IAPP CIPT – Privacy Considerations & Techniques Part 2

4. Retention

Hi, guys. In this lesson, we’ll discuss about retention. Retention refers to the persistence of data by an organization after its collection. Organizations should have policies that govern the retention of data to comply with regulatory requirements, reduce the risks that come from holding too much data for too long, and show their trustworthiness. All data that is stored by a company should would be assigned a minimum and maximum retention period. The remainder of this section looks at specific aspects of data retention. Working with Records Management records management has to do with all aspects of managing records, from creation to final disposition.

Records can include database records, emails, server logs, documents, periodicals, media, contents of files, and the files themselves. Proper handling of record is important to managing risk in an organization. The lifecycle of a record should include the following phases receipt or creation. This is the point at which a record comes into existence within an organization. The first steps that must be taken are to identify the record and determine if it should even remain in the organization. Storage. Once a record has been identified as something that should be kept, it should be classified and put away for safekeeping, depending on its classification usage during its lifetime, a record may be accessed many times.

Great care must be taken to ensure that records are accessed only by the proper personnel or customers and that they are processed in accordance with organizational policies. Maintenance records may need to be updated over their lifetime. Think about tax rates, product pricing, address changes, or updates to policies. Disposition once records have reached the end of their useful life, they must be disposed of. A record could be disposed of by deletion, destruction, recycling, selling, rights management, expiration, or returning it to the original owner. Let’s discuss about providing data. Subject Access when an organization collects personal data on individuals, it has an obligation to provide them with access to their data.

The greater transparency principle of the FTC’s privacy framework asks that companies provide reasonable access to the consumer data they maintain. Providing access to personal data should not be viewed simply as a regulatory requirement, but as a way to build trust. People feel more comfortable when they can gain access to their data. Facebook and Google, which have received complaints about holding a lot of data on users, both provide a way for their users to download their data from the services.

When processing requests, great care should be taken to validate the requester of the data. Users often provide data to websites in an active or passive fashion that does not uniquely identify them. If a user has not signed into a service, then an IP address or cookie is probably the only way to identify that visitor. However, multiple people sharing the same computer could be identified by those same mechanisms, requiring an account ID and password to access user data. And only data that was created while the user was signed in is the only safe way to handle data access requests. Secure transfer of information and metadata retention requirements often mandate that data be kept for long periods. Instead of keeping the data online, where it can take up valuable network resources, data can be stored offline.

This can be challenging when storing sensitive data, so the following are ways to protect the data network encryption even though data may be encrypted while resting in a database or on a hard drive, it may be unencrypted during transmission. Storage encryption offline storage, such as tapes and DVDs, don’t have integrated access control systems or supports native encryption. Encrypting the data itself is the best way to protect it offline. Using Metadata Metadata can assist with the retrieval of data from offline storage, especially when the data is encrypted. Metadata can be used to determine the type of data being stored on backup media without exposing the contents of the data. For example, the metadata could provide categorization information sensitivity level, or even the index to the encryption keys used to encrypt the contents of the backup.

Considerations for Business Continuity and Disaster Recovery Retention management can play a big role in a business continuity plan. Retention is often viewed as the maximum length of time data must be kept within an organization. Retention policies should also cover the minimum amount of time data should be maintained in order to support disaster recovery. Contingencies business continuity and disaster recovery are iterative processes that must be continually reviewed. The process starts with an assessment of business risks.

A plan should be put in place to mitigate the risks, execute the plan does the plan, fix gaps and then start again with the new assessment. Portable Media Challenges The days of floppy disks, CDs, and DVDs are all but a faded memory. Still, portable media can take many forms. Though laptops, mobile devices, flash drives, and USB drives are the most common. Though these types of devices can provide great flexibility as well as data protection via encryption, they share a common flow lack of Accountability retention rules that may apply to content residing on an external drive cannot be enforced if the drive is not attached to the organization’s network.

