CompTIA CYSA+ CS0-002 – Non-technical Data and Privacy Controls Part 3

5. Data Retention (OBJ 5.1)

Data retention. In this lesson, we are going to talk about data retention. When we talk about data retention, it’s really just talking about a set of policies, procedures, and tools for managing the storage of persistent data. Essentially, think about, how long should I keep this thing? Now, as an organization, we may have legal requirements that bind us to retain certain types of data for a specified period of time to meet compliance and ediscover recovery requirements. For example, I mentioned Sarbanes oxley earlier. If you work for an American company that is publicly traded and has a value of at least $75 million, they have data retention standards that are dictated by law. They can’t go and shred all their paperwork ahead of time. They have to wait until the time runs out. And that’s what we’re talking about here with meeting compliance requirements.

Now, when we talk about data retention, this is the process that an organization uses to maintain the existence of and control of certain data in order to comply with business policies and or applicable laws and regulations. So your data retention doesn’t just have to be told to you by law or regulation. It can also be something you self inflict using your own business policies. Now, whenever you’re creating your own business policies, you should always include your legal counsel when you’re developing these data retention policies. Why? Because legal counsel knows the laws. Legal counsel is another fancy word for lawyers. You’re going to make sure that the lawyers for your company are involved in this process because they know what the requirements are exactly for Sarbanes Oxley or HIPAA or GLBA or any of the other laws out there. And they’ll say, you need to keep this data for two years.

You need to keep that data for seven years. This data you only need for three months. And being able to tell you that is really helpful as you’re developing those policies. Now, in addition to retaining the data, you also sometimes will hear the word preservation of data. And when I talk about data preservation, this refers to information that’s kept for a specific purpose outside of an organization’s data retention policy. For example, our data retention policy at our company doesn’t cover user data specific on our website. And what I mean by that is, when you go to our website, you take a course, we actually know which lessons you finished, and we also know which quizzes you took and what your score was on those. That policy that we talk about there isn’t covered in data retention.

Instead, that’s a separate policy known as data preservation. And this is just us knowing how long do we want to keep an average customer’s data. And that’s based on our storage size, our processing capabilities, and things like that. Now, when you start trying to deal with all this data retention stuff, you have to have a way to back up and archive the information and these tools are going to be used to help you fulfill the requirements of data retention. If I need to keep this thing for seven years, it doesn’t mean that it has to be seven years online where you can access it in a second. We can have that offloaded to a tape backup or an external drive, and then we can pull it if we have the need for it inside of a lawsuit or some other regulatory finding. Now, there are two types of retention. We have both short term and longterm retention.

When I’m talking about short term retention, this is determined by how often the youngest media sets are overwritten. This is essentially your online data. So I have a server, I do backups of it every single night. Now when I run out of space, I start overwriting the old backups with new backups, whatever that time period is, that is your short term retention. So for most companies, that might be seven days, it might be two weeks, it might be a month. It’s usually not very long. Now, when I talk about long term retention, this is any data that’s moved to an archive storage to prevent being overwritten. So if I have to keep this data for seven years, for instance, by law, and my backups are only done every seven days, they start rewriting.

That’s my short term. Then within seven days, I need to copy that data off into some kind of long term storage. That could be as simple as printing those documents out, putting them in a filing cabinet. It could be backing them up to a tape and putting that into a filing cabinet. It could be putting it off to an offsite glacier. Storage inside the cloud. There are lots of different ways you can do this, but the main term here that you have to think about is, is it short term or is it long term? If you need it for the long term, you’re going to have to archive it off your system so you always have it available. Now, when it comes to backups, how do you know how much to back up? Well, all of your backups are going to take up valuable storage space.

Now, can you back up everything all the time? No, because you simply won’t have enough time, money or space for all of that. So instead, you have to start thinking through what will be backed up. And the first thing you’re going to back up is everything you’re legally required. Then you’re going to back up what you need to based on policies or based on operations. Now, in addition to being able to do local backups to things like tapes or external drives, you can also backup to the cloud. And that can give you unlimited storage. But you still aren’t unlimited because you have to pay for that. And your budget may not allow you to do unlimited storage. And so again, you’re going to have to be picky and choosy of what you can back up and how much it’s going to cost you.

Now, when you try to figure all this out, you’re going to do this based on your business continuity plan. Now, as you do your business continuity planning, you need to define your recovery point objective, your RPO, and we’ve talked about this term before then that recovery point objective will drive the recovery window and your backup plans. Just a reminder when we talk about a recovery point objective, what is that? The recovery point objective is what point in time you need to be able to restore from backup. So if I can afford to lose a day’s worth of data, my recovery point objective would be 24 hours. If I can afford to lose five minutes of data, my recovery point objective is five minutes. Based on that recovery point objective, you’re going to be budgeted and funded and design your systems around that, including what your recovery window should be and your backup plans.

