IAPP CIPT – Understanding the need for privacy in the IT environment

January 23, 2023

1. Evolving compliance requirements

Hi guys. In this lesson, we’ll discuss evolving compliance requirements. Regulatory activity, security threats, advances in technology, new software releases, and the increasing proliferation of social networks can all have serious impacts on an IT department’s approach to compliance. Not only must IT professionals be able to respond to the needs of their organization, but they must also be able to predict how events might affect the product security and privacy readiness of the organization. More than ever, privacy controls have become an integral part of a comprehensive IT compliance program. Additionally, having good internal privacy procedures can help to attract and retain good employees. Prospective employees will be reluctant to work at a company that has an undesirable privacy reputation, because such a reputation is likely to damage their professional career.

Moreover, they may be concerned that their employee data could be released to the wrong person, causing financial or reputational harm. Having good external privacy procedures can also help attract and retain customers, business partners, and investors. Conversely, doing business with a company with a bad privacy reputation can be seen as a general risk: having a relationship with such a company could taint one’s own reputation.

So what did it look like in the year 2000? There was no LinkedIn, no Twitter or Facebook, no bring-your-own-device program, not to mention privacy and data protection. The challenges at that time were minimizing spam, running the backups (and how often to run them), or how to improve network performance. When we spoke about security, we usually meant firewalls and antivirus, not the intrusion prevention systems, security information and event management, automation, or machine learning in security that we are talking about today. There are five fair information practice principles, abbreviated NCASE: notice, choice, access, security, and enforcement. These were set out by the FTC, the Federal Trade Commission.

So let’s take them one by one. Notice. Consumers should be given notice of an entity’s information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether, and to what extent, to disclose personal information. Choice. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information, that is, uses beyond those necessary to complete the contemplated transaction. Access. Access refers to an individual’s ability both to access data about him or herself, that is, to view the data in an entity’s files, and to contest that data’s accuracy and completeness. Both are essential to ensuring that data is accurate and complete.

Security. Both managerial and technical security measures are needed to protect against loss and against the unauthorized access, destruction, use, or disclosure of data. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data, limits on access through the use of credentials, implementation of role-based access controls, and other techniques; the storage of data on secure servers or computers is also important. Enforcement. It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.

Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with the core fair information practice principles.

2. Major Risks to a Company’s IT Framework

Hi guys. In this lesson, we’ll discuss IT risks and their effects and impact on the company from different perspectives. Each type of system has its own set of requirements that must be addressed. Failure to address the requirements could cause privacy incidents, such as a data breach or improper use of personal data. IT risks include improper access controls or improper application of retention policies, leaving corporate documents exposed to the wrong people. Failure to meet industry commitments could result in a loss of accreditation, leading to a loss of customers. In the worst-case scenario, the company could be fined, forced to change its practices, and have its executives jailed. Let’s start with the client side.

The client side represents the computers typically used by company employees. These computers normally connect to the company’s server-side systems via wireless and hard-wired networks. The client side can represent a significant threat to the company’s systems, as well as to the sensitive data that may be on the client computers themselves. Employees often download customer files, corporate emails, and legal documents to their computers for processing, and employees may even store their own personal information on company computers. Even more concerning is that a client computer can access resources across the company that could hold vast amounts of planning documents of great interest to competitors or corporate spies. For that reason, client computers should be protected from possible threats.

Even when an employee’s computer is protected from known threats, there is still more to be done to address client-side privacy issues. When accessing data from client computers, employees should be made aware of their privacy obligations and should be required to take privacy training before accessing personal data. The server side. Organizational servers can share the same vulnerabilities as their client counterparts, though those risks can be minimized. Many client applications do not need to be on a server, and most users have little need to access servers directly. Social, office productivity and communication software are examples of the types of applications that are typically not needed on servers and should be kept off of them. Reducing the number of applications on a computer reduces the surface area that can be vulnerable to attack.

The more applications that exist, the greater the chance that one could harbor a virus or contain a vulnerability that could be exploited. When computers do have to be connected to the Internet, a firewall can be used to block unwanted network traffic from reaching the corporate network. Where possible, all data on a server should be classified based on its category, origin, sensitivity and purpose. This will help ensure that employees know which privacy policies apply to the treatment of the data. Security policy and personnel. It could be said that a company with no security policy has no security at all. Privacy cannot be assured unless practical security measures have been established. Likewise, a security policy with no accountability, or no people to enforce it, is of little value.

Each company should have a security policy in place, along with compliance and security personnel to enforce it. This policy will help employees understand what their security responsibilities are. The compliance personnel can create a set of security controls to help enforce accountability to the security policy. Objectives. When determining the appropriate security policy to protect personal information, a privacy impact assessment, or PIA, can help find any gaps in coverage and determine the security requirements needed to address them. While there will be several internal corporate obligations to consider, all security policies should also cover external requirements, such as regulatory or industry obligations. Once completed, the security policy will drive the processes and procedures that an organization follows to implement it.

Several industry standards can provide guidance on creating security policies, processes and procedures. Some examples of security measures that should be included in a security policy to help protect data are encryption, software protection, access control, physical protection, social engineering prevention, and auditing. Once a security policy has been developed, employees should be trained periodically so they understand the processes and procedures necessary to help ensure proper privacy protection of personal data. Applications. Most company employees depend on applications to get their jobs done.