The only real mitigation to this risk is disabling USB ports. However, creating strong policies and training employees about the risks of using portable media may be more practical. Persistent and Transient Storage Persistent storage is where the most content is placed, such as on a hard drive. Persistent storage can also be devices such as tapes, DVDs or flash drives. When retention management plans are created, they usually target data in persistent storage. Transient storage is used for storing data that has a short lifespan. Think of session cookies that are stored in a browser. As soon as the browser is closed, the station cookies, along with their content, are purged from the system. Other types of transient storage include paging files in an operating system, temporary database tables created to perform transactions, the clipboard storage or the shopping cart on a website that sells goods or services.

5. Destruction

Hi guys. In this lesson, we’ll discuss about destruction at the end of its lifecycle. Data should be destroyed. Destruction can be designated by a retention period, applied to a data records creation date, a request from a user, or the completion of a transaction. Destruction can result in the deletion of files, clearing of records from a database, or removal of data from from a file such as a spreadsheet. A destruction plan should be applied to an organization’s record management plan to ensure the proper removal of data. Simply stating that the data should be destroyed is not always sufficient. There should be clear guidelines on how to destroy the data based on its type. Let’s discuss about digital content. The destruction of most digital content is simply a matter of deleting the data or the files containing the data. Care must be taken when deleting data from an entire disk or tape and handling it of a third party.

Using standard operating system commands to delete files typically deletes only the header information and leaves the contents of the files intact. Formatting the entire disk is the best way to ensure the data is removed from the disk. Proper formatting is important because using the standard formatting will clear only the headers from each file and once again leave the data intact on the disk. The format command exists within the Windows operating system. Using the format comma and count flag will zero the entire disk and then write a random number to the discount times. There are also several free applications that provide various levels of disk clearing capabilities.

However, degaussing is the best way to remove data from hard drives, tapes, and rewritable CDs and DVDs. Digital Rights Management, or DRM, is another method of removing access to digital content through programmatic means by setting an expiration period in the contents, DRM attributes. Portable Media when a portable medium such as a flash drive is used to store data, it is difficult to enforce deletion policies on it. When a device is not connected to the organization’s network, running deletion routines against the data or performing a manual deletion is impossible. Proper training and reminders are the best way to keep employees aware of the need to delete expired data from portable media. Printers, Copiers, and Fax Machines Many printers, copiers, and fax machines contain hard drives that are used to store a copy of the printed material that is presented to them. This can be a source of risk when the machines are returned after their rental period or otherwise disposed of.

Before the machines are removed, the hard drives should be wiped clean or destroyed. Some manufacturers of these devices automatically scrub the hard drives after use, encrypt data while it is on the drive, or provide features that permit the administrators of the machines to remove any data that may be stored on their drives. Hard Copy destroying paper documents in an organization is an extremely difficult task not because of the process, but because of the difficulty in determining which documents need to be destroyed. Paper documents rarely have a deletion date, as they are typically printouts from files that do not have embedded deletion dates.

Many documents are assigned a data classification that can help determine a destruction date. As long as employees are properly trained in what the data classification mean and how they apply the retention policies, it is a best practice to place a destruction date on the paper. If the paper was printed from a file that does not have a destruction date, then the document should be destroyed once it is no longer needed and use the digital copy for future needs. For many companies, it may be more efficient to hire a document destruction company to destroy expired documents.

Developing and executing an information lifecycle program helps organizations ensure that they are collecting the right data, providing proper transparency for the collection, processing it properly, and destroying the data once there are no longer business needs for having an information lifecycle program in place is important for minimizing risk to organizations and the data subjects to which the data belongs.

