CompTIA CYSA+ CS0-002 – Non-technical Data and Privacy Controls Part 2

3. Legal Requirements (OBJ 5.1)

Legal requirements. In this lesson, we’re going to talk about some of the legal requirements around privacy. Now, any type of information or asset needs to consider how a compromise of that information can threaten the three core security attributes of the CIA triad confidentiality, integrity, and availability. And I mention this a lot in my courses, but if you’re thinking about CIA, I like to think about confidentiality usually has to do with encryption, integrity usually has to do something with hashing, and availability usually has to do something with redundancy. And so if you keep those three key words in mind, it’ll help you figure out what the right answer is when you’re dealing with CIA Triad and things associated with it. Now, what we’re going to really focus on in this lesson is the difference between privacy and security.

Now, when we talk about security controls, there is that focus on CIA attributes of the processing system. So if I say this data is encrypted, well, that is a security control. That’s confidentiality. If I say this data has been hashed, so I have a digital fingerprint of it, that tells me we have integrity of it, but that’s all security. That doesn’t tell me whether or not that data is private, if it’s been kept private from other people. And so that’s something we have to think about when we talk about privacy. We’re really talking about a data governance requirement that arises when you’re collecting and processing personal data to ensure the rights of the subject’s data. So if I collect information from you when you sign up for my course, I get your name, your email, maybe your credit card information, I have to keep that information private. It doesn’t necessarily mean that I have to have it encrypted in my database.

Although we do that, we just have to make sure that nobody else can get that data who doesn’t have a need to know inside our organization, that’s the idea of privacy. Now, one of the things that I think is unique is the way privacy is seen across the globe. Depending on where you are and where you live, privacy is either a bigger or less deal to you. For instance, when you go to a website and you look at the privacy policy, do you actually read through all of the pages of legalese to figure out what they’re saying they can do with your private information? Most people don’t. But if you’re in someplace like Europe, they take privacy much more seriously, and they have things like the right to be forgotten and they have GDPR, which says that you have to write your privacy policy in a very clear and easy to understand method, not legalese like we do here in the States.

So even just the difference between European countries and the United States has a big difference in the way we view privacy. Now, because of the cultural differences and the cultural pressure that’s been applied there are different legal requirements in different areas. There are legal requirements that will affect your corporate governance and policies in regards to privacy of your user’s data. As a company that works worldwide with people, we have students all over the world. We have to be aware of that. And so we keep in mind what the legal requirements are in the different areas we’re operating in. Now, one of the biggest requirements, and one of the best requirements in terms of privacy, is GDPR.

This is the general data protection regulation, and this says that personal data cannot be collected, processed, or retained without the individual’s informed consent. Now, when I talk about informed consent, this means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese. So if you go to a website and they say, give us your name, your email, and your home address so that we can sell you this product and then deliver it to your house, that’s the stated purpose. That doesn’t mean that they can now send you mailers every single week to your home address to try to get you to buy more stuff, unless that was part of their privacy policy that you accepted. So GDPR says they have to be upfront with this.

Now, GDPR also provides the right for a user to withdraw consent at any time. It also gives them the ability to inspect, amend, or race data that’s held about them. We like to call this the right to be forgotten. If you’re a resident and citizen of the European union, you can call up the company or fill out their form and say, I want you to forget everything you’ve ever known about me, and they have to go into their database and scrub you out of it. That is part of that law. It gives you a lot of protections if you’re a European citizen. Now, if you’re an American citizen, we don’t have that right. So if I’m sitting in Maryland and I want to be forgotten, I can’t do it. That’s just not something that the companies have to do for me. I can request they do that, but they are not by law required to do it. So there are different protections depending on where you live in the world.

And as a company operating in different areas, you need to be aware of this. Now, what happens if you have a data breach? Well, this depends again, where you are and what laws you fall under. For instance, if you deal with GDPR, you have responsibilities within 72 hours. If you’re doing business within Europe, you have to notify the regulators and the users that you had a data breach. So once again, this is an area where the European citizens have better rights than the Americans do, based on the laws that are in each of those countries at the time of this filming. Now let me give you a quick word of warning. Data breaches can happen both accidentally and through malicious interference. Just because you had a data breach doesn’t mean that some hacker got in. It could have been assistant missionary did the wrong thing.