Now, why is the RPO so important? Well, the RPO is so important because it’s going to help drive the recovery window or the redundancy decisions you’ve made inside your business. And these redundancy decisions and those recovery windows are going to end up driving what that retention policy is going to look like, because it’s going to be based on them. Now, all of your data at the end of its life has to be destroyed. And what are you going to do to destroy it? Are you just going to format the drive? Are you going to throw it away? Well, no. You have to make sure you securely dispose of it. And so the data has to be securely disposed once you reach the end of that retention period, once it expires. Now, you can do this if it’s paper, it’s really easy. You take out your paper and you shred it or you burn it or something like that.

But that’s not going to solve all of your problems, because we have hard drives, too. And hard drives can’t necessarily just be shredded very easily through a shredder like this at your office. So some people actually physically destroy it. They’ll take a drill and go right through the platter. Or you might have people who actually go and pay to have somebody shred the hard drives. There are machines that can shred hard drives expensive. So you have to take it to a third party company who specializes in this usually, but they do exist. Now, there are lots of different ways to do secure disposal, and we’ve already talked a lot about that back in the forensic section of this course. So if you want to review that, please go back to the forensics section and rewatch that video.

6. Data Ownership (OBJ 5.1)

Data ownership. In this lesson, we are going to talk about data ownership and some of the things that are important inside of it. Now, when we talk about data ownership, this is the process of identifying the person responsible for the confidentiality, integrity, availability and privacy of the information assets. Now, you might think that the data owner is the person who created that file, but that’s not what we’re talking about. In an enterprise environment, there are are different roles that fall under this idea of data ownership. These include things like the data owner himself, the data steward, the data custodian, and the privacy officer. Let’s take a look at each of these. First, we have our data owner. This is going to be a senior executive role and they have the ultimate responsibility for maintaining the confidentiality, integrity and availability of the information asset.

So what is their real role here as the data owner? It’s not the person who created the file, it’s the senior executive. And this data owner is going to be responsible for labeling the asset and ensuring that it’s protected with the appropriate controls. So the data owner is going to say this type of information when we’re dealing with, let’s say, the balance sheets for the corporation, they should be protected as financial information. So anybody who creates it will now follow my rules and label it as financial information. And we’re going to protect financial information by doing X, Y and Z, whatever those controls are. Now the data steward is a role that’s focused on the quality of the data and the associated metadata. This data steward is going to be somebody who is working for the data owner.

They are going to be involved with making sure that the data is appropriately labeled and classified. So we said that all financial data should be labeled financial data and it should be taken care of this way. That’s going to be the role of the data steward to make sure that’s actually done. Now as we go down even further, we get to our data custodian. This is a role that’s responsible for handling the management of the system on which the data assets are stored. So who might be a data custodian? Well, a system administrator. These are the people responsible for enforcing the access control, the encryption, and the backup and recovery measures that protect this data based on the requirements set forth by that data owner. And so you can see how this all goes upward as you go.

Then we have our privacy officer. Now this is a role that’s responsible for the oversight of any kind of privacy related data. Things like PII, SPI or Phi, any of those things that are managed by the company fall under the realm of the privacy officer. This is the person who’s going to really be on the hook if you have a data breach. Because normally when you have a data breach, what people are concerned about is the private user data that has been expelled. And so that is going to be what they’re focused on. They have to make sure that we are complying with the legal and regulatory frameworks and make sure that we have the right purpose, limitations and consent. We’re doing data minimization, data sovereignty, data retention.

All the stuff we’ve been talking about in this section falls under that privacy officer. Now the real question is who should own the data? Now, in a lot of organizations, they try to make the CIO or the It department be in charge of all the information and be the data owners. But that is the wrong answer because as the It personnel, we don’t know about the data, we know about the systems. We should be the data custodians. Instead, the data owners should be somebody from the business side, the people who are creating this information. And each data owner can actually be specified inside their own departments. So for instance, you might have the accounting department have their leader be the data owner and they would have a data owner over their information.

Because if I, as the It person, am looking at some accounting data, I don’t know it well enough to be able to classify it at the right level. And so this is one of those things that I think is really important, that the It people should not be the data owners and the data owners should really be the people who know more about data based on the content of the company. If your company is a software development company, then the software design department should probably be the data owner. If you’re an accounting firm, it should be the financial department or the CFO, somebody who knows about the data, who can make the right decisions as far as labeling and classification. That is who should be your data owner.