6. Authentication techniques

Hi, guys. In this lesson, we’ll discuss about authentication techniques and degrees of strength. Authentication is a means for a system to identify an individual ATMs, electronic doors, voicemail and computers are examples of systems that authenticate users. Authentication helps to ensure that the right person is accessing a system and the sensitive data data it may hold. Different mechanisms can be used to protect access to sensitive data. The username and password is the classic means for authenticating people for access to their online accounts. Fingerprint, radio frequency identification or RFID, magnetic stripe and picture passwords are other authentication mechanisms. Some provide greater security, while others are just easier to use. Multifactor authentication provides a more secure mechanism by requiring an individual to provide two factors for authentication. These are usually two of the following something the person knows, something the person has or something the person is or where the person is.

Be aware that increased security is typically accompanied by increased complexity, which tends to thwart the increased security. For example, multifactor authentication will be harder to deploy, require more training of employees, and require more support from the It department to resolve access issues. Username and Passwords The username or ID and password are still the most common form of authentication for computers, software, and online services. The username and password are also often used to protect access to other people’s information and corporate secrets. The importance of the username and password should not be underestimated, and great efforts should be made to protect them. An enormous number of data breaches and identity thefts have been caused by the initial theft of a username and password.

To mitigate threats to your password, start by creating a complex one, having at least eight characters, mixed case, a number, and a special character word. Password ideas you can find them on the slide are pet names, notable date, family members, birthday, child name, family member name, birthplace, favorite holiday, the word password, the name of a significant or other stuff that really matters for you, and it can be easily found out by others. I don’t know, looking at your Facebook account or Twitter account, something related to your favorite sports team, et cetera. When it comes to the number of passwords we have to remember, many of us feel there are too many.

According to a recent study, 30% of adults have at least ten passwords and 8% have more than 20. Since remembering a lot of passwords is difficult, we need to have a way to store them. It is astounding in this day and age, how many people still store their passwords on a piece of paper or in an unencrypted file or secondary storage? If you are one of those people, put this training down and go encrypt your password file. If the file is called passwords, run and do it. Simplifying the use of multiple passwords. There are products like Mask Me, for example, that provide the ability to create random, unique values for email addresses, telephone numbers, and password fields. The email address that it creates can receive emails and can stay active as long as one likes. With this type of program, the user never needs to remember the password.

The user simply clicks into the password field and the program automatically enters the value based on the current website domain. The product, for example, LastPass permits the easy storage of multiple password as well as automatic login to the dozens of sites you might visit. Protecting passwords in the enterprise equally important is for the passwords to be encrypted during storage. It’s disappointing to continue to hear about data breaches where passwords were stored in the clear. Encrypting also protects passwords from a rogue employee who might be looking to access a computer using someone else’s credential or to sell a set of them for monetary gain. By hashing the password before storage, it is possible to protect the password such that the value cannot be decrypted and the hash value can be used to validate the password during authentication attempts.

Single Factor Authentication Single factor authentication provides protection to a resource using one type of authentication, which usually consists of an ID and password, which is something you know. An electronic key fob magnetic stripe card are something you have or biometrics something you are are other ways to initiate single factor authentication. One recent form of single factor authentication that has emerged is the picture password. Selecting a picture and then using a series of gestures such as a circle, line or point, provides a secure means to authenticate to a computer that can be easier to remember than a series of characters. With so many ways to protect access to resources, there is little excuse for not using authentication.

A fingerprint reader has been seen as a way to provide single factor authentication. However, be wary of devices that have low sensitivity sensor or are susceptible to false positives. Some fingerprint devices can also be susceptible to the gummy bear attack whereby latent fingerprints on glass are transferred to gelatin fingers. Multifactor authentication has been used by consumers for years without them realizing what it was. For instance, some vendors require a driver’s license when purchases are made with a credit card to confirm the identity of the cardholder. Those items represent something they have and something they are. They are credit card and facial features. When ATMs were developed, consumers use the ATM card along with a Pin to obtain money. Those two items represent, respectively, something the person has and knows.