They entered the wrong command in the database, and they dumped it to the screen. And now people were able to see everybody’s Social Security numbers or their dates of birth or their names. This is all types of things that have happened in the past, so just keep that in mind. It’s not always a malicious actor. It’s not always a hacker. Sometimes it’s our own internal staff who makes mistakes. Now, I’ve mentioned GDPR a couple of times here already in this lesson. But I want you to remember, when I’m talking about GDPR, I’m talking about a law inside of Europe. And GDPR does provide stronger protections than most federal or state laws in the United States. Most of the laws here in the United States are very industry specific or state specific. So we might have laws that affect the financial industry or the health care industry, but we don’t have ones that protect all of our citizens all of the time.

And for the rest of this lesson, we’re really going to focus on those narrower definitions of personal data in industry specific areas. So the first one I want to talk about is Socks or Sarbanes Oxley. We talk about Sarbanes oxley. This sets forth the requirements for the storage and retention of documents that are relating to an organization’s financial and business operations, including the type of documents to be stored and the retention periods. This applies to publicly traded companies, companies listed on the stock exchange, and they have to have a value of at least $75 million to be required to follow Socks. Socks came out of all of the scandals in the early 2000s, things like WorldCom and Enron. And so after that, Congress stepped in and said, all these companies need to retain their documents.

We want to be able to go back and look at those records and see what they’ve been doing. And that way we could try to protect the people. Another law that came out of the early 2000s was GLBA, the Graham Leach Blyly Act. Now, this sets forth requirements that will help protect the privacy of an individual’s financial information that’s held by financial institutions and others. When we talk here about financial institutions, we’re talking about stockbrokers banks and other things like that. So if you’re dealing with a mortgage company, they fall under GLBA and they have to protect the privacy of your information. Next, we have FISMA. And FISMA applies to the government itself. FISMA is the Federal Information Security Management Act. It sets forth the requirements for federal organizations to adopt information assurance controls.

So if you’re talking about government organizations, we’re talking about things like the Social Security Administration, health and Human Services, the Department of Housing and Urban Development, the Department of Defense, which is the military. All of these folks fall under FISMA. So if you work for the government or a government contractor, FISMA applies to you. And so a lot of folks in the cybersecurity world, we end up working for the government, for the military, or one of those type of organizations. So keep FISMA in mind because it probably applies to the place you work if you’re in the United States. Next, we have HIPAA, which is the Health Insurance Portability and Accountability Act. This sets forth the requirements to help protect the privacy of individuals health information that’s held by health care providers, hospitals, and insurance companies.

Now, again, HIPAA is going to deal with health care providers, hospitals, doctors and insurance companies. If they have information about your health records, it’s protected by HIPAA. And so if you work for one of those sectors of the economy, make sure you’re familiar with HIPAA as well. Now, all of those were reviewed for you from Security Plus, but I do have one new one for you. And this is COSO, which is a committee of sponsoring organizations of the Treadway Commission. This provides guidance on a variety of governance related topics, including fraud, controls, finance and ethics. And it relies on COSO’s Erm integrated framework, which is Enterprise Risk Management framework. Now, this essentially is a bunch of best practices and ways of working to deal with fraud and controls and finance and ethics inside your organization.

So it’s not necessarily a regulation or law, but it is a best practice way of doing things and so it is something you could consider as well. Now, I know that was a lot of different laws and regulations that we talked about in terms of privacy. And there are countless other laws and regulations around the globe. We really did focus on really only two main areas europe with GDPR and then America with all the rest. But if you’re located in Canada or India or someplace else, there are laws and regulations that apply to you based on your own countries. For the exam, though, they only have the ones that I talked about here as testable information based on your objectives. And so if you know the ones I talked about in this lesson, you’re going to find on the exam in terms of privacy and legal requirements.

4. Data Policies (OBJ 5.1)

Data policies. In this lesson we’re going to talk more about data policies. Specifically, we’re going to cover purpose limitation, data minimization and data sovereignty. First, let’s talk about purpose limitation. Now, when we talk about purpose limitation, this is the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented. For example, if you’re working with the US. Government on a lot of different things, we have something known as the Privacy Act of 1976. And it will actually say that if you’re giving your naming your Social Security number to this form to maybe get your driver’s license or something like that, that it can only be used for that stated purpose. They can’t then use it for something else. That’s what we’re talking about with a purpose limitation.