7. Data Sharing (OBJ 5.1)

Data sharing. In this lesson, we’re going to talk about data sharing and some of the agreements you might use. Now, one of the things I’ve mentioned earlier in this class is that you can outsource a service or an activity, but you can’t outsource the legal responsibility for it. Even if I give that job to somebody else to do for me, I’m still responsible for it. So I can have somebody else do my bookkeeping. But at the end of the year, the IRS is still going to come after me if it’s done wrong. And so these are the things you have to think about when you’re dealing with data sharing because this kind of stuff can come back to bite you. Now we’re going to talk about four specific types of agreements. We’re going to talk about service level agreements or SLAs, interconnection security agreements or Isas, nondisclosure agreements or NDAs, and data sharing and use agreements.

Let’s talk about each of these. Now, a service level agreement or an SLA is a contractual agreement setting out the detailed terms under which a service is being provided. So I might have an SLA between me and my ISP, my Internet service provider. It says they’re going to provide me X amount of storage space, x amount of bandwidth, x amount of uptime, and X amount of hours a day of support. That is all in contract in writing that we have both signed and we both agreed to. Now, that means I don’t have to worry about hosting my website, right? Correct. But if the site gets hacked, guess who’s still going to have to answer for it? Me. Because I’m still responsible. My company is still responsible.

We’ve outsourced the task of running the web server, but we have not outsourced the responsibility. You can’t give away that responsibility. The second one we’re going to talk about is an interconnection security agreement, or Isa. Now, an Isa is an agreement used by federal agencies. So we’re talking about the US. Government here to set out security risk awareness processes and commit the agency and suppliers to implementing security controls. Now essentially these are used when the federal government wants to allow a third party to connect into their system. So let’s say I got a big contract to take over all of the It training for the federal government. They would want to connect into my web server to allow all their users access.

We would have to have one of these interconnection security agreements. And it might say that every three months we have to do a vulnerability scan and give them a report. We have to have all patches done within 30 days. We have to have X, Y, and Z done, whatever those requirements are, to make sure that our security requirements meet their level of agreement. That way we’re not just plugging bad networks into the federal government’s network. That’s what we’re talking about with an Isa. Next, we have our third one, which is an NDA, a nondisclosure agreement. This is a contract that sets forth the legal basis for protecting information assets between two parties. So I’m making a new course, for instance, for another company.

We have an NDA that says I can’t disclose what’s in that course until it goes live and is published because they want to make sure that their competitors don’t figure out what our table of contents is going to look like and build a competing course. That would be an NDA. We can’t tell other people outside of the two of us what’s going on. I have some other partners that I work with inside the business and we have NDAs with those organizations as well. So they can tell us things about future upcoming products they might be working on. But I can’t tell you about it because you’re not party of that NDA, only the two of us are. And so we have this. Basically it says I’m going to keep your secrets and you’re going to keep mine. And neither of us will tell their people. That’s what an NDA does. And then we have data sharing and use agreements.

Now, these are an agreement that sets forth the terms under which personal data can be shared or used. So let’s say you bought this course on some kind of a platform and in part of their privacy policy, it says they can monitor your use of the course and they can use that to then sell that to third parties to tell them about elearners in the market. They can then say, well, out of all the students we have 50% finish all of their courses, 20% buy a second course, 70% take courses in English, whatever those facts and figures are, I’m just making that up. But they can share that data with a third party if they have permission when they collected it from you. And they now have a data sharing agreement in place. This is the idea of data sharing agreements.

I can take my corporate data that I’ve collected off of those people that are using my service and then share it with somebody else under the terms of that agreement. Now, all of these things predicate themselves on us having personal data on our users and this becomes a large data set for us. Now, these data sets may be subject to suitableization or deidentification to remove personal data. Now, we’ve talked a lot about privacy inside this course and one of the ideas here is that we can actually take your data and we can deidentify you from it. And that makes that data no longer personal data, it just becomes big data.

And this is done a lot by a lot of different companies, the Googles and the Facebooks and others of the world. Even if they don’t have permission to have your personal data because you have opted out, there might be information about you at large that could be used if they deidentify you. And what this means is we want to take out anything that can identify you uniquely. So let’s say I’m an online training company, and I have lots of students in my site, but I never asked you if I could share your personal data. Well, that means I can’t share your personal data, but I can deidentify you and then use that data. And what I mean by this is I could say out of the 100,000 students who took this course, 99% passed on their first try.

Now, that doesn’t identify you as one of my students in any way. It doesn’t identify you in the least. You are just one of those 100,000. So that is now deidentified. Or I can take smaller groups of information from my course. For instance, I could say males who are 35 to 40 years old pass at a rate of 80% or higher. Females who are 18 to 24 passed 99%. And again, I’m just making up numbers. This doesn’t these aren’t real numbers, but it gives you the idea of how we can take subsets of the larger data, and it doesn’t identify you uniquely. This is the idea of de identification or pseudonymonization by taking away those personal details and making it about the larger group instead of an individual.

• Category: Uncategorized