Many computer systems today allow for two factor authentication using a password and a chip card. Some more sophisticated systems send a verification code to a user via email or text message. To provide a secondary means of authentication. It departments should consider implementing multifactor authentication for systems carrying sensitive data and for administrator terminals. Biometrics enables users to authenticate themselves to a computer using a physical attribute as the authentication mechanism. For example, a fingerprint, palm print, finger vans, earscan, voice recognition, and facial recognition are all types of biometric authentication. Biometrics can be one of the simplest types of authentication to use. Because there is nothing to remember or carry around, there is very little worry about losing your credentials or a person stealing them when you yourself are the credentials. Biometric systems can suffer from false positives and false negatives. The extent to which these weaknesses will present themselves depends on how sensitive the biometric systems are. The more sensitive the system, the more false negatives will occur.

The less sensitive it is, the more false positives will occur. Another weakness of biometric authentication is the inability to provide revocation capabilities. While it is simple to revoke a password or certificate, revoking a person’s facial recognition isn’t an option. After all, a person has only one phase to present to a facial recognition system. Biometrics can have drawbacks, such as being more expensive, requiring additional maintenance and support, and having limited compatibility across systems. Portable Devices Supporting Authentication Portable devices are things individuals can carry around with them for authentication purposes. A smart card, USB drive and RFID tag are some examples.

These types of authentication devices can carry a simple code or consist of a sophisticated program. Authentication can occur by inserting the device into a reader or USB port, or merely by placing it near the authentication device. They can help to strengthen authentication with computers. When policies require that the device be connected to the computer in order to use it, the errors secure ID, tails and looks devices are examples of the type of extreme security that can be provided by small portable devices.

7. Identifiability

Hi guys. In this lesson we’ll discuss about Identifiability and Identifiers. Authentication and even authorization are mostly made possible by the ability to identify an individual service or device by means of an Identifier. An Identifier can be a person’s name, a user ID, or code on a key. Fob the choice of Identifier will dictate the identity management systems that are used within an organization and the ease with which an employee can be identified. The ability to identify individual owners of data is important to organizations that are looking to manage risk and validate access to resources. However, Identifiability of individuals make them susceptible to tracking, targeting, and identity theft. Individuals can go through various level of Identifiability, from anonymous to well known.

Anonymity can have its advantages, but it can be a liability when it is necessary to validate ownership of something or find a criminal. Labels that points to Individuals Many labels can be used to point to individuals. Some labels are precise, but most are imprecise and even vague depending on context. We often state that a person’s full name is personal, identifiable, information, or PII. However, can you say definitely who John Peter Smith is? You may know one, but it is the right one. It depends on context. Understanding when or where the name is used can help to narrow a search to the specific person with that name. A person’s full name is considered PII even though we may not be able to determine to whom the name belongs. However, a single name is not considered PII.

Although many people who use a single name can be uniquely identified, such as Madonna, Cher, or Arsenio, we often use labels instead of names to identify people we don’t know, such as the man with the cowboy hat, the lady with the red dress, or the person with the balloon. Labeling people based on their attributes makes it easier to identify them in the context in which the description is used. Device Identifiers Device Identifiers are used to identify a device which often can be linked to an individual. For this discussion, I will exclude RFID tags associated with the smart ID or access page that directly links to PII. The IP address is probably the most common type of device Identifier. It is how traffic moves around on the Internet.

A message with a destination IP address is sent, including a return IP address so the receiving device knows how to respond to the message using the Ping or IP Config command. On Windows, machines can be used to determine the IP address of the computer or the host name that the IP address represents. Though the IP address does not point directly to an individual, the ISP can easily determine the person to whom an IP address belongs in the similar fashion that a mobile operator can determine the owner of a phone number or device ID.

