Chapter 35

Understanding Privacy and Sensitive Data Concepts in Relation to Security

This chapter covers the following topics related to Objective 5.5 (Explain privacy and sensitive data concepts in relation to security) of the CompTIA Security+ SY0-601 certification exam:

  • Organizational consequences of privacy and data breaches

    • Reputation damage

    • Identity theft

    • Fines

    • IP theft

  • Notifications of breaches

    • Escalation

    • Public notifications and disclosures

  • Data types (Classifications)

    • Public

    • Private

    • Sensitive

    • Confidential

    • Critical

    • Proprietary

    • Personally identifiable information (PII)

    • Health information

    • Financial information

    • Government data

    • Customer data

  • Privacy enhancing technologies

    • Data minimization

    • Data masking

    • Tokenization

    • Anonymization

    • Pseudo-anonymization

  • Roles and responsibilities

    • Data owner

    • Data controller

    • Data processor

    • Data custodian/steward

    • Data protection officer (DPO)

    • Information life cycle

  • Impact assessment

  • Terms of agreement

  • Privacy notice

This chapter covers organizational consequences of privacy and data breaches, including reputation damage, identity theft, fines, and IP theft. We also discuss notifications of breaches, including escalation and public notification and disclosures. The chapter continues with an overview of data types and classifications such as public, private, sensitive, confidential, critical, and proprietary. You also learn about personally identifiable information (PII), health information, financial information, government data, and customer data. In addition, you learn about privacy enhancing technologies, including data minimization, data masking, tokenization, anonymization, and pseudo-anonymization. This chapter also covers the roles and responsibilities such as data owner, data controller, data processor, data custodian/steward, and data protection officer (DPO). The chapter finishes with an explanation of the information lifecycle, impact assessment, terms of agreement, and privacy notice.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Chapter Review Activities” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 35-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 35-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                                  Questions
Organizational Consequences of Privacy and Data Breaches   1
Notifications of Breaches                                  2
Data Types and Asset Classification                        3–6
Privacy Enhancing Technologies                             7, 8
Roles and Responsibilities                                 9
Information Lifecycle                                      10
Impact Assessment                                          11
Terms of Agreement                                         12
Privacy Notice                                             13

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What term is used to describe the crown jewels of an organization?

  1. Intellectual property

  2. Important data

  3. Sensitive data

  4. None of these answers are correct.

2. Which organization requires that any publicly traded company provide a public notification and disclosure of a data breach?

  1. FBI

  2. SEC

  3. CIA

  4. All of these answers are correct.

3. Which type of data classification would cause grave damage to national security?

  1. Top secret

  2. Confidential

  3. Unclassified

  4. None of these answers are correct.

4. Which type of data classification would cause no damage to national security?

  1. Secret

  2. Confidential

  3. Top secret

  4. Unclassified

5. Unauthorized access to which type of data could cause severe damage to an organization?

  1. Nonsensitive

  2. Sensitive

  3. Public

  4. Private

6. What information can be used to distinguish or trace an individual’s identity?

  1. PHI

  2. PII

  3. HIPAA

  4. None of these answers are correct.

7. ________ is a term used to explain the concept of reducing the amount of personal information consumed by online entities.

  1. Data masking

  2. Data minimization

  3. Data usage

  4. Data processing

8. Which of the following is used to obfuscate sensitive data?

  1. Data minimization

  2. Data processing

  3. Data masking

  4. Data control

9. Which role is usually part of the management team and maintains ownership of a subset of data?

  1. Data custodian

  2. Data owner

  3. Data processor

  4. All of these answers are correct.

10. During which phase of the information lifecycle is data obtained?

  1. Disposal

  2. Storage

  3. Usage

  4. Collection

11. Which process that is required by GDPR involves identifying the risk of data compromise to an individual?

  1. Impact assessment

  2. Data control

  3. Terms of agreement

  4. All of these answers are correct.

12. Which concept adopted and required by GDPR helps protect the personal information of an individual?

  1. Data classification

  2. Data inspection

  3. Data collection

  4. Terms of agreement

13. Which document must be provided to individuals defining how their data will be used?

  1. GDPR

  2. Data collection

  3. Terms of agreement

  4. Privacy notice

Foundation Topics

Organizational Consequences of Privacy and Data Breaches

When it comes to the consequences of privacy and data breaches on an organization, a few factors are typically used to determine the actual impact on the organization. Those factors include reputation damage, identity theft, fines, and intellectual property (IP) theft. Let’s take a deeper look into what each factor really means.

Reputation damage can be attributed to any kind of breach; however, many times the types of breaches that result in reputation damage involve the loss of customer data. These types of compromises typically get more press and in turn become a catalyst for reputation damage. Of course, the impact also depends on the type of organization that incurred the breach and loss of data. For instance, if an organization that is responsible for safely storing personal information about its customers has a breach disclosing that information, the situation is more significant. The resulting outcome of this kind of data breach could be identity theft for its customers. This theft, of course, would significantly affect the company’s brand reputation, which could take a long time to recover, if it ever does.

Note

In identity theft, your personal information is stolen and subsequently used to commit an act of fraud in your name. Many times this act affects credit cards, taxes, and medical records. This theft can, of course, cause severe damage to your credit and take a lot of time to restore.

Depending on the industry in which the compromise takes place, it can also result in fines. For instance, US health-care organizations are regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Noncompliance carries civil monetary penalties, and knowing or willful misuse of protected health information can also bring criminal penalties, including imprisonment, for the individuals responsible.

Regardless of what industry you are responsible for protecting, the ultimate goal is to protect your intellectual property. This is, of course, the organization’s crown jewels and can be in many different forms. For a company that develops software, the crown jewels are the source code of the product it is selling. Even a company that produces food products has intellectual property it is trying to protect, such as a secret recipe.

Notifications of Breaches

When a breach happens, the organization must follow the breach notification procedures that apply in each jurisdiction where it does business. Security breach notification laws require the compromised organization to notify every individual whose personal information was disclosed. In the United States every state has enacted its own statute, and the definition of personal information, the notification deadline, and the thresholds that trigger notification differ from state to state. The intention of such a notification is to give the affected individuals enough information to mitigate the risk the breach creates for them (for example, by freezing their credit or changing reused passwords). Some of the laws also require public notifications and disclosures. For instance, the US Securities and Exchange Commission (SEC) requires publicly traded companies to disclose material cybersecurity incidents to investors, so a data breach at a public company may have to be announced publicly and not only to the individuals affected. Many factors define the actual process of escalation for a data breach: the type of industry, the location where the company does business, the type of data involved, and others. An organization should take all of these factors into account when developing an incident response plan. The type of data involved is one of the first things to establish, because it determines which notification obligations apply.

Data Types and Asset Classification

To protect an asset, an organization first needs to understand how important that asset is. For example, the unauthorized disclosure of the source code of a product might be more impactful on an organization than the disclosure of a public configuration guide. The first step in implementing an access control process is to classify assets or data based on the potential damage a breach to the confidentiality, integrity, or availability of that asset or data could cause.

This process is called asset or data classification, and there are several ways to classify assets. For example, military and governmental organizations commonly use the following classification definitions:

  • Top Secret: Unauthorized access to top secret information would cause grave damage to national security.

  • Secret: Unauthorized access to secret information would cause severe damage to national security.

  • Confidential: Unauthorized access to confidential information would cause damage to national security.

  • Unclassified: Unauthorized access to unclassified information would cause no damage to national security.

The commercial sector has more variety in the way data classification is done—more specifically, to the label used in the classification. Here are some commonly used classification labels in the commercial sector:

  • Confidential or Proprietary: Unauthorized access to confidential or proprietary information could cause grave damage to the organization. Examples of information or assets that could receive this type of classification include source code and trade secrets.

  • Private: Unauthorized access to private information could cause severe damage to the organization. Examples of information or assets that could receive this type of classification are human resource information (for example, employee salaries), medical records, and so on.

  • Sensitive: Unauthorized access to sensitive information could cause some damage to the organization. Examples of information or assets that could receive this type of classification are internal team email, financial information, and so on.

  • Public: Unauthorized access to public information does not cause any significant damage.

  • Critical: This is data that is critical to the continued function of a business. Loss of this type of data would result in significant monetary loss.

Although the classification schema will differ from one company to another, it is important that all departments within a company use the schema consistently. For each label, there should be a clear definition identifying when that label should be applied and what damage would be caused by unauthorized access. Because the classification of data may also be related to specific times or other contextual factors, the asset-classification process should include information on how to change data classification.

Table 35-2 summarizes the typical classification schemas for the two types of organizations discussed in this section.

Table 35-2 Classification Schema

Military/Government Classification   Commercial Classification   Damage Degree
Top Secret                           Confidential                Grave damage
Secret                               Private                     Severe damage
Confidential                         Sensitive                   Damage
Unclassified                         Public                      Nonsignificant damage

Personally Identifiable Information and Protected Health Information

The United States government and many regulations require organizations to identify personally identifiable information (PII) and protected health information (PHI) and handle them securely. Unauthorized release or loss of such data can result in severe fines and penalties for the organization. Because of the importance of PII and PHI, regulators define what counts as each, how it must be protected, and how its loss must be reported.

PII

According to the Executive Office of the President, Office of Management and Budget (OMB) and the US Department of Commerce, Office of the Chief Information Officer, PII refers to “information which can be used to distinguish or trace an individual’s identity.” The following are a few examples:

  • Individual’s name

  • Social Security number

  • Biological or personal characteristics, such as an image of distinguishing features, fingerprints, X-rays, voice signature, retina scan, and the geometry of the face

  • Date and place of birth

  • Mother’s maiden name

  • Credit card numbers

  • Bank account numbers

  • Driver license number

  • Address information, such as email addresses or street addresses, and telephone numbers for businesses or personal use

TIP

The source of PII can be from many different industries. These include financial information collected by organizations such as banks and insurance companies. It can also be a result of government data that was collected by a specific government entity such as the Internal Revenue Service or Department of Defense. Of course, the most common source is customer data. This data is typically collected by online retail organizations.

PHI

HIPAA requires covered entities (health-care providers, health plans, and health-care clearinghouses) and their business associates to adopt specific safeguards for health information. The HIPAA Privacy Rule calls this information “protected health information,” or PHI. This information includes, but is not limited to, the following:

  • Individual’s name (that is, patient’s name)

  • All dates directly linked to an individual, including dates of birth, death, admission, and discharge

  • Telephone and fax numbers

  • Email addresses and geographic subdivisions such as street addresses, zip codes, and county

  • Medical record numbers and health plan beneficiary numbers

  • Certificate numbers or account numbers

  • Social Security number

  • Driver license number

  • Biometric identifiers, including voice or fingerprints

  • Photos of the full face or recognizable features

  • Any unique number-based code or characteristic

  • The individual’s past, present, and future physical or mental health or condition

  • The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual

Privacy Enhancing Technologies

In today’s world, privacy is very hard to come by. Our everyday lives are on the Internet—some more than others, some by choice and some not. Everyone has a digital footprint. Our information is out there on the Internet regardless of how hard we work to protect it. Accepting that fact is the first step in enabling yourself to address a personal privacy incident. In this section, we discuss privacy enhancing technologies.

Data minimization is a privacy-by-design principle: collect, process, and retain only the personal data that is needed for a stated purpose, and nothing more. It is applied in several ways. A website may choose not to store personal information it does not need, as opposed to the many sites that store it and even resell it for a profit. The principle also drives retention policy, that is, how long the data collected about you is kept before it is permanently deleted. Individuals can apply the same idea with tools that clear information from applications such as web browsers; browsers collect a large amount of data, which could in turn be compromised, and minimizing that data reduces the impact of such a compromise. The security benefit is simple: data that was never collected, or that has already been deleted, cannot be breached.

Another privacy enhancing technology is data masking. The goal of data masking is to obfuscate sensitive data while leaving it usable for its intended purpose. A real-world example is the data displayed on terminal screens in banks or doctors’ offices: a Social Security number can be masked to show only the last four digits, so the clerk can still use it for a verification step without the full number being exposed. Masking is normally a one-way operation; the hidden digits cannot be recovered from the masked value. A related form of obfuscation is tokenization, which replaces the sensitive value with a surrogate token that carries no exploitable information by itself. The mapping between token and original value is kept in a separate, tightly controlled store (often called a token vault), so the substitution is reversible, but only by systems that are allowed to reach the vault. Payment systems use this approach to keep card numbers out of the many systems that only need a reference to a card.

Anonymization is one of the most critical concepts in privacy enhancing technology. The value of data to an adversary depends on how it can be used for monetary or other tactical purposes, and correlating various data sets can give an adversary the ability to expose an individual or organization. Anonymizing data lets it be used for legitimate purposes, such as medical research in the health-care industry, without exposing the identity of the data subject: the identifying attributes are removed or generalized so that the remaining data can no longer be linked to a person, which limits the impact of a compromise. In practice, many deployments are pseudo-anonymization (pseudonymization in GDPR terminology) rather than true anonymization: the direct identifiers are replaced with pseudonyms, the information needed to re-identify a record is kept separately under its own controls, and the nonsensitive attributes are left as they are so the data can still be used for other business purposes. Because the link back to the individual still exists, GDPR treats pseudonymized data as personal data, whereas truly anonymized data falls outside its scope. Whether data is anonymized or merely pseudonymized therefore matters when assessing the consequences of a breach.

Note

Redaction is often used as a method of obfuscating data. The methods involve replacing some or all of the sensitive data for security and privacy. An example of this is the use of an asterisk when viewing a password field on an application.
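The three transformations described above, masking, tokenization, and pseudonymization, differ mainly in whether and by whom they can be reversed. The following Python example is added here to make that difference concrete; it is not code from the chapter or from any product. The record, the SSN, the function names, the `TokenVault` class, and the in-memory vault are all constructed for illustration, and the HMAC key would in practice be kept in a key management system rather than generated beside the data.

```python
# Added example (not from the chapter text): masking, tokenization and
# pseudonymization applied to one constructed patient record, showing
# which of the three transformations can be reversed and by whom.
import hashlib
import hmac
import secrets
from typing import Dict


def mask_ssn(ssn: str) -> str:
    """Data masking: reveal only the last four digits. Irreversible; the
    masked value is still usable for a 'last four' identity check."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a nine-digit SSN")
    return "***-**-" + digits[-4:]


class TokenVault:
    """Tokenization: the sensitive value is swapped for a random surrogate
    and the token-to-value mapping lives only in this vault. Reversible,
    but only for code that holds a reference to the vault, so the token
    can sit in logs, reports or less trusted databases without exposing
    the real value. (Hypothetical in-memory vault for illustration.)"""

    def __init__(self) -> None:
        self._value_by_token: Dict[str, str] = {}
        self._token_by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._token_by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random; carries no information
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization: deterministic keyed hash (HMAC-SHA-256). Equal inputs
    give equal pseudonyms, so records about the same person can still be
    joined; re-identification needs the key, which is held separately.
    An unkeyed hash would not do: the SSN space is small enough to hash
    exhaustively, so sha256(ssn) alone could be reversed by brute force."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Drop the direct identifiers, replace the linking identifier with a
    pseudonym, and keep the non-identifying fields a business process needs."""
    return {
        "subject": pseudonymize(record["ssn"], key),
        "visit_year": record["visit_year"],
        "diagnosis_code": record["diagnosis_code"],
    }


# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "visit_year": "2021",
    "diagnosis_code": "J06.9",
}

if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # would live in a KMS/HSM, not beside the data
    print("masked:       ", mask_ssn(SAMPLE_RECORD["ssn"]))
    token = vault.tokenize(SAMPLE_RECORD["ssn"])
    print("tokenized:    ", token, "->", vault.detokenize(token))
    print("pseudonymized:", pseudonymize_record(SAMPLE_RECORD, key))
```

The point to notice is where the secret lives in each case: masking has none (nothing to steal, nothing to recover), tokenization's secret is the vault contents, and pseudonymization's secret is the HMAC key. A breach of the pseudonymized data set alone does not identify anyone, but a breach of the data set together with the key, or together with the vault, does; that is why GDPR still counts pseudonymized data as personal data.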

Roles and Responsibilities

The previous sections described the pillars of an access control process and emphasized the importance of correctly classifying data and assets. Who decides whether a set of data should be considered confidential? Who is ultimately responsible in the case of unauthorized disclosure of such data?

Because data is handled by several people at different stages, it is important that an organization build a clear role and responsibility plan. By doing so, the organization maintains accountability and responsibility, reducing confusion and ensuring that security requirements are balanced with the achievement of business objectives.

Regardless of the user’s role, one of the fundamental principles in security is that maintaining the safekeeping of information is everyone’s responsibility.

The following key concepts are related to security roles and responsibilities:

  • The definition of roles is needed to maintain clear responsibility and accountability.

  • Protecting the security of information and assets is everyone’s responsibility.

The following roles are commonly used within an organization, although they might be called something different, depending on the organization. Additionally, depending on the size of the organization, an individual might be assigned more than one role.

  • Executives and senior management: They have the ultimate responsibility over the security of data and assets. They should be involved in and approve access control policies.

  • Data owner: The data owner, also called the information owner, is usually part of the management team and maintains ownership of and responsibility for a specific piece or subset of data. Part of the responsibility of this role is to determine the appropriate classification of the information, ensure that the information is protected with controls, periodically review classification and access rights, and understand the risk associated with the information.

  • Data custodian/steward: The data custodian/steward is the individual who performs day-to-day tasks on behalf of the data owner. This person’s main responsibility is to ensure that the information is available to the end user and that security policies, standards, and guidelines are followed.

  • Data controller: The data controller is the person or organization that determines the purposes for which personal data is processed and the means by which it is processed. Under GDPR the controller carries the greatest responsibility for data privacy protection. Its main responsibility is to control how the data is used by defining the procedures that the data processes must follow.

  • Data processor: The data processor is the person or organization that processes personal data on behalf of the data controller. The data processor must follow the instructions and procedures put in place by the data controller on how the data is to be used and may not use the data for its own purposes.

  • System owner: The system owner is responsible for the security of the systems that handle and process information owned by different data owners. This person’s responsibility is to ensure that the data is secure while it is being processed by the system he or she owns. The system owner works closely with the data owner to determine the appropriate controls to apply to data.

  • Security administrator: The security administrator manages the process for granting access rights to information. This includes assigning privileges, granting access, and monitoring and maintaining records of access.

  • End user: This role is for the final users of the information. They contribute to the security of the information by adhering to the organization’s security policy.

Besides these roles, several others can be seen in larger organizations, including the following:

  • Security officer: This person is in charge of the design, implementation, management, and review of security policies and organizing and coordinating information security activities.

  • Data protection officer (DPO): The data protection officer is an organizational leadership role that is responsible for the overall protection of personal data and for adherence to data protection processes within the organization. The General Data Protection Regulation (GDPR) in the European Union (EU) requires this role in certain cases, for example for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.

  • Information systems security professional: This person is responsible for drafting policies, creating standards and guidelines related to information security, and providing guidance on new and existing threats.

  • Auditor: This person is responsible for determining whether owners, custodians, and systems are compliant with the organization’s security policies and providing independent assurance to senior management.

Information Lifecycle

The information lifecycle, as it is commonly described in the context of the GDPR, has four phases:

  1. Collection of data

  2. Storage of data

  3. How data is used

  4. Disposal of data

Although the steps of the information lifecycle are sometimes named differently based on the source, the phases themselves are still the same.

The collection of data is the phase in which data is obtained from the data subject (the individual the data is about) by the organization that will process it. GDPR requires a lawful basis for collection, for example the defined, informed consent of the data subject, together with a clear definition of how the data will be used. The overall intent is to follow the principle of collecting only data that is necessary and not overcollecting.

After the data is collected, of course, it must go somewhere. It must be stored or maintained in some way. This is the next phase of the information lifecycle: storing and securing the collected data. Defining where the data is stored, who can reach it, and how long it should be kept are important aspects of this phase. GDPR makes the organization that collected the data accountable for its security for as long as the data is held.

Of course, if data is being collected and stored, it should be for a specific purpose. That is the next phase of the information lifecycle: how the data that was collected is actually used. Part of this phase is defining who has access to the data and what they can use it for.

The final phase of the information lifecycle is the disposal of the data. If you do not specifically define how and when the data is to be disposed of, it might linger out there forever, which increases the likelihood of the data being compromised at some point. This is a concept discussed in more detail in Chapter 15, “Understanding the Importance of Physical Security Controls.”

Impact Assessment

Before data is collected, stored, secured, and disposed of throughout the information lifecycle, it is important to understand how that data, if compromised, could affect the privacy of the individuals it describes. To accomplish this, an organization should complete an impact assessment for any new project in which data will be collected, and again whenever the scope of the data use changes. These assessments are also called Privacy Impact Assessments (PIA) or, in GDPR terminology, Data Protection Impact Assessments (DPIA). The result of an impact assessment should be a report that identifies the specific high risks to the data subjects and recommends how those risks can be minimized.

Terms of Agreement

Another privacy concept that the GDPR has formalized is the terms of agreement, usually called the data processing agreement. The overall purpose of the data processing agreement is to protect the personal information and the individuals the data is about. The agreement is a legal contract between the data controller and every entity that acts as a data processor on its behalf in the information lifecycle. It sets out what the processor may do with the data, the security measures it must apply, and its obligations toward the controller, such as assisting with breach notification and deleting or returning the data when processing ends.

Privacy Notice

Along with the agreement governing how data will be collected, used, and processed, the organization must also notify the individuals it collects data from or about. This too is a requirement of the General Data Protection Regulation: individuals must be told how their data is being used, and this is done through a privacy notice. The notice is a document provided by the collecting organization that states what data it collects, for what purpose, how long it keeps the data, with whom it shares the data, and how the organization conforms to data privacy principles.

Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.

Review Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 35-3 lists a reference of these key topics and the page number on which each is found.

Table 35-3 Key Topics for Chapter 35

Key Topic Element   Description                                                Page Number
Section             Organizational Consequences of Privacy and Data Breaches   940
Section             Data Types and Asset Classification                        941
Table 35-2          Classification Schema                                      942
Section             Personally Identifiable Information                        943
Section             Protected Health Information                               944
Section             Privacy Enhancing Technologies                             944
Paragraph           Roles and responsibilities                                 946
Section             Information Lifecycle                                      947

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

intellectual property (IP) theft

reputation damage

identity theft

fines

public notifications and disclosures

escalation

confidential

proprietary

sensitive

public

critical

personally identifiable information (PII)

protected health information (PHI)

financial information

government data

customer data

health information

data minimization

data masking

tokenization

anonymization

pseudo-anonymization

data owner

data custodian/steward

data controller

data processor

data protection officer (DPO)

information lifecycle

impact assessment

terms of agreement

privacy notice

Review Questions

Answer the following review questions. Check your answers with the answer key in Appendix A.

1. Unauthorized access to ______ information could cause severe damage to the organization.

2. A compromise of __________ data could cause grave damage to national security.

3. Telephone and fax numbers are a form of which type of information?

4. Medical records are a form of which type of information?

5. The term ___________ is used to explain reducing the amount of data as a privacy tool.

6. What form of data obfuscation is performed by replacing data in a reversable manner?

7. What is the role of the individual who has the greatest responsibility in data privacy?

8. What leadership role in an organization is responsible for the overall protection and adherence to the data protection process?
