore.
Depending on the industry where the compromise takes place, it can also result in fines. For instance, the health-care industry regulations fall under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Noncompliance with these regulations carries large fines and can even result in jail time for the individuals responsible.
Regardless of what industry you are responsible for protecting, the ultimate goal is to protect your intellectual property. This is, of course, the organization’s crown jewels and can be in many different forms. For a company that develops software, the crown jewels are the source code of the product it is selling. Even a company that produces food products has intellectual property it is trying to protect, such as a secret recipe.
When a breach happens, specific procedures should be followed based on the regulations of the state where the organization does business. Security breach notification laws require the compromised organization to notify all individuals impacted by the data breach of the personal information that was disclosed. Each state has different legislation enacted to enforce this notification. The intention of such a notification is to provide the impacted individuals with enough information that they will be able to mitigate the possible risk imposed by the data breach. Some of the laws include a requirement for public notifications and disclosures. For instance, the US Securities and Exchange Commission (SEC) requires that any publicly traded company provide a public notification and disclosure of a data breach. Many factors define the actual process of escalation when it comes to data breaches. As discussed, these can include the type of industry, the location of the company doing business, and other factors. An organization should take all these factors into consideration when developing an incident response plan. One of the first factors that should be taken into account is the actual data type.
To protect an asset, an organization first needs to understand how important that asset is. For example, the unauthorized disclosure of the source code of a product might be more impactful on an organization than the disclosure of a public configuration guide. The first step in implementing an access control process is to classify assets or data based on the potential damage a breach to the confidentiality, integrity, or availability of that asset or data could cause.
This process is called asset or data classification, and there are several ways to classify assets. For example, military and governmental organizations commonly use the following classification definitions:
Top Secret: Unauthorized access to top secret information would cause grave damage to national security.
Secret: Unauthorized access to secret information would cause severe damage to national security.
Confidential: Unauthorized access to confidential information would cause damage to national security.
Unclassified: Unauthorized access to unclassified information would cause no damage to national security.
The commercial sector has more variety in the way data classification is done, and more specifically in the labels used for the classification. Here are some commonly used classification labels in the commercial sector:
Confidential or Proprietary: Unauthorized access to confidential or proprietary information could cause grave damage to the organization. Examples of information or assets that could receive this type of classification include source code and trade secrets.
Private: Unauthorized access to private information could cause severe damage to the organization. Examples of information or assets that could receive this type of classification are human resource information (for example, employee salaries), medical records, and so on.
Sensitive: Unauthorized access to sensitive information could cause some damage to the organization. Examples of information or assets that could receive this type of classification are internal team email, financial information, and so on.
Public: Unauthorized access to public information does not cause any significant damage.
Critical: This is data that is critical to the continued function of a business. Loss of this type of data would result in significant monetary loss.
Although the classification schema will differ from one company to another, it is important that all departments within a company use the schema consistently. For each label, there should be a clear definition identifying when that label should be applied and what damage would be caused by unauthorized access. Because the classification of data may also be related to specific times or other contextual factors, the asset-classification process should include information on how to change data classification.
Table 35-2 summarizes the typical classification schemas for the two types of organizations discussed in this section.
Table 35-2 Classification Schema
| Military/Government Classification | Commercial Classification | Damage Degree |
|---|---|---|
| Top Secret | Confidential | Grave damage |
| Secret | Private | Severe damage |
| Confidential | Sensitive | Damage |
| Unclassified | Public | Nonsignificant damage |
The United States government and many regulations require organizations to identify personally identifiable information (PII) and protected health information (PHI) and handle them in a secure manner. Unauthorized release or loss of such data could result in severe fines and penalties for the organization. Given the importance of PII and PHI, regulators and the government want to oversee the usage more efficiently.
According to the Executive Office of the President, Office of Management and Budget (OMB) and the US Department of Commerce, Office of the Chief Information Officer, PII refers to “information which can be used to distinguish or trace an individual’s identity.” The following are a few examples:
Individual’s name
Social Security number
Biological or personal characteristics, such as an image of distinguishing features, fingerprints, X-rays, voice signature, retina scan, and the geometry of the face
Date and place of birth
Mother’s maiden name
Credit card numbers
Bank account numbers
Driver license number
Address information, such as email addresses or street addresses, and telephone numbers for businesses or personal use
TIP
The source of PII can be from many different industries. These include financial information collected by organizations such as banks and insurance companies. It can also be a result of government data that was collected by a specific government entity such as the Internal Revenue Service or Department of Defense. Of course, the most common source is customer data. This data is typically collected by online retail organizations.
HIPAA requires health-care organizations and providers to adopt certain security regulations for protecting health information. The Privacy Rule calls this information “protected health information,” or PHI. This information includes, but is not limited to, the following:
Individual’s name (that is, patient’s name)
All dates directly linked to an individual, including date of birth, death, discharge, and administration
Telephone and fax numbers
Email addresses and geographic subdivisions such as street addresses, zip codes, and county
Medical record numbers and health plan beneficiary numbers
Certificate numbers or account numbers
Social Security number
Driver license number
Biometric identifiers, including voice or fingerprints
Photos of the full face or recognizable features
Any unique number-based code or characteristic
The individual’s past, present, and future physical or mental health or condition
The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual
In today’s world, privacy is very hard to come by. Our everyday lives are on the Internet—some more than others, some by choice and some not. Everyone has a digital footprint. Our information is out there on the Internet regardless of how hard we work to protect it. Accepting that fact is the first step in enabling yourself to address a personal privacy incident. In this section, we discuss privacy enhancing technologies.
Data minimization is a term used to explain a concept or approach to privacy design. The overall concept of data minimization is simply to minimize the amount of your personal information that is consumed by online entities. Data minimization is a privacy tool that is used in many different ways. For instance, a website may choose to not store your personal information if it is not needed—as opposed to many that store it and even resell it for a profit. Additionally, it can be used to develop policies regarding the amount of time the data that is collected about you is actually maintained before being permanently deleted. Individuals can also use tools that will clear information from applications such as web browsers. As you know, web browsers collect a large amount of data, which could in turn be compromised. Minimizing this data reduces the risk of such a compromise.
Another privacy enhancing technology concept is data masking. The goal of data masking is to protect or obfuscate sensitive data. This goal must be achieved while not rendering the data unusable in any way. An example of data masking being used in a real-world environment would be data that is displayed on terminal screens in banks or doctors’ offices. Social Security numbers can be masked to show only the last four digits so that they can be used for verification purposes while not exposing the full Social Security number. A similar form of data obfuscation that is used in privacy enhancing technology is tokenization. The approach of tokenization is to utilize a token to replace or obscure the data in a reversible manner.
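The two techniques just described, as an added example written for this chapter rather than code from the book: a display-layer mask that keeps only the last four digits of a Social Security or card number, and a small in-memory token vault that replaces a value with a random token and can reverse the mapping. The sample records are constructed (not real people), and the `TokenVault` class stands in for a real tokenization service, which would keep the mapping in a separately secured store.

```python
import secrets
from typing import Dict, List

# Constructed sample records for the example; the names and numbers are made up.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "card": "4111111111111111"},
    {"name": "Bob Example", "ssn": "987-65-4321", "card": "5500000000000004"},
]


def mask_ssn(ssn: str) -> str:
    """Display-layer masking: keep only the last four digits, as on a teller's screen."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def mask_card(pan: str) -> str:
    """Mask a card number: replace every digit except the last four."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Reversible tokenization. A random token stands in for the real value; the
    token-to-value mapping lives only inside the vault, so systems that store
    tokens never hold the sensitive value itself. (Hypothetical stand-in for a
    real tokenization service.)"""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so tokenized records can still be joined on the field.
        if value in self._value_to_token:
            return self._value_to_token[value]
        # Tokens are random, so they carry no information about the value they replace.
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and the few systems allowed to call it) can reverse a token."""
        return self._token_to_value[token]


def tokenize_records(records: List[dict], vault: TokenVault) -> List[dict]:
    """Produce copies of the records with the sensitive fields replaced by tokens."""
    return [
        {"name": r["name"], "ssn": vault.tokenize(r["ssn"]), "card": vault.tokenize(r["card"])}
        for r in records
    ]


if __name__ == "__main__":
    vault = TokenVault()
    for rec in tokenize_records(SAMPLE_RECORDS, vault):
        print(rec, "->", mask_ssn(vault.detokenize(rec["ssn"])))
```

The difference between the two techniques is the point the chapter makes: masking is one-way and is applied where the value is displayed, whereas tokenization is reversible but only for whoever can reach the vault. Consistent per-value tokens are a design choice that keeps the tokenized data usable for matching; if that linkability is itself a risk, a vault can issue a fresh token per use instead.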
Anonymization is one of the most critical concepts in privacy enhancing technology. The value of data to an adversary is based on how that data can be used for monetary or other tactical purposes. Being able to correlate various data obtained by adversaries can provide them with the ability to expose an individual or organization. Anonymizing the data allows for it to be used for legitimate purposes while not exposing the identity of the data owner. An example of the need for data anonymization is in the health-care industry. The idea of data anonymization is to decouple the actual sensitive data from the individual to minimize the impact of compromise. In many cases, the actual deployment of anonymization is more in line with pseudo-anonymization, where the data is not completely anonymized. An example would be where the nonsensitive data is not anonymized and is able to be used for other business purposes.
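To make the distinction between anonymization and pseudo-anonymization concrete, here is an added example (not the book's code) in Python. The patient-style rows are constructed. Pseudonymization replaces the direct identifiers with a keyed HMAC of the patient ID, so the nonsensitive columns stay usable and re-identification is possible only for whoever holds the key, which is generated and kept separately from the dataset. Anonymization additionally coarsens the quasi-identifiers (zip code and age) so that no key can link the row back to a person. The helper names and the decade/zip-prefix generalization rules are the example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample rows (made-up patients); diagnosis is the sensitive attribute,
# zip and age are quasi-identifiers, patient_id and name are direct identifiers.
SAMPLE_ROWS = [
    {"patient_id": "P-1001", "name": "Alice Example", "zip": "02139", "age": 34, "diagnosis": "asthma"},
    {"patient_id": "P-1002", "name": "Bob Example", "zip": "02140", "age": 36, "diagnosis": "asthma"},
    {"patient_id": "P-1003", "name": "Carol Example", "zip": "94110", "age": 71, "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = ("patient_id", "name")


def new_pseudonym_key() -> bytes:
    """The re-identification key is generated once and stored apart from the data."""
    return secrets.token_bytes(32)


def pseudonymize(row: dict, key: bytes) -> dict:
    """Pseudo-anonymization: drop direct identifiers and add a keyed pseudonym.
    The same patient always gets the same pseudonym under the same key, so rows
    can still be linked for business use, but only the key holder can reverse it."""
    pseudonym = hmac.new(key, row["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonym
    return out


def anonymize(row: dict) -> dict:
    """Anonymization: drop direct identifiers AND generalize quasi-identifiers,
    so the row is not linkable back to the individual even with any key."""
    return {
        "zip3": row["zip"][:3],                    # 3-digit zip prefix instead of full zip
        "age_band": f"{row['age'] // 10 * 10}s",   # decade band instead of exact age
        "diagnosis": row["diagnosis"],
    }


def reidentify(pseudonymized_row: dict, key: bytes, candidates: List[dict]) -> Optional[str]:
    """The key holder maps a pseudonym back by recomputing HMACs over the known IDs.
    Without the right key the recomputed values never match."""
    for r in candidates:
        if pseudonymize(r, key)["pseudonym"] == pseudonymized_row["pseudonym"]:
            return r["patient_id"]
    return None


if __name__ == "__main__":
    key = new_pseudonym_key()
    for row in SAMPLE_ROWS:
        print(pseudonymize(row, key), "|", anonymize(row))
```

Note why an unkeyed hash would not do for the pseudonym: a plain SHA-256 of a short, guessable identifier can be reversed by anyone who can enumerate the ID space, which is exactly the correlation risk the paragraph describes. The HMAC key is what turns that into a controlled re-identification capability.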
Note
Redaction is often used as a method of obfuscating data. The methods involve replacing some or all of the sensitive data for security and privacy. An example of this is the use of an asterisk when viewing a password field on an application.
The previous sections described the pillars of an access control process and emphasized the importance of correctly classifying data and assets. Who decides whether a set of data should be considered confidential? Who is ultimately responsible in the case of unauthorized disclosure of such data?
Because data is handled by several people at different stages, it is important that an organization build a clear role and responsibility plan. By doing so, the organization maintains accountability and responsibility, reducing confusion and ensuring that security requirements are balanced with the achievement of business objectives.
Regardless of the user’s role, one of the fundamental principles in security is that maintaining the safekeeping of information is everyone’s responsibility.
The following key concepts are related to security roles and responsibilities:
The definition of roles is needed to maintain clear responsibility and accountability.
Protecting the security of information and assets is everyone’s responsibility.
The following roles are commonly used within an organization, although they might be called something different, depending on the organization. Additionally, depending on the size of the organization, an individual might be assigned more than one role.
Executives and senior management: They have the ultimate responsibility over the security of data and assets. They should be involved in and approve access control policies.
Data owner: The data owner, also called the information owner, is usually part of the management team and maintains ownership of and responsibility for a specific piece or subset of data. Part of the responsibility of this role is to determine the appropriate classification of the information, ensure that the information is protected with controls, periodically review classification and access rights, and understand the risk associated with the information.
Data custodian/steward: The data custodian/steward is the individual who performs day-to-day tasks on behalf of the data owner. This person’s main responsibility is to ensure that the information is available to the end user and that security policies, standards, and guidelines are followed.
Data controller: The data controller is the individual who has the greatest responsibility for data privacy protection. This person’s main responsibility is to control how the data is used by applying specific procedures for the data processes.
Data processor: The data processor is the individual who processes the data from the data controller. The data processor must follow the processes put in place by the data controller on how the data is to be used.
System owner: The system owner is responsible for the security of the systems that handle and process information owned by different data owners. This person’s responsibility is to ensure that the data is secure while it is being processed by the system he or she owns. The system owner works closely with the data owner to determine the appropriate controls to apply to data.
Security administrator: The security administrator manages the process for granting access rights to information. This includes assigning privileges, granting access, and monitoring and maintaining records of access.
End user: This role is for the final users of the information. They contribute to the security of the information by adhering to the organization’s security policy.
Besides these roles, several others can be seen in larger organizations, including the following:
Security officer: This person is in charge of the design, implementation, management, and review of security policies and organizing and coordinating information security activities.
Data protection officer (DPO): The data protection officer is an organizational leadership role that is responsible for the overall protection and adherence to data protection processes within the organization. This is a role that is required by General Data Protection Regulation (GDPR) in the European Union (EU).
Information systems security professional: This person is responsible for drafting policies, creating standards and guidelines related to information security, and providing guidance on new and existing threats.
Auditor: This person is responsible for determining whether owners, custodians, and systems are compliant with the organization’s security policies and providing independent assurance to senior management.
The GDPR defines the information lifecycle in four different phases:
Collection of data
Storage of data
How data is used
Disposal of data
Although the steps of the information lifecycle are sometimes named differently based on the source, the phases themselves are still the same.
The collection of data is the phase where the data is consumed by the data processor. GDPR states that when collecting data, there must be a defined consent from the data owner as well as a clear definition of how the data will be used. The overall intent of this is to follow the principle of collecting only data that is necessary and not overcollecting.
After the data is collected, of course, it must go somewhere. It must be stored or maintained in some way. This is the next phase of the information lifecycle: storing and securing the collected data. Defining things like where the data is stored and how long it should be stored are important aspects of this phase of the information lifecycle. GDPR requires that the organization collecting the data maintains the accountability of the security of that data.
Of course, if data is being collected and stored, it should be for a specific purpose. That is the next phase of the information lifecycle: how the data that was collected is actually used. Part of this phase is defining who has access to the data and what they can use it for.
The final phase of the information lifecycle is the disposal of the data. If you do not specifically define how and when the data is to be disposed of, it might linger out there forever, which increases the likelihood of the data being compromised at some point. This is a concept discussed in more detail in Chapter 15, “Understanding the Importance of Physical Security Controls.”
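The four lifecycle phases above translate into a checkable policy. As an added example (not from the book), here is a Python routine that audits stored records against the collection and disposal rules the chapter describes: each record must carry the consent and the stated purpose captured at collection, the purpose must be one the organization has defined a use for, and the record is flagged for disposal once the retention period for that purpose has elapsed. The retention periods and the records are constructed for illustration and are not figures taken from GDPR or any other regulation.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed retention policy: days a record may stay in the storage phase, per stated purpose.
RETENTION_DAYS: Dict[str, int] = {
    "order_fulfilment": 30,
    "warranty": 365,
    "marketing": 180,
}

# Constructed records. Each carries what the collection phase should have captured:
# the purpose the subject was told about, the consent flag, and when it was collected.
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "order_fulfilment", "collected_at": "2024-01-01T00:00:00+00:00", "consent": True},
    {"id": 2, "purpose": "marketing", "collected_at": "2024-03-01T00:00:00+00:00", "consent": False},
    {"id": 3, "purpose": "warranty", "collected_at": "2024-03-01T00:00:00+00:00", "consent": True},
    {"id": 4, "purpose": "analytics", "collected_at": "2024-03-01T00:00:00+00:00", "consent": True},
]


def records_to_dispose(records: List[dict], now_iso: str,
                       policy: Dict[str, int] = RETENTION_DAYS) -> List[Tuple[int, str]]:
    """Return (record id, reason) for every record that should leave storage.

    Reasons, in the order they are checked:
      - "no consent": the collection phase did not record consent for the purpose
      - "undefined purpose": no defined use exists, so there is no basis to keep it
      - "retention expired": the retention period for its purpose has elapsed
    Records not listed are within policy and may stay in the usage phase.
    """
    now = datetime.fromisoformat(now_iso)
    flagged: List[Tuple[int, str]] = []
    for r in records:
        if not r["consent"]:
            flagged.append((r["id"], "no consent"))
            continue
        if r["purpose"] not in policy:
            flagged.append((r["id"], "undefined purpose"))
            continue
        collected = datetime.fromisoformat(r["collected_at"])
        if now - collected > timedelta(days=policy[r["purpose"]]):
            flagged.append((r["id"], "retention expired"))
    return flagged


def retained_ids(records: List[dict], now_iso: str,
                 policy: Dict[str, int] = RETENTION_DAYS) -> List[int]:
    """Complement of records_to_dispose: the ids that are still within policy."""
    disposed = {rid for rid, _ in records_to_dispose(records, now_iso, policy)}
    return [r["id"] for r in records if r["id"] not in disposed]


if __name__ == "__main__":
    for rid, reason in records_to_dispose(SAMPLE_RECORDS, "2024-06-01T00:00:00+00:00"):
        print(f"dispose record {rid}: {reason}")
```

Running a check like this on a schedule is what keeps the disposal phase from being skipped: without a defined retention period and a process that acts on it, the data lingers, which is the risk the paragraph above describes.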
Before data is collected, stored, secured, and disposed of throughout the information lifecycle, it is important to understand how that data, if compromised, could impact the privacy of the individuals whose data it holds. To accomplish this, an organization should complete an impact assessment on any new projects that are to be instated where data will be collected as well as any time the scope of the data use will change. These impact assessments are also sometimes called Privacy Impact Assessments (PIA) or Data Privacy Impact Assessments (DPIA). The result of an impact assessment should produce some kind of report that will identify specific high risks to the data subjects and provide recommendations on how that risk can be minimized.
Another privacy concept that has been adopted by the GDPR is the terms of agreement. In many cases, it is called the data processing agreement. The overall purpose of the data processing agreement is to protect the personal information and the individuals the data is about. The agreement is actually a legal contract that is agreed upon by any entities that will fit the role of data processor in the information lifecycle.
Along with the agreement of how data will be collected, utilized, and processed by an organization, the organization must also provide notification to the individuals it is collecting data from or about. Again, this is a requirement for the General Data Protection Regulation. GDPR ensures that individuals are notified about how their data is being used. This is done via a privacy notice. The notice itself is a document sent from the collecting organization stating how it is conforming to data privacy principles.
Use the features in this section to study and review the topics in this chapter.
Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 35-3 lists a reference of these key topics and the page number on which each is found.
Table 35-3 Key Topics for Chapter 35
| Key Topic Element | Description | Page Number |
|---|---|---|
| Section | Organizational Consequences of Privacy and Data Breaches | 940 |
| Section | Data Types and Asset Classification | 941 |
| Table 35-2 | Classification Schema | 942 |
| Section | Personally Identifiable Information | 943 |
| Section | Protected Health Information | 944 |
| Section | Privacy Enhancing Technologies | 944 |
| Paragraph | Roles and responsibilities | 946 |
| Section | Information Lifecycle | 947 |
Define the following key terms from this chapter, and check your answers in the glossary:
intellectual property (IP) theft
public notifications and disclosures
personally identifiable information (PII)
Answer the following review questions. Check your answers with the answer key in Appendix A.
1. Unauthorized access to ______ information could cause severe damage to the organization.
2. A compromise of __________ data could cause grave damage to national security.
3. Telephone and fax numbers are a form of which type of information?
4. Medical records are a form of which type of information?
5. The term ___________ is used to explain reducing the amount of data as a privacy tool.
6. What form of data obfuscation is performed by replacing data in a reversible manner?
7. What is the role of the individual who has the greatest responsibility in data privacy?
8. What leadership role in an organization is responsible for the overall protection and adherence to the data protection process?