Other than IP address, devices may have a device ID, a Mac Media Access Control address or one of many other IDs assigned by the device manufacturer or operating system vendors. Strong and Weak Identifiers can be strong or weak depending on how precise they are. Examples of strong Identifiers are driver’s license number, Social Security number, and national ID number. Examples of weak Identifiers are a person’s postal code, area code and shoe size. Some Identifiers can be weak or strong depending on how uniquely they identify the person and the context in which they are used. In general, age is a weak Identifier unless the person is 110 years old. Height is also a weak Identifier unless the person is 8ft tall.

These distinctions are important to understand when building a database to categorize individuals. Psychonimus and anonymous data. There has been a lot of confusion around the meaning of cell to nimbus and anonymous. Anonymous means that there is truly no way to know who a person is. More importantly, as it refers to privacy, there is no way to know to whom a set of data belongs. It personal often make the mistake of hashing a unique ID that identifies a record as being from a specific computer or person and declaring that the data is anonymous.

Because there is no practical way to get back to the original value, an important distinction needs to be made between practicality and reality. First, if a law enforcement agent presents a unique ID and asks that it has been hashed in order to find all associated records, it could probably be done. Second, a company typically creates and assigns only a finite number of unique IDs. That means that a lookup table could be easily created to match the list of unique IDs to their hashed values. In both cases, the owner of the data becomes known, meaning the data is not anonymous.

Some will state that an IP address is anonymous because it points to a computer which could be shared, or because the last octave has been erased, which leaves it anonymous. Shared computers make up a small percentage of all computers, and the timestamp can help identify the person who is using the computer at the time that a log has captured. Based on a login event. Clearing the last octet of an IP address does obscure its original value, but it’s not very effective if only one person from the root IP address is accessing a website. In general, if you are able to match two records as being from the same person or device, then the records are not anonymous. A good taste of anonymity is to ask if there is any way to know whom a set of data came from, or if a new data set can be matched to a previous one with the autonomy. An ID rather than PII is typically used to identify a data record as being from a specific person. Then the autonomyous means that the identity of a person isn’t known, but one is able to tell when the same person appears or owns a data set.

Say, for example, that you run a local grocery store and the person walks up to your counter. If you cannot see the person’s face whatsoever, then the person is anonymous. If you recognize the person but don’t know his name, then the person is held on emus. Of course, if you know who the person is, then the person is identifiable. Imprecise Data Making data less precise is another means of DE identifying data. Say you are collecting GPS data from someone’s phone, but all you need is a person’s zip code or current city.

The GPS coordinates could be converted to a value less granular and then thrown away. The same could be said for other values age or birth date, location URL IP address search keyword DE identification when collecting logs based on a user’s browsing experience, several pieces of extraneous data may be collected that could be used to identify someone. Performing the identification on the data can mitigate the risk of retaining unneeded identifiable data. In a server log, one typically finds an IP address, website address timestamp, cookie values, and possibly refer data. Now, let’s say you want to de identify the data. The first thing you would do is get rid of unique IDs so the IP address and cookie values would go. If your database stores personal information about the user to de identify, you would delete the name and birth date.

Though the birthdate by itself is not identifiable when combined with gender and zip code, it could be used to identify a person using public records. If the referral information is left in the logs, then it could contain clues to a person’s identity. It could indicate that the user performed a vanity search. It could be the URL to person’s Facebook, LinkedIn, Twitter or blog site. It could contain map coordinates to the person’s place of business, church, gym or friend’s house. Before setting up an analytics or research program, determine how many data you will need and how many days of data. Move the data to a separate database. Remove unique IDs.

Convert precise locations to something less precise. Remove URLs or if needed, use only the URLs to come on site and truncate everything other than the main domain values. The US. Hold insurers portability and Accountability Act called HIPAA provides a standard for DE identification. To assist with the deidentification of health information. The Department of Health and Human Services created a paper called Guidance Regarding Methods for DE identification of Protected Health Information. Companies claiming HIPAA compliance must validate that they are deidentifying data as the HIPAA standard requires. Even companies not subject to HIPAA compliance can benefit from the DE identification guidelines.

• Category: Uncategorized