Chapter 16


Lesson 16

Explaining Data Privacy and Protection Concepts


Topic 16A
Explain Privacy and Data Sensitivity Concepts

CompTIA Security+ Lesson 16 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered

• 2.1 Explain the importance of security concepts in an enterprise environment
• 5.3 Explain the importance of policies to organizational security
• 5.5 Explain privacy and sensitive data concepts in relation to security

Privacy and Sensitive Data Concepts
• Security
• Confidentiality, integrity, and availability (CIA) attributes
• Data must be kept securely within a processing and storage system that enforces
CIA attributes.
• Privacy - Privacy is a data governance requirement that arises when collecting
and processing personal data.
• Personal data about data subjects
• Compliance with regulations
• Rights of data subjects
• Information life cycle management
• Creation/collection (classification)
• Distribution/use
• Retention
• Disposal
• Creation/collection—data may be generated by an employee or automated system,
or it may be submitted by a customer or supplier. At this stage, the data needs to
be classified and tagged.
• Distribution/use—data is made available on a need-to-know basis for authorized
uses by authenticated account holders and third parties.
• Retention—data might have to be kept in an archive past the date when it is still
used, for regulatory reasons.
• Disposal—when it no longer needs to be used or retained, media storing data assets
must be sanitized to remove any remnants.
Data Roles and Responsibilities

• Oversight and management of a range of information assets within the organization
• Data owner
• Ultimate responsibility
• Data steward
• Data quality and oversight
• Data custodian
• Information systems management
• Data privacy officer (DPO)
• Oversight of personally identifiable information (PII) assets
• Organizational roles in privacy legislation
• Data controllers and data processors

• Data owner—a senior (executive) role with ultimate responsibility for maintaining the
confidentiality, integrity, and availability of the information asset. The owner is responsible
for labeling the asset and ensuring that it is protected with appropriate controls (access
control, backup, retention, and so forth). The owner also typically selects a steward and
custodian and directs their actions and sets the budget and resource allocation for
sufficient controls.
• Data steward—primarily responsible for data quality. This involves tasks such as ensuring
data is labeled and identified with appropriate metadata and that data is collected and
stored in a format and with values that comply with applicable laws and regulations.
• Data custodian—handles managing the system on which the data assets are stored. This
includes responsibility for enforcing access control, encryption, and backup/recovery
measures.
• Data Privacy Officer (DPO)—this role is responsible for oversight of any personally
identifiable information (PII) assets managed by the company. The privacy officer ensures
that the processing, disclosure, and retention of PII complies with legal and regulatory
frameworks.

• Data controller—the entity responsible for determining why and how data is stored,
collected, and used and for ensuring that these purposes and means are lawful. The data
controller has ultimate responsibility for privacy breaches, and is not permitted to
transfer that responsibility.
• Data processor—an entity engaged by the data controller to assist with technical
collection, storage, or analysis tasks. A data processor follows the instructions of a
data controller with regard to collection or processing.
Data controller and processor tend to be organizational roles rather than individual ones.

Data classification and typing schemas tag data assets so that they can be managed
through the information life cycle. A data classification schema is a decision tree for
applying one or more tags or labels to each data asset.
• Public (unclassified)
• No confidentiality, but integrity and availability are important
• Confidential (secret)
• Subject to administrative and/or technical access controls
• Critical (top-secret)
• Proprietary
• Owned information of commercial value
• Private/personal data
• Data that can identify an individual
• Sensitive
• Special categories of personal data, such as beliefs, ethnic origin, or sexual orientation
• Public (unclassified)—there are no restrictions on viewing, presents no risk
to an organization if it is disclosed but does present a risk if it is modified or
not available.
• Confidential (secret)—the information is highly sensitive, for viewing only by
approved persons within the owner organization, and possibly by trusted third
parties under NDA.
• Critical (top secret)—the information is too valuable to allow any risk of its
capture. Viewing is severely restricted.
• Proprietary—Proprietary or intellectual property (IP) is information created
and owned by the company, typically about the products or services.
• Private/personal data—Information that relates to an individual identity.
• Sensitive (personal data)—as defined by the EU's General Data Protection
Regulation (GDPR), sensitive personal data includes religious beliefs, political
opinions, trade union membership, gender, sexual orientation, racial or ethnic
origin, genetic data, and health information.

Data Types

• Personally identifiable information (PII)
• Data that can be used to identify, contact, or locate an individual
• Customer data
• Institutional information
• Personal information about the customer's employees
• Health information
• Medical and insurance records and test results
• Financial information
• Data held about bank and investment accounts, plus information such as payroll and
tax returns
• Government data
• Legislative requirements

Personally identifiable information (PII) is data that can be used to identify, contact, or
locate an individual. A Social Security Number (SSN) is a good example of PII. Others include
name, date of birth, email address, telephone number, street address, and biometric data.
Customer data can be institutional information, but also personal information about the
customer's employees, such as sales and technical support contacts.
Personal health information (PHI)—or protected health information—refers to medical
and insurance records, plus associated hospital and laboratory test results. PHI may be
associated with a specific person or used as an anonymized or deidentified data set for
analysis and research. Criminals seek to exploit the data for insurance fraud or possibly to
blackmail victims.
Financial information refers to data held about bank and investment accounts, plus
information such as payroll and tax returns. Payment card information comprises the card
number, expiry date, and the three-digit card verification value (CVV) or PIN.
Government data—government agencies have complex data collection and processing
requirements. This data may be shared with companies for analysis under strict agreements
to preserve security and privacy.

Privacy Notices and Data Retention

• Legislation and regulations
• General Data Protection Regulation (GDPR)
• Rights of data subjects
• Privacy notices
• Purpose of collecting personal information
• Consent to declared uses and storage
• Impact assessments
• Assess and mitigate risks from collecting personal data
• Data retention
• Keeping data securely to comply with policy/regulation/legislation
• Audit requirements versus privacy requirements

Privacy notices—informed consent means that the data must be collected and processed only
for the stated purpose, and that purpose must be clearly described to the user in plain
language, not legalese. This consent statement is referred to as a privacy notice. Data
collected under that consent statement cannot then be used for any other purpose.

Impact assessments—tracking consent statements and keeping data usage in compliance with
the consent granted is a significant management task. A data protection impact assessment is
a process designed to identify the risks of collecting and processing personal data in the
context of a business workflow and to identify mechanisms that mitigate those risks.

Data retention—refers to backing up and archiving information assets in order to comply with
business policies and/or applicable laws and regulations. To meet compliance and e-discovery
requirements, organizations may be legally bound to retain certain types of data for a
specified period. This type of requirement will particularly affect financial data and security
log data. Conversely, storage limitation principles in privacy

Data Sovereignty and Geographical Considerations

• Data sovereignty
• Jurisdiction that enforces personal data processing and storage
regulations
• Geographical considerations
• Select storage locations to mitigate sovereignty issues
(Most cloud providers allow choice of data centers for processing and
storage, ensuring that information is not illegally transferred from a
particular privacy jurisdiction without consent.)
• Define access controls on the basis of client location
(Cloud-based file and database services can apply constraint-based
access controls to validate the user's geographic location before
authorizing access)

Privacy Breaches and Data Breaches
• Definition of a breach event
• Data breach versus privacy breach (next slide)
• Organizational consequences
• Reputation damage
• Identity theft
• Fines—legislation might empower a regulator to levy fines, either a fixed sum or, in the
most serious cases, a percentage of turnover.
• IP theft, e.g. copyright material such as unreleased movies and music tracks
• Notifications of breaches—the requirements indicate who must be notified.
• Escalation—any breach of personal data and most breaches of IP should be escalated to
senior decision-makers, and any impacts from legislation and regulation properly
considered.
• Public notification and disclosure—notification might need to be made to law
enforcement, individuals and third-party companies affected by the breach, and publicly
through press or social media channels.
A data breach occurs when information is read or modified without authorization.
"Read" in this sense can mean either seen by a person or transferred to a network
or storage media. A data breach is the loss of any type of data, while a privacy
breach refers specifically to loss or disclosure of personal and sensitive data.

Data Sharing and Privacy Terms of Agreement

• Service level agreement (SLA)
• Require access controls and risk assessment to protect data
• Interconnection security agreement (ISA)
• Requirements to interconnect federal systems with third-party systems
• Non-disclosure agreement (NDA)
• Legal basis for protecting information assets
• Data sharing and use agreement
• Specify terms for the way a dataset can be analyzed
• Proscribe use of reidentification techniques

Service level agreement (SLA)—a contractual agreement setting out the detailed terms
under which a service is provided. This can include terms for security access controls
and risk assessments plus processing requirements for confidential and private data.
ISA—any federal agency interconnecting its IT system to a third party must create an
ISA to govern the relationship. An ISA sets out a security risk awareness process and
commits the agency and supplier to implementing security controls.
NDAs are used between companies and employees, between companies and
contractors, and between two companies. If the employee or contractor breaks this
agreement and does share such information, they may face legal consequences.
Data sharing and use agreement—personal data can only be collected for a specific
purpose. Data sets can be subject to pseudo-anonymization or deidentification to
remove personal data, but there are risks of reidentification if combined with other
data sources. A data sharing and use agreement is a legal means of preventing this risk.
It can specify terms for the way a data set can be analyzed and proscribe the use of
reidentification techniques.

Privacy and Data Sensitivity Concepts

Review Activity

Topic 16B
Explain Privacy and Data Protection Controls

CompTIA Security+ Lesson 16 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21
Syllabus Objectives Covered

• 2.1 Explain the importance of security concepts in an enterprise environment
• 3.2 Given a scenario, implement host or application security solutions
• 5.5 Explain privacy and sensitive data concepts in relation to security

Data Protection

• Data at rest
• In some sort of persistent storage media
• Encrypt the data, using techniques such as whole disk encryption, database
encryption, and file- or folder-level encryption
• Apply permissions—Access Control Lists (ACLs)—to ensure only authorized
users can read or modify the data
• Data in transit (or data in motion)
• Transmitted over a network
• Protected by transport encryption, such as TLS or IPSec
• Data in use
• Present in volatile memory, such as system RAM or CPU registers and cache
• Malicious intruder with rootkit access to the computer may be able to access it
• Trusted execution environments/enclaves
Data Exfiltration
Unauthorized copying or retrieval of data from a system, especially valuable
data or PII
• Data exfiltration methods
• Removable media—USB drive, memory card, or a smartphone
• Transferring over the network—HTTP, FTP, SSH, email, or IM/chat
• Communicating data over the phone or by video
• Taking a picture or video of text data
• Ordinary countermeasures
• Ensure that all sensitive data is encrypted at rest
• Create and maintain offsite backups of data
• Ensure that systems storing or transmitting sensitive data are implementing
access controls
• Restrict the types of network channels that attackers can use
• Train users about document confidentiality and the use of encryption to store
and transmit data securely
Data Loss Prevention
• DLP products scan files for matched strings and prevent unauthorized copying or transfer
• Policy server
• Endpoint agents
• Network agents
• Cloud-based DLP
• Remediation
• Alert only
• Block
• Quarantine
• Tombstone—the original file is quarantined and replaced with one describing the policy
violation and how the user can release it again.
Data loss prevention (DLP) products automate the discovery and classification of
data types and enforce rules so that data is not viewed or transferred without a
proper authorization. Such solutions will usually consist of the following
components:
• Policy server—to configure classification, confidentiality, and privacy rules and
policies, log incidents, and compile reports.
• Endpoint agents—to enforce policy on client computers, even when they are not
connected to the network.
• Network agents—to scan communications at network borders and interface with
web and messaging servers to enforce policy. DLP agents scan content in
structured formats, such as a database with a formal access control model or
unstructured formats, such as email or word processing documents. A file
cracking process is applied to unstructured data to render it in a consistent
scannable format.
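As an added illustration of the DLP scanning and remediation described above (example code written for this page, not from CompTIA or any DLP product), the following Python script applies two pattern rules, a Social Security Number format and a Luhn-checked card number, to a few constructed sample files, then applies a constructed per-data-type remediation policy (alert, block, quarantine, tombstone). The file contents, the rule patterns and the POLICY mapping are all assumptions made for the demonstration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample files (every identifier is made up; the card number in
# expenses.txt is Luhn-valid so that it looks like a real PAN to the scanner).
SAMPLE_FILES = {
    "quarterly_report.txt": "Revenue grew 4% quarter over quarter. No personal data here.",
    "hr_export.csv": "name,ssn\nJane Example,123-45-6789\n",
    "expenses.txt": "Paid with card 4539 1488 0343 6467, receipt attached.",
    "test_data.txt": "Placeholder 1234 5678 9012 3456 is not a valid card number.",
}

# Pattern rules: SSN format with the never-issued ranges excluded, and a
# 13-16 digit run (spaces or dashes allowed) that must still pass Luhn.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Remediation action per data type (a constructed policy, not a product default).
POLICY = {"ssn": "tombstone", "card": "quarantine"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    value: str   # the matched string, kept only so the demonstration can show it


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Return every matched string in the text that a DLP rule would flag."""
    findings = [Finding("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):   # drops random digit runs such as order ids
            findings.append(Finding("card", m.group()))
    return findings


def remediate(name: str, text: str, findings: list[Finding]) -> dict:
    """Pick the strictest action among the findings and apply it to the file."""
    if not findings:
        return {"file": name, "action": "allow", "content": text}
    order = ["alert", "block", "quarantine", "tombstone"]
    action = max((POLICY[f.kind] for f in findings), key=order.index)
    kinds = sorted({f.kind for f in findings})
    if action == "tombstone":
        # The original is quarantined and the user is left a note explaining the
        # violation and how to request release.
        content = (f"This file was quarantined by DLP policy: it contains {', '.join(kinds)}. "
                   f"Contact the data owner to request release.")
    elif action == "quarantine":
        content = None              # moved out of the user's reach, no note left behind
    else:
        content = text              # alert-only or block-on-transfer leaves the file in place
    return {"file": name, "action": action, "content": content, "kinds": kinds}


def run_dlp(files: dict[str, str]) -> dict[str, dict]:
    """Scan every file and return the remediation decision for each."""
    return {name: remediate(name, text, scan_text(text)) for name, text in files.items()}


if __name__ == "__main__":
    for name, result in run_dlp(SAMPLE_FILES).items():
        print(f"{name}: {result['action']}")
```

Pattern matching on its own is noisy, which is why the card rule is combined with the Luhn checksum: the 16-digit placeholder in test_data.txt matches the regular expression but fails the checksum and is left alone. A real policy server would also vary the action by channel (an endpoint agent blocking a USB copy, a network agent blocking an upload), which this example does not model.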

Rights Management Services
• Assign file permissions for different document roles, such as author, editor,
or reviewer.
• Restrict printing and forwarding of documents, even when sent as file
attachments.
• Restrict printing and forwarding of email messages.


Privacy Enhancing Technologies

• Data minimization
• Only collect sufficient data to perform the specific purpose that consent was
obtained for
• Deidentification
• Removing personal information from shared data sets
• Anonymization
• Irreversible deidentification techniques
• Pseudo-anonymization
• Reidentification is possible using a separate data source
• Reidentification attacks
• K-anonymous information

• Data minimization is the principle that data should only be processed and stored if
that is necessary to perform the purpose for which it is collected. The workflow can
supply evidence of why processing and storage of a particular field or data point is
required. Data minimization affects the data retention policy. It is necessary to track
how long a data point has been stored.
• Deidentification methods may also be used where personal data is collected to
perform a transaction but does not need to be retained thereafter.
• A fully anonymized data set is one where individual subjects can no longer be
identified, even if the data set is combined with other data sources.
• Pseudo-anonymization modifies or replaces identifying information so that
reidentification depends on an alternate data source, which must be kept separate.
• A reidentification attack is one that combines a deidentified data set with other data
sources, such as public voter records, to discover how secure the deidentification
method used is.
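The reidentification risk and the k-anonymous information bullet above can be made concrete with a pre-release check. The following Python is an added example written for this page (not CompTIA's material): it takes a constructed "deidentified" release and a constructed public record set, measures the release's k over its quasi-identifiers, counts the rows that a join on those quasi-identifiers would tie to exactly one named person, and then applies record suppression to reach a target k before release. The column names, the QUASI_IDS tuple and every value are assumptions.

```python
from __future__ import annotations
from collections import Counter

# Constructed "deidentified" release: names were dropped, but ZIP code, birth
# year and sex remain as quasi-identifiers. All values are made up.
RELEASE = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1978, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1980, "sex": "M", "diagnosis": "influenza"},
]

# Constructed stand-in for a public record set such as a voter roll: it is
# identified (has names) but carries no health data.
PUBLIC_RECORDS = [
    {"name": "Alice Example", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "Bea Example",   "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "Carl Example",  "zip": "02139", "birth_year": 1978, "sex": "M"},
    {"name": "Dan Example",   "zip": "02139", "birth_year": 1980, "sex": "M"},
]

QUASI_IDS = ("zip", "birth_year", "sex")


def qid(row: dict, keys=QUASI_IDS) -> tuple:
    """The quasi-identifier tuple used to group rows into equivalence classes."""
    return tuple(row[k] for k in keys)


def k_anonymity(rows: list[dict], keys=QUASI_IDS) -> int:
    """k of the data set: the size of its smallest equivalence class."""
    return min(Counter(qid(r, keys) for r in rows).values())


def linkable_rows(release: list[dict], public: list[dict], keys=QUASI_IDS) -> int:
    """Count released rows whose quasi-identifiers are unique in the release and
    match exactly one identified public record: the rows a linkage join would
    re-identify. This is the audit a data owner runs before approving a release."""
    public_classes = Counter(qid(r, keys) for r in public)
    release_classes = Counter(qid(r, keys) for r in release)
    return sum(
        1 for r in release
        if release_classes[qid(r, keys)] == 1 and public_classes[qid(r, keys)] == 1
    )


def suppress_to_k(rows: list[dict], k: int, keys=QUASI_IDS) -> list[dict]:
    """Drop rows from equivalence classes smaller than k (record suppression),
    the simplest way to reach a target k before release."""
    classes = Counter(qid(r, keys) for r in rows)
    return [r for r in rows if classes[qid(r, keys)] >= k]


if __name__ == "__main__":
    print("k before release:", k_anonymity(RELEASE))                                  # 1
    print("rows a linkage join would re-identify:", linkable_rows(RELEASE, PUBLIC_RECORDS))  # 2
    safer = suppress_to_k(RELEASE, 2)
    print("k after suppression:", k_anonymity(safer), "rows kept:", len(safer))      # 2 2
```

Removing the name column gave this release a k of 1, so two of its four rows are effectively identified as soon as someone joins on ZIP, birth year and sex. Suppression is blunt (it discards half the data here); generalizing the quasi-identifiers, for example banding birth year or truncating the ZIP code, is the usual alternative and is the banding technique covered under the database deidentification methods that follow.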

Database Deidentification Methods

• Data masking
• Whole or partial redaction of strings
• Format-preserving masks
• Irreversible
• Tokenization
• Replacing field value with a random token
• Token stored in a separate data source (vault)
• Reversible with access to the vault
• Aggregation/banding
• Hashing and salting
• Indexing method
• Discarding original data for identifier

Data masking can mean that all or part of the contents of a field are redacted, by
substituting all character strings with "x" for example. A field might be partially
redacted to preserve metadata for analysis purposes.
Tokenization means that all or part of data in a field is replaced with a randomly
generated token. The token is stored with the original value on a token server or
token vault, separate from the production database.
Aggregation/banding—another deidentification technique is to generalize the data,
such as substituting a specific age with a broader age band.
Hashing and salting—a cryptographic hash produces a fixed-length string from
arbitrary-length plaintext data using an algorithm such as SHA. If the function is
secure, it should not be possible to match the hash back to a plaintext.
A salt is an additional value stored with the hashed data field. The purpose of the
salt is to frustrate attempts to crack the hashes: the attacker cannot use precomputed
tables of hashes built from dictionaries of plaintexts, because those tables would
have to be recompiled to include the salt value.
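As an added example (written for this page, not part of the CompTIA course materials), the following Python applies the four methods above to one constructed customer record: masking the name (with an optional format-preserving tail), tokenizing the card number through a vault that is the only place the mapping can be reversed, banding the age, and hashing the email address with a salt so that it can still serve as a join key between records. A keyed HMAC variant is included alongside the salted hash. The record fields, the salt value and the TokenVault class are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed customer record; every value is made up.
RECORD = {"name": "Jane Example", "email": "jane@example.com",
          "card": "4539148803436467", "age": 37}


def mask(value: str, keep_last: int = 0, char: str = "x") -> str:
    """Irreversible redaction. keep_last preserves a format-friendly suffix
    (e.g. the last four card digits) so some metadata survives for analysis."""
    if keep_last <= 0:
        return char * len(value)
    return char * (len(value) - keep_last) + value[-keep_last:]


class TokenVault:
    """Reversible tokenization: random tokens map back to originals only here,
    so the vault has to live on a separate server from the production database."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:           # the same value always gets the same token
            return self._by_value[value]
        token = secrets.token_hex(8)          # random: carries no information about the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def band(age: int, width: int = 10) -> str:
    """Aggregation/banding: replace a specific value with a broader range."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def salted_hash(value: str, salt: bytes) -> str:
    """Salted SHA-256. The salt defeats precomputed tables; the original value is
    discarded and the hash becomes the record's identifier (indexing method)."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA-256 with a secret key: unlike a salt, the key is not stored beside
    the data, so a stolen table of hashes cannot be matched against guessed inputs."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def deidentify(record: dict, vault: TokenVault, salt: bytes) -> dict:
    """One method per field, mirroring the four techniques on the slide."""
    return {
        "name": mask(record["name"]),
        "card": vault.tokenize(record["card"]),
        "age": band(record["age"]),
        "email": salted_hash(record["email"], salt),
    }


if __name__ == "__main__":
    vault = TokenVault()
    out = deidentify(RECORD, vault, salt=b"constructed-salt")
    print(out)
    print("card recovered from vault:", vault.detokenize(out["card"]))
    print("partial mask:", mask(RECORD["card"], keep_last=4))   # xxxxxxxxxxxx6467
```

One caveat a reviewer of such a scheme should raise: a salted hash of a low-entropy field (an email address, a card number, a date of birth) can still be brute-forced by anyone who obtains the salt, because the candidate plaintexts can simply be enumerated and hashed. The salt only removes the precomputation advantage described above. Where the hashed field must stay pseudonymous even if the table leaks, keyed_hash is the stronger choice, with the key kept under the same separation as the token vault.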

Privacy and Data Protection Controls

Review Activity

Applied Lab

• Identifying Application Attacks

Lab Activity
Lesson 16