Now, a purpose limitation will restrict your ability to transfer data to third parties. So you have to make sure you look at the way it’s written. Because if my purpose limitation says that I can’t transfer any data to third parties, that means I can’t outsource that part of my business. I have to do it internally with employees that I own. Also, you can’t take the data and then just give it to somebody else so that they can market to other people. These are things you have to think about when you look at what was the purpose that you used to collect that information? What did you tell your customers? And then you need to make sure you follow through keeping the promise that you made to them in that purpose limitation. Now, the second area we want to talk about is data minimization.

Data minimization is the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose. So what does this look like in the real world? Well, I’ll give you a great example from my own website. Let’s say you decide you want to buy your cysaplus voucher by going to my website. You’re going to go to deontraining. Comvouchers, you hit Enter and you’re at the website. You click on the button for CYSA and it brings you up to a checkout page. We’re going to collect the minimal amount of information from you. What would be the minimal information do you think, if you wanted to buy a voucher from us? Well, it would be your name, your email and your credit card information. That’s all I need. I don’t need to know your home address, I don’t need to know your mother’s maiden name, I don’t need to know your date of birth, I don’t care about any of that.

It’s out side the purpose that I need. So for me, I need your name so I can send you an email and say thanks Jason, for buying your voucher. I need your email so I can send you the voucher that you’re buying and I need your credit card so I can get paid for the voucher I’m sending you. That’s it. And so for us, we collect the minimum amount of information possible to give you the maximum freedom to protect your privacy. Now, each process that uses personal data should be properly documented. We have all of our processes document and we say, here’s what comes in, here’s all the different actions that happen, and here’s what comes out. That way we can verify that we are minimizing data collected.
In the old days, we used to actually ask for your mailing address, and then we found out that we didn’t need it because we’re not mailing you anything physically.

We’re only using email, and our credit card company said they weren’t even using the shipping address of the credit card. So we stopped collecting that information. Again, you need to figure out what is needed for the process so you can minimize it. When you look at data minimization, it’s also going to affect your data retention policy, because if you have less data that is, data that you may not need to keep as long, or on the opposite side, you might be able to keep it longer, because your data retention policy will allow, and you have enough storage because you’re collecting less data. So either way could help you in your data retention policy. Now, data minimization can also affect your data retention policy. If I have a policy of minimizing the amount of data I have, I also might want to have a policy that minimizes how long I keep that data.

For instance, if you bought a voucher for me ten years ago, do I still need to have your name and email? Probably not, because if you only bought something from me ten years ago and you haven’t come back since, you’re probably not interested. So I don’t really have a business case for why I would keep that even longer. And so you can look at your data retention policy in terms of data minimization as well. Now, the third main principle we’re going to talk about in this lesson is data sovereignty. This is the principle that countries and states may impose individual requirements on data collected or being stored within their jurisdiction. So there are different rules in different areas. We’ve already talked about this. If you’re in Europe, you have one set of rules.

If you’re in America, you have another set of rules. If you’re in some other country, you might have a third set of rules. And so it’s important to understand what those rules are where you are. Now, how does this affect us as people who work on the internet? Well, all that data has to be stored someplace, right? And so some states and nations may respect data privacy more or less than others. And based on that, you can determine where you want to host your servers. For example, if I choose to host my servers in America, which I do, that means I have to follow the American laws for it. But if I decide to move it to some country in Africa or the Middle East or Asia, I have to follow their rules. And their rules may not be as strict as the American rules. Or if I moved it to Europe, they have stricter rules. So, for instance, if I move my server to Germany, I’m now in the European Union, so I now fall under GDPR. If I’m dealing with GDPR.

These protections are actually extended to any European Union citizen while they are within Europe or within the European Economic Area or the EU. Now, technically, if you’re a European Union citizen and you start traveling to a different area, you now have affected your data sovereignty because you’re no longer protected by GDPR while you’re in, say, Thailand, because now you’re following the Thailand rules. And so if you’re dealing with a local Thai company, they don’t have to deal with GDPR regulations. Even though you’re a European Union citizen. That protection only protects you within the walls of the European Union. It doesn’t protect you once you move outside. And so this is the idea of data sovereignty, and it affects you personally as you travel, but it also affects companies as we’re deciding where to put our data, because the location of our servers will help determine data sovereignty.

• Category: Uncategorized