Chapter 19. The Importance of Data Privacy and Protection

This chapter covers the following topics related to Objective 5.1 (Understand the importance of data privacy and protection) of the CompTIA Cybersecurity Analyst (CySA+) CS0-002 certification exam:

Privacy vs. security: Compares these two concepts as they relate to data privacy and protection

Non-technical controls: Describes classification, ownership, retention, data types, retention standards, confidentiality, legal requirements, data sovereignty, data minimization, purpose limitation, and non-disclosure agreement (NDA)

Technical controls: Covers encryption, data loss prevention (DLP), data masking, deidentification, tokenization, digital rights management (DRM), geographic access requirements, and access controls

Addressing data privacy and protection issues has become one of the biggest challenges facing organizations that handle the information of employees, customers, and vendors. This chapter explores those data privacy and protection issues and describes the various controls that can be applied to mitigate them. New data privacy laws that require new controls to protect data, such as the EU GDPR, are being enacted regularly.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read the entire chapter. If you miss no more than one of these nine self-assessment questions, you might want to skip ahead to the “Exam Preparation Tasks.” Table 19-1 lists the major headings in this chapter and the “Do I Know This Already?” quiz questions covering the material in those headings so that you can assess your knowledge of these specific areas. The answers to the “Do I Know This Already?” quiz appear in Appendix A.

Table 19-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping


1. Which of the following relates to rights to control the sharing and use of one’s personal information?

a. Security

b. Privacy

c. Integrity

d. Confidentiality

2. Which of the following is a risk assessment that determines risks associated with PII collection?

a. MTA

b. PIA

c. RSA

d. SLA

3. Third-party personnel should be familiarized with organizational policies related to data privacy and should sign which of the following?

a. NDA

b. MOU

c. ICA

d. SLA

4. Which of the following is a measure of how freely data can be handled?

a. Sensitivity

b. Privacy

c. Secrecy

d. Criticality

5. Which of the following affects any organizations that handle cardholder information for the major credit card companies?

a. GLBA

b. PCI DSS

c. SOX

d. HIPAA

6. Which of the following affects all healthcare facilities, health insurance companies, and healthcare clearinghouses?

a. GLBA

b. PCI DSS

c. SOX

d. HIPAA

7. Which control provides data confidentiality?

a. Encryption

b. Hashing

c. Redundancy

d. Digital signatures

8. Which control provides data integrity?

a. Encryption

b. Hashing

c. Redundancy

d. Digital signatures

9. Which of the following means altering data from its original state to protect it?

a. Deidentification

b. Data masking

c. DLP

d. Digital signatures

Foundation Topics

Privacy vs. Security

Privacy relates to rights to control the sharing and use of one’s personal information, commonly called personally identifiable information (PII), as described in Chapter 15, “The Incident Response Process.” Privacy of data relies heavily on the security controls that are in place. While organizations can provide security without ensuring data privacy, data privacy cannot exist without the appropriate security controls. A privacy impact assessment (PIA) is a risk assessment that determines risks associated with PII collection, use, storage, and transmission. A PIA should determine whether appropriate PII controls and safeguards are implemented to prevent PII disclosure or compromise. The PIA should evaluate personnel, processes, technologies, and devices. Any significant change should result in another PIA review.

As part of prevention of privacy policy violations, any contracted third parties that have access to PII should be assessed to ensure that the appropriate controls are in place. In addition, third-party personnel should be familiarized with organizational policies and should sign non-disclosure agreements (NDAs).

Non-technical Controls

Non-technical controls are implemented without technology and consist of the organization’s policies and procedures for maintaining data privacy and protection. This section describes some of these non-technical controls, which are also sometimes called administrative controls. Non-technical controls are covered in detail in Chapter 3, “Vulnerability Management Activities.”

Classification

Data classification helps to ensure that appropriate security measures are taken with regard to sensitive data types and is covered in Chapter 13, “The Importance of Proactive Threat Hunting.”

Ownership

In Chapter 21, “The Importance of Frameworks, Policies, Procedures, and Controls,” you will learn more about policies that act as non-technical controls. One of those policies is the data ownership policy, which is closely related to the data classification policy (covered in Chapter 13). Often, the two policies are combined because, typically, the data owner is tasked with classifying the data. Therefore, the data ownership policy covers how the owner of each piece of data or each data set is identified. In most cases, the creator of the data is the owner, but some organizations may deem all data created by a department to be owned by the department head. Another way a user may become the owner of data is by introducing into the organization data the user did not create. Perhaps the data was purchased from a third party. In any case, the data ownership policy should outline both how data ownership occurs and the responsibilities of the owner with respect to determining the data classification and identifying those with access to the data.

Retention

Another policy that acts as a non-technical control is the data retention policy, which outlines how various data types must be retained and may rely on the data classifications described in the data classification policy. Data retention requirements vary based on several factors, including data type, data age, and legal and regulatory requirements. Security professionals must understand where data is stored and the type of data stored. In addition, security professionals should provide guidance on managing and archiving data securely. Therefore, each data retention policy must be established with the help of organizational personnel.

A data retention policy usually identifies the purpose of the policy, the portion of the organization affected by the policy, any exclusions to the policy, the personnel responsible for overseeing the policy, the personnel responsible for data destruction, the data types covered by the policy, and the retention schedule. Security professionals should work with data owners to develop the appropriate data retention policy for each type of data the organization owns. Examples of data types include, but are not limited to, human resources data, accounts payable/receivable data, sales data, customer data, and e-mail. Designing a data retention policy is covered more fully in the upcoming section “Retention Standards.”

Data Types

Categorizing data types is a non-technical control for ensuring data privacy and protection. To properly categorize data types, a security analyst should be familiar with some of the most sensitive types of data that the organization may possess, as described in the sections that follow.

Personally Identifiable Information (PII)

When considering technology and its use today, privacy is a major concern of users. This privacy concern usually involves three areas: which personal information can be shared with whom, whether messages can be exchanged confidentially, and whether and how one can send messages anonymously. Privacy is an integral part of any security measures that an organization takes. As part of the security measures that organizations must take to protect privacy, PII must be understood, identified, and protected. Refer to Chapter 15 for more details about protecting PII.

Personal Health Information (PHI)

PHI is a particular type of PII that an organization may possess, particularly healthcare organizations. Chapter 15 also provides more details about protecting PHI.

Payment Card Information

Another type of PII that almost all companies possess is credit card data. Holders of this data must protect it. Many of the highest-profile security breaches that have occurred have involved the theft of this data. The Payment Card Industry Data Security Standard (PCI DSS) applies to this type of data. The handling of payment card information is covered in Chapter 5, “Threats and Vulnerabilities Associated with Specialized Technology.”

Retention Standards

Retention standards are another non-technical control for ensuring data privacy and protection. To design a data retention policy, an organization should answer the following questions:

• What are the legal/regulatory requirements and business needs for the data?

• What are the types of data?

• What are the retention periods and destruction needs of the data?

The personnel who are most familiar with each data type should work with security professionals to determine the data retention policy. For example, human resources personnel should help design the data retention policy for all human resources data. While designing a data retention policy, the organization must consider the media and hardware that will be used to retain the data. Then, with this information in hand, the data retention policy should be drafted and formally adopted by the organization and/or business unit.

Once a data retention policy has been created, personnel must be trained to comply with it. Auditing and monitoring should be configured to ensure data retention policy compliance. Periodically, data owners and processors should review the data retention policy to determine whether any changes need to be made. All data retention policies, implementation plans, training, and auditing should be fully documented.

Remember that for most organizations, a one-size-fits-all solution is impossible because of the different types of data. Only those most familiar with each data type can determine the best retention policy for that data. While a security professional should be involved in the design of the data retention policies, the security professional is there to ensure that data security is always considered and that data retention policies satisfy organizational needs. The security professional should only act in an advisory role and should provide expertise when needed.

Confidentiality

The three fundamentals of security are confidentiality, integrity, and availability (CIA). Most security issues result in a violation of at least one facet of the CIA triad. Understanding these three security principles will help security professionals ensure that the security controls and mechanisms implemented protect at least one of these principles.

To ensure confidentiality, you must prevent the disclosure of data or information to unauthorized entities. As part of confidentiality, the sensitivity level of data must be determined before any access controls are put in place. Data with a higher sensitivity level will have more access controls in place than data with a lower sensitivity level. The opposite of confidentiality is disclosure. Most security professionals consider confidentiality as it relates to data on a network or devices. However, data can also exist in printed format. Appropriate controls should be put into place to protect data on a network, but data in its printed format needs to be protected, too, which involves implementing data disposal policies. Examples of controls that improve confidentiality include encryption, steganography, access control lists (ACLs), and data classification.

Legal Requirements

Legal requirements are a form of non-technical controls that can mandate technical controls. In some cases, the design of controls will be driven by legal requirements that apply to the organization based on the industry or sector in which it operates. In Chapter 15 you learned the importance of recognizing legal responsibilities during an incident response. Let’s examine some of the laws and regulations that may come into play.

The United States and European Union (EU) both have established laws and regulations that affect organizations that operate within their area of governance. While security professionals should strive to understand laws and regulations, security professionals may not have the level of knowledge and background to fully interpret these laws and regulations to protect their organization. In these cases, security professionals should work with legal representation regarding legislative or regulatory compliance.

Security analysts must be aware of the laws and, at a minimum, understand how the laws affect the operations of their organization. For example, a security professional working for a healthcare facility would need to understand all security guidelines in HIPAA and PPACA, described next. The following are the most significant laws that may affect an organization and its security policy:


Sarbanes-Oxley Act (SOX): Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, affects any organization that is publicly traded in the United States. It controls the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.

Health Insurance Portability and Accountability Act (HIPAA): Also known as the Kennedy-Kassebaum Act, affects all healthcare facilities, health insurance companies, and healthcare clearinghouses. It is enforced by the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). It provides standards and procedures for storing, using, and transmitting medical information and healthcare data. HIPAA overrides state laws unless the state laws are stricter. It amends the Patient Protection and Affordable Care Act (PPACA), commonly known as Obamacare.

Gramm-Leach-Bliley Act (GLBA) of 1999: Affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers. It provides guidelines for securing all financial information and prohibits sharing financial information with third parties. This act directly affects the security of PII.

Computer Fraud and Abuse Act (CFAA) of 1986: Affects any entities that engage in hacking of “protected computers,” as defined in the act. It was amended in 1989, 1994, and 1996; in 2001 by the USA PATRIOT Act (listed below); in 2002; and in 2008 by the Identity Theft Enforcement and Restitution Act. A “protected computer” is a computer used exclusively by a financial institution or the U.S. government or used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. Due to the interstate nature of most Internet communication, any ordinary computer has come under the jurisdiction of the law, including cell phones. The law includes several definitions of hacking, including knowingly accessing a computer without authorization; intentionally accessing a computer to obtain financial records, U.S. government information, or protected computer information; and transmitting fraudulent commerce communication with the intent to extort.

Federal Privacy Act of 1974: Affects any computer that contains records used by a federal agency. It provides guidelines on the collection, maintenance, use, and dissemination of PII about individuals that is maintained in systems of records by federal agencies.

Federal Intelligence Surveillance Act (FISA) of 1978: Affects law enforcement and intelligence agencies. It was the first act to give procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between “foreign powers” and “agents of foreign powers” and applied only to traffic within the United States. It was amended by the USA PATRIOT Act of 2001 and the FISA Amendments Act of 2008.

Electronic Communications Privacy Act (ECPA) of 1986: Affects law enforcement and intelligence agencies. It extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications. It was amended by the Communications Assistance to Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act of 2001, and the FISA Amendments Act of 2008.

Computer Security Act of 1987: Superseded in 2002 by FISMA (listed below), the first law to require a formal computer security plan. It was written to protect and defend the sensitive information in the federal government systems and provide security for that information. It also placed requirements on government agencies to train employees and identify sensitive systems.

United States Federal Sentencing Guidelines of 1991: Affects individuals and organizations convicted of felonies and serious (Class A) misdemeanors. It provides guidelines to prevent sentencing disparities that existed across the United States.

Communications Assistance for Law Enforcement Act (CALEA) of 1994: Affects law enforcement and intelligence agencies. It requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities. This allows federal agencies to monitor all telephone, broadband Internet, and voice over IP (VoIP) traffic in real time.

Personal Information Protection and Electronic Documents Act (PIPEDA): Affects how private-sector organizations collect, use, and disclose personal information in the course of commercial business in Canada. The act was written to address EU concerns about the security of PII in Canada. The law requires organizations to obtain consent when they collect, use, or disclose personal information and to have personal information policies that are clear, understandable, and readily available.

Basel II: Affects financial institutions. It addresses minimum capital requirements, supervisory review, and market discipline. Its main purpose is to protect against risks that banks and other financial institutions face.

Federal Information Security Management Act (FISMA) of 2002: Affects every federal agency. It requires federal agencies to develop, document, and implement an agencywide information security program.

Economic Espionage Act of 1996: Affects companies that have trade secrets and any individuals who plan to use encryption technology for criminal activities. This act covers a multitude of issues because of the way it was structured. A trade secret does not need to be tangible to be protected by this act. Per this law, theft of a trade secret is now a federal crime, and the United States Sentencing Commission must provide specific information in its reports regarding encryption or scrambling technology that is used illegally.

USA PATRIOT Act of 2001: Formally known as Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, it affects law enforcement and intelligence agencies in the United States. Its purpose is to enhance the investigatory tools that law enforcement can use, including e-mail communications, telephone records, Internet communications, medical records, and financial records. When this law was enacted, it amended several other laws, including FISA and the ECPA of 1986. The USA PATRIOT Act does not restrict private citizens’ use of investigatory tools, although there are some exceptions—for example, if the private citizen is acting as a government agent (even if not formally employed), if the private citizen conducts a search that would require law enforcement to have a warrant, if the government is aware of the private citizen’s search, or if the private citizen is performing a search to help the government.

Health Care and Education Reconciliation Act of 2010: Affects healthcare and educational organizations. This act increased some of the security measures that must be taken to protect healthcare information.

Employee Privacy Issues and Expectation of Privacy: Employee privacy issues must be addressed by all organizations to ensure that the organizations are protected from costly legal penalties that result from data breaches. However, organizations must give employees the proper notice of any monitoring that might be used. Organizations must also ensure that the monitoring of employees is applied in a consistent manner. Many organizations implement a no-expectation-of-privacy policy that the employee must sign after receiving the appropriate training. This policy should specifically describe any unacceptable behavior. Companies should also keep in mind that some actions are protected by the Fourth Amendment. Security professionals and senior management should consult with legal counsel when designing and implementing any monitoring solution.

European Union: The EU has implemented several laws and regulations that affect security and privacy. The EU Principles on Privacy include strict laws to protect private data. The EU’s Data Protection Directive provides direction on how to follow the laws set forth in the principles. The EU created the Safe Harbor Privacy Principles to help guide U.S. organizations in compliance with the EU Principles on Privacy. The following are some of the guidelines as updated by the General Data Protection Regulation (GDPR). Personal data may not be processed unless there is at least one legal basis to do so. Article 6 states that the lawful purposes are as follows:

• If the data subject has given consent to the processing of his or her personal data

• To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract

• To comply with a data controller's legal obligations

• To protect the vital interests of a data subject or another individual

• To perform a task in the public interest or in official authority

• For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children)


Note

Do not confuse the terms safe harbor and data haven. According to the EU, a safe harbor is an entity that conforms to all the requirements of the EU Principles on Privacy. A data haven is a country that fails to legally protect personal data, with the main aim being to attract companies engaged in the collection of the data.


The EU Electronic Security Directive defines electronic signature principles. In this directive, a signature must be uniquely linked to the signer and to the data to which it relates so that any subsequent data change is detectable. The signature must be capable of identifying the signer.


Data Sovereignty

Data sovereignty is the concept that data stored in digital format is subject to the laws of the country in which the data is located. Affecting this concept are the differing privacy laws and regulations issued by nations and governing bodies. This concept is further complicated by the deployment of cloud solutions.

Many countries have adopted legislation that requires customer data to be kept within the country in which the customer resides. But organizations are finding it increasingly difficult to ensure that this is the case when working with service providers and other third parties. Organizations should consult the service-level agreements (SLAs) with these providers to verify compliance.

Keep in mind, however, that the laws of multiple countries may affect the data. For instance, suppose an organization in the United States is using a data center in the United States but the data center is operated by a company from France. The data would then be subject to both U.S. and EU laws and regulations.

Another factor would be the type of data being stored, as different types of data are regulated differently. Healthcare data and consumer data have vastly separate laws that regulate the transportation and storage of data.

Security professionals should answer the following questions:

• Where is the data stored?

• Who has access to the data?

• Where is the data backed up?

• How is the data encrypted?

The answers to these four questions will help security professionals design a governance strategy for their organization that will aid in addressing any data sovereignty concerns. Remember that the responsibility to meet data regulations falls on both the organization that owns the data and the vendor providing the data storage service, if any.

Data Minimization

Organizations should minimize the amount of personal data they store to what is necessary. An important principle in the European Union’s General Data Protection Regulation (GDPR) is data minimization. Data processing should only use as much data as is required to successfully accomplish a given task. By reducing the amount of personal data, the attack surface is also reduced.

Purpose Limitation

Another key principle in the European Union’s GDPR that is finding wide adoption is that of purpose limitation. Personal data collected for one purpose cannot be repurposed without further consent from the individual. For example, data collected to track a disease outbreak cannot be used to identify individuals.

Non-disclosure agreement (NDA)

In Chapter 15 you learned about various types of intellectual property, such as patents, copyrights, and trade secrets. Most organizations that have trade secrets attempt to protect them by using NDAs. An NDA must be signed by any entity that has access to information that is part of a trade secret. Anyone who signs an NDA will suffer legal consequences if the organization is able to prove that the signer violated it.

Technical Controls

Technical controls are implemented with technology and include items such as firewalls, access control lists (ACLs), permissions on files and folders, and devices that identify and prevent threats. Once it understands the threats, an organization needs to establish likelihoods and impacts, and it needs to select controls that, while addressing a threat, do not cost more than the cost of the realized threat. The review of these controls should be an ongoing process.

Encryption

In Chapter 8, “Security Solutions for Infrastructure Management,” you learned about encryption and cryptography. These technologies comprise a technical control that can be used to provide the confidentiality objective of the CIA triad. Information assets can be protected from being accessed by unauthorized parties by encrypting data at rest (while stored) and data in transit (when crossing a network). As you also learned, cryptography in the form of hashing algorithms can also provide a way to assess data integrity.

Data Loss Prevention (DLP)

Chapter 12, “Implementing Configuration Changes to Existing Controls to Improve Security,” described data loss prevention (DLP) systems. As you learned, DLP systems are used to prevent data exfiltration, which is the intentional or unintentional loss of sensitive data from the network. DLP comprises a strong technical control that protects both integrity and confidentiality.

Data Masking

Data masking means altering data from its original state to protect it. You already learned about two forms of masking, encryption (storing the data in an encrypted form) and hashing (storing a hash value, generated from the data by a hashing algorithm, rather than the data itself). Many passwords are stored as hash values.

The following are some other methods of data masking:


• Using substitution tables and aliases for the data

• Redacting or replacing the sensitive data with a random value

• Averaging or aggregating: replacing individual values with their average (adding them and then dividing by the number of individual values) or with an aggregate (totaling them and using only the total value)

Deidentification

Data deidentification or data anonymization is the process of deleting or masking personal identifiers, such as personal names, from a set of data. Deidentification is often done when the data is being used in the aggregate, such as when medical data is used for research. It is a technical control that is used as one of the main approaches to ensuring data privacy protection.
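The masking methods listed above (substitution tables and aliases, redaction, random replacement, averaging and aggregation) and the deidentification of a record set, as an added Python example that is not part of the book’s text. The patient records, clinic aliases, field names and function names are all constructed for illustration.

```python
"""Data masking and deidentification of a small record set."""
import random
from statistics import mean

# Constructed sample records: every name, SSN and amount is made up.
PATIENTS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "clinic": "Oncology", "age": 54, "charge": 1200.0},
    {"name": "Bob Sample", "ssn": "987-65-4321", "clinic": "Cardiology", "age": 61, "charge": 800.0},
    {"name": "Carol Test", "ssn": "555-12-3456", "clinic": "Oncology", "age": 47, "charge": 1600.0},
]

# Substitution table: a clinic name can reveal a diagnosis, so it is
# replaced with an opaque alias in any copy that leaves the data owner.
CLINIC_ALIASES = {"Oncology": "Dept-A", "Cardiology": "Dept-B"}

# Fields that identify a person directly; dropped on deidentification.
DIRECT_IDENTIFIERS = ("name", "ssn")


def substitute(value: str, table: dict) -> str:
    """Masking by substitution table/alias. Values missing from the table get
    a fixed alias rather than passing through unchanged."""
    return table.get(value, "Dept-X")


def redact(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Masking by redaction: hide every alphanumeric character except the
    last `keep_last`; separators stay so the field still looks like an SSN."""
    alnum_count = sum(1 for ch in value if ch.isalnum())
    cutoff = alnum_count - keep_last
    out, seen = [], 0
    for ch in value:
        if ch.isalnum():
            out.append(ch if seen >= cutoff else mask_char)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def replace_random(value: str, seed=None) -> str:
    """Masking by random replacement: same shape (digits stay digits, letters
    stay letters, separators stay) but random content. `seed` exists only to
    make tests reproducible; leave it None in real use."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(str(rng.randrange(10)))
        elif ch.isalpha():
            out.append(rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ"))
        else:
            out.append(ch)
    return "".join(out)


def average_charges(records) -> float:
    """Masking by averaging: a single mean replaces the individual charges."""
    return mean(r["charge"] for r in records)


def aggregate_by_clinic(records) -> dict:
    """Masking by aggregation: per-clinic totals, no per-person amounts."""
    totals = {}
    for r in records:
        totals[r["clinic"]] = totals.get(r["clinic"], 0.0) + r["charge"]
    return totals


def deidentify(records, identifiers=DIRECT_IDENTIFIERS, table=CLINIC_ALIASES):
    """Deidentify for research use: drop direct identifiers, alias the clinic,
    and assign a sequential subject id with no link back to the name.
    The fields that remain (age, charge) are what aggregate analysis needs."""
    out = []
    for n, rec in enumerate(records, start=1):
        masked = {k: v for k, v in rec.items() if k not in identifiers}
        masked["clinic"] = substitute(masked["clinic"], table)
        masked["subject_id"] = f"S{n:04d}"
        out.append(masked)
    return out


if __name__ == "__main__":
    print(redact(PATIENTS[0]["ssn"]))        # XXX-XX-6789
    print(replace_random(PATIENTS[0]["ssn"]))
    print(average_charges(PATIENTS))          # 1200.0
    print(aggregate_by_clinic(PATIENTS))
    for row in deidentify(PATIENTS):
        print(row)
```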

Tokenization

Tokenization is another form of data hiding or masking in that it replaces a value with a token that is used instead of the actual value. For example, tokenization is a new emerging standard for mobile transactions; numeric tokens are used to protect cardholders’ sensitive credit and debit card information. This is a great security feature that substitutes the primary account number with a numeric token that can be processed by all participants in the payment ecosystem. Figure 19-1 shows the use of tokens in a credit card transaction using a smartphone.


Figure 19-1 Tokenization
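An added Python example, not from the book or from any payment network, of the token vault behind the exchange in Figure 19-1: the smartphone and merchant only ever hold a numeric token with the same length and last four digits as the card number, and only the token service can map it back to the primary account number (PAN). The PAN 4111111111111111 is a well-known test number, not a real card, and the class and function names are assumptions.

```python
"""Token vault for payment card numbers (PANs), as behind Figure 19-1."""
import random
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The token service provider's mapping between PANs and tokens.

    Only this component ever sees the PAN; the smartphone, merchant and
    acquirer handle the token. The vault is therefore the sensitive store
    and stays inside PCI DSS scope, while the token holders are outside it.
    `seed` is for reproducible tests only and must be None in real use.
    """

    def __init__(self, seed=None):
        self._rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        """Return the numeric token for a PAN, creating one on first use.

        The token keeps the PAN's length and last four digits so receipts and
        existing fields still work, but its leading digits are random and it
        is made to fail the Luhn check, so it can never be mistaken for (or
        used as) a real card number.
        """
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(self._rng.randrange(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to its PAN. Raises KeyError for unknown tokens."""
        return self._token_to_pan[token]


def merchant_receipt_line(token: str) -> str:
    """What the merchant prints; it only ever holds the token anyway."""
    return "*" * (len(token) - 4) + token[-4:]


def process_payment(vault: TokenVault, token: str, amount: float) -> dict:
    """Simulated flow: the merchant submits the token, the token service
    resolves it, and only the issuer sees the real PAN."""
    try:
        pan = vault.detokenize(token)
    except KeyError:
        return {"approved": False, "reason": "unknown token"}
    return {"approved": True, "amount": amount, "merchant_saw": token, "issuer_saw": pan}


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")   # well-known test PAN, not a real card
    print(tok, merchant_receipt_line(tok))
    print(process_payment(vault, tok, 19.99))
```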

Digital Rights Management (DRM)

Hardware manufacturers, publishers, copyright holders, and individuals use digital rights management (DRM) to control the use of digital content. DRM often also involves device controls. First-generation DRM software controls copying. Second-generation DRM software controls executing, viewing, copying, printing, and altering works or devices.

The U.S. Digital Millennium Copyright Act (DMCA) of 1998 imposes criminal penalties on those who make available technologies whose primary purpose is to circumvent content protection technologies. DRM includes restrictive license agreements and encryption. DRM protects computer games and other software, documents, e-books, films, music, and television.

In most enterprise implementations, the primary concern is the DRM control of documents by using open, edit, print, or copy access restrictions that are granted on a permanent or temporary basis. Solutions can be deployed that store the protected data in a central or decentralized model. Encryption is used in the DRM implementation to protect the data both at rest and in transit.

Today’s DRM implementations include the following:


Directories:

• Lightweight Directory Access Protocol (LDAP)

• Active Directory (AD)

• Custom

Permissions:

• Open

• Print

• Modify

• Clipboard

Additional controls:

• Expiration (absolute, relative, immediate revocation)

• Version control

• Change policy on existing documents

• Watermarking

• Online/offline

• Auditing

Ad hoc and structured processes:

• User initiated on desktop

• Mapped to system

• Built into workflow process

Document DRM

Organizations implement DRM to protect confidential or sensitive documents and data. Commercial DRM products allow organizations to protect documents and include the capability to restrict and audit access to documents. Some of the permissions that can be restricted using DRM products include reading and modifying a file, removing and adding watermarks, downloading and saving a file, printing a file, or even taking screenshots. If a DRM product is implemented, the organization should ensure that the administrator is properly trained and that policies are in place to ensure that rights are appropriately granted and revoked.

Music DRM

DRM has been used in the music industry for some time now. Subscription-based music services, such as Napster, have used DRM to revoke a user’s access to downloaded music once the subscription expires. Technology companies petitioned the music industry for years to allow music to be sold without DRM; the major labels eventually agreed for purchased downloads, but subscription and streaming services still rely on DRM to enforce expiration of offline copies.

Movie DRM

While the movie industry has used a variety of DRM schemes over the years, two main technologies are used for the mass distribution of optical media:


Content Scrambling System (CSS): Uses encryption (a proprietary 40-bit stream cipher) to enforce playback and region restrictions on DVDs. The cipher was broken in 1999, and the DeCSS program, originally written so that DVDs could be played on Linux, strips the protection from a disc.

Advanced Access Content System (AACS): Protects Blu-ray and HD DVD content. Attackers have extracted device and processing keys from software players; AACS can revoke compromised keys on newly pressed discs, but titles already released with those keys remain decryptable.

This industry continues to make advances to prevent hackers from creating unencrypted copies of copyrighted material.

Video Game DRM

Most video game DRM implementations rely on a platform, such as a proprietary console, that uses an Internet connection to verify video game licenses. Most consoles today verify the license upon installation and allow unrestricted use from that point. However, to obtain updates, the license is verified again before the update is downloaded and installed.

E-Book DRM

E-book DRM is considered to be the most successful DRM deployment. Both Amazon’s Kindle and Barnes & Noble’s Nook devices implement DRM to protect electronic forms of books. Both of these companies have released mobile apps that function like the physical e-book devices.

Today’s implementation relies on a decryption key that is bound to the device, so an e-book file copied to another device or application cannot be opened there. Adobe created the Adobe Digital Experience Protection Technology (ADEPT), which is used by most e-book readers except Amazon’s Kindle. With ADEPT, AES encrypts the media content, and RSA encrypts the AES key so that only the authorized device can recover it.
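The AES-plus-RSA construction is a standard hybrid (envelope) encryption pattern: the bulk content is encrypted once under a random symmetric key, and that key is wrapped separately for each device’s public key. The Go program below is an added example that demonstrates the pattern; it is not Adobe’s code and does not reproduce the ADEPT file format, key sizes or modes. The ProtectedBook structure, the use of AES-256-GCM and RSA-OAEP with SHA-256, the OAEP label, and the sample text are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel binds the wrapped key to its purpose; both sides must use it.
var oaepLabel = []byte("content-key")

// ProtectedBook is the packaged form: ciphertext plus the content key wrapped
// for one device. Field names are assumptions for this example.
type ProtectedBook struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, includes the authentication tag
	WrappedKey []byte // content key encrypted to the device's RSA public key
}

// NewDeviceKey stands in for the key pair a reader app generates when it is
// authorized; the private half never leaves the device.
func NewDeviceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Package encrypts content with a fresh random AES-256 key and wraps that key
// for the given device public key using RSA-OAEP.
func Package(content []byte, device *rsa.PublicKey) (*ProtectedBook, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, content, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, device, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &ProtectedBook{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Open is what the reader does: unwrap the content key with its private key,
// then decrypt. A device holding a different private key fails at the unwrap
// step, and a modified ciphertext fails GCM authentication.
func Open(pb *ProtectedBook, device *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, device, pb.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("content key is not wrapped for this device")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pb.Nonce, pb.Ciphertext, nil)
}

func main() {
	deviceA, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	deviceB, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample text standing in for an e-book.
	book := []byte("Chapter 1. Constructed sample text standing in for an e-book.")
	pb, err := Package(book, &deviceA.PublicKey)
	if err != nil {
		panic(err)
	}
	if _, err := Open(pb, deviceB); err != nil {
		fmt.Println("device B:", err)
	}
	pt, err := Open(pb, deviceA)
	if err != nil {
		panic(err)
	}
	fmt.Printf("device A: %s\n", pt)
}
```

Note what the scheme does and does not protect: copying the file to a second device fails because the wrapped key is useless without the first device’s private key, but a device that is authorized to decrypt can always produce plaintext, which is why attacks on this kind of DRM target key extraction from the reader rather than the ciphers themselves.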

Watermarking

Digital watermarking is another method used to deter unauthorized use of a document. Digital watermarking involves embedding a logo, trademark, or other identifying mark in documents, pictures, or other objects. The watermark deters people from using the materials in an unauthorized manner, and when it identifies the recipient it also lets a leaked copy be traced back to the account that received it.

Geographic Access Requirements

At one time, cybersecurity professionals knew that all the network users were safely in the office and behind a secure perimeter created and defended with every tool possible. That is no longer the case. Users now access your network from home, wireless hotspots, hotel rooms, and all sorts of other locations that are less than secure.

When you design authentication, you can consider the physical location of the source of an access request. A scenario for this might be that Alice is allowed to access the Sales folder at any time from the office but only from 9 a.m. to 5 p.m. from her home and never from elsewhere.

Authentication systems can also use location to flag a pair of requests to authenticate and access a resource from the same account but from two locations too far apart to have been reached in the short time between them (often called impossible travel); one of the two requests is likely fraudulent.

Finally, these systems can sometimes make real-time assessments of threat levels in the region where a request originates. Geofencing is the application of geographic limits to where a device can be used. It depends on the use of Global Positioning System (GPS) or radio frequency identification (RFID) technology to create a virtual geographic boundary.
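The two location-based checks described above, the time-and-place rule for Alice and the impossible-travel comparison, are shown in the Go program below. It is an added example for this chapter, not code from the book or from any identity product. The office/home/other network classification, the sample coordinates, and the 900 km/h speed threshold (roughly airliner cruise speed) are assumptions; in practice the location would come from GPS, a known corporate egress address, or an IP geolocation database.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// GeoPoint is a latitude/longitude pair in decimal degrees.
type GeoPoint struct{ Lat, Lon float64 }

// AuthEvent is one authentication attempt with where and when it came from.
// Network is an assumed classification ("office", "home" or "other") that a
// real system would derive from the source address or device location.
type AuthEvent struct {
	User     string
	Location GeoPoint
	Network  string
	At       time.Time
}

// haversineKm returns the great-circle distance between two points.
func haversineKm(a, b GeoPoint) float64 {
	const earthRadiusKm = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(b.Lat - a.Lat)
	dLon := toRad(b.Lon - a.Lon)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(a.Lat))*math.Cos(toRad(b.Lat))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

// AllowSalesFolder encodes the scenario in the text: from the office at any
// time, from home only between 9 a.m. and 5 p.m. (local time of the event),
// and never from anywhere else.
func AllowSalesFolder(e AuthEvent) bool {
	switch e.Network {
	case "office":
		return true
	case "home":
		h := e.At.Hour()
		return h >= 9 && h < 17
	default:
		return false
	}
}

// ImpossibleTravel reports whether two authentications by the same user are
// farther apart than a person could plausibly travel in the time between
// them, and returns the implied speed in km/h.
func ImpossibleTravel(first, second AuthEvent, maxSpeedKmh float64) (bool, float64) {
	if first.User != second.User {
		return false, 0
	}
	dist := haversineKm(first.Location, second.Location)
	hours := math.Abs(second.At.Sub(first.At).Hours())
	if hours == 0 {
		if dist == 0 {
			return false, 0
		}
		return true, math.Inf(1) // two places at the same instant
	}
	speed := dist / hours
	return speed > maxSpeedKmh, speed
}

func main() {
	t0 := time.Date(2024, 3, 1, 10, 0, 0, 0, time.UTC)
	// Constructed sample log: a home login in New York, then a login from
	// London one hour later.
	events := []AuthEvent{
		{User: "alice", Location: GeoPoint{40.7128, -74.0060}, Network: "home", At: t0},
		{User: "alice", Location: GeoPoint{51.5074, -0.1278}, Network: "other", At: t0.Add(time.Hour)},
	}
	for _, e := range events {
		fmt.Printf("%s from %s at %s: sales folder allowed=%v\n",
			e.User, e.Network, e.At.Format(time.Kitchen), AllowSalesFolder(e))
	}
	if flag, speed := ImpossibleTravel(events[0], events[1], 900); flag {
		fmt.Printf("impossible travel: %.0f km/h implied\n", speed)
	}
}
```

The speed threshold deserves care in production: geolocation of mobile and VPN addresses is coarse, so a too-low threshold produces false positives for users whose traffic egresses in another city, while a threshold well above airliner speed simply never fires.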

Access Controls

Chapter 8 covered identity and access management systems in depth. Along with encryption, access controls are the main security controls implemented to ensure confidentiality. In Chapter 21, “The Importance of Frameworks, Policies, Procedures, and Controls,” you will learn how access controls fit into the set of controls used to maintain security.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 19-2 lists a reference of these key topics and the page numbers on which each is found.


Table 19-2 Key Topics in Chapter 19


Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

privacy

Sarbanes-Oxley Act (SOX)

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA) of 1999

Computer Fraud and Abuse Act (CFAA)

Federal Privacy Act of 1974

Foreign Intelligence Surveillance Act (FISA) of 1978

Electronic Communications Privacy Act (ECPA) of 1986

Computer Security Act of 1987

United States Federal Sentencing Guidelines of 1991

Personal Information Protection and Electronic Documents Act (PIPEDA)

Basel II

Federal Information Security Management Act (FISMA) of 2002

Economic Espionage Act of 1996

USA PATRIOT Act of 2001

Health Care and Education Reconciliation Act of 2010

employee privacy issues and expectation of privacy

data sovereignty

data masking

deidentification

tokenization

digital rights management (DRM)

U.S. Digital Millennium Copyright Act (DMCA) of 1998

Content Scrambling System (CSS)

Advanced Access Content System (AACS)

digital watermarking

geofencing

Review Questions

1. Data should be classified based on its ________ to the organization.

2. List at least two considerations when assigning a level of criticality.

3. Match the following terms with their definitions.


4. A ________________ policy outlines how various data types must be retained and may rely on the data classifications described in the data classification policy.

5. According to the GDPR, personal data may not be processed unless there is at least one legal basis to do so. List at least two of these legal bases.

6. Match the following terms with their definitions.


7. _________________ means altering data from its original state to protect it.

8. List at least one method of data masking.

9. Match the following terms with their definitions.


10. _________________ is the application of geographic limits to where a device can be used.