However, it is prudent to restrict the number and types of applications that are deployed on a company’s computers. The more applications that exist, the more opportunities for one of them to carry malware or be exploited. There are some important steps to consider in order to avoid privacy-invasive applications. Privileged access: restrictions can be placed on who can install or configure software on a user’s computer. Software policy: each company should have a policy in place that describes the requirements and guidelines for applications used on company computers.

A company can manage application usage, and there are several ways to do that, but we will not go into the details here. Privacy links: where possible, each application should have a link to a privacy policy that explains the privacy obligations attached to data that may be accessible via the application. Further steps are application research, employee training, and IT involvement, which can take different forms: IT controlled, IT monitored, or employee controlled. IT controlled means the IT department enforces the policy: only the IT department can set up each computer, ensuring that only specific applications are installed.

IT monitored means company computers are periodically scanned to validate that each installed application is on the approved list, and employee controlled means the company chooses to let employees manage their own computers based on the corporate policy. Let’s talk about the network perspective. A company’s network is one of the most challenging systems for IT professionals to protect, because of its pervasiveness and the number of possible connection points, both ephemeral and permanent. The network is connected to client machines, servers, routers, hubs, load balancers, packet filters, wireless endpoints, and the Internet, just to name a few connections.

Traffic over the network can come from employees, vendors, and customers connected either directly, wirelessly, or via a VPN connection. Many of the applications running on client and server computers, network devices, and smartphones can also access the network. There are several ways to mitigate these types of network risks: keep computers clear of malware, apply smartphone policies, validate network devices, write secure code, and validate applications. Besides the threats posed by all of the legitimate connections to the company network, many risks to a network come from devices, individuals, and applications that should not be on the network at all. These include inappropriate access to resources, scanning of network data, and deployment of malware.

Preventing this type of threat requires going beyond the mitigations listed above, adding strong authentication practices, network monitoring, and network encryption. Let’s talk about storage. Companies store sensitive data in many locations, each with its own pros and cons. It’s important to have policies that cover each of the following storage mechanisms, and to continually train employees on their proper use, to minimize the risk of improper access to data, a data breach, or the placement of malware. So where is data stored? Files. Storing data in files provides both flexibility and challenges when it comes to protecting sensitive data. Access to files can be restricted using the security of an operating system or document management system.

However, once the files are removed from that system, the protection goes away. Files can be protected outside of their storage system using password-based encryption or digital rights management. Websites. Organizations’ websites often hold sensitive data, such as product plans, design documents, customer contact information, patent filings, or even personal data such as credit card numbers. In general, employees can have access to internal websites, but that access should be limited due to the risk of data falling into the wrong hands. Each website should have a privacy policy link, so employees know their privacy obligations with regard to processing of data accessible via the website. Databases. Much of the sensitive data stored by a company is kept in databases.

Databases have many features that make them attractive for storing sensitive data, such as general access control, role-based access control, various types of encryption, data categorization, retention management, and auditing. In addition, applications can be written on top of the database to provide an extra layer of control over the data. Cloud storage. Organizations often use cloud storage for several reasons, such as to provide better access to data for customers, to lower operational costs, and to limit regulatory risks from cross-border transfer of customer data.

However, using a hosting company for cloud storage can introduce additional risks. I would invite you to take a look at my course on cloud security and GDPR, where you will find more information about how cloud service providers need to process data under GDPR and what exactly you need to do if you are using a cloud service provider to process data. Applications. Many applications, such as accounting, HR and financial systems, store sensitive data that is accessible to anyone who has authorization to use the application.

Make sure to use applications that have strong role-based access controls. Backup tapes. Backup tapes are often overlooked as a source of data leakage. Tapes don’t have an access control list and can easily be read by anyone who has a tape reader, unless the data on the tapes is properly encrypted. Remember that just because the data is encrypted while on disk or in a database doesn’t mean the data will be encrypted after the backup process completes. Hardware. When storage hardware is replaced, it is important that any data is completely destroyed or made unreadable before recycling or disposing of the old hardware.

3. Stakeholder expectations for privacy

Hi guys. In this lesson, we’ll discuss stakeholders’ expectations for privacy. According to the Business Dictionary, a stakeholder is a person, group or organization that has an interest or concern in an organization. Stakeholders can affect or be affected by the organization’s actions, objectives and policies. Managing stakeholders’ expectations can be a huge responsibility for organizations with regard to protecting privacy. Even when an organization does not hold a stakeholder’s data, it can have many stakeholders who are concerned about its privacy practices, some inside the company and some outside.

Expectations around privacy often go beyond what the law requires or what a company may state in its privacy policy. When consumers make online purchases or vendors do business with the company, they expect their personal data to be treated a certain way. They don’t want to be compelled to read a long privacy statement in order to feel that their privacy will be respected; as a matter of course, most people do not read privacy statements. We’ll now discuss some stakeholders and the expectations that companies should be aware of.

Consumers. On average, web consumers are among the biggest sharers of personal information on the Internet. They share information with social, shopping, search, banking and healthcare sites, to name just a few. Very few of them read the website’s privacy policy, but they have expectations of privacy nonetheless. Most consumers expect a website to see and retain their browsing habits or the information they give the website.

Consumers don’t expect a website to share that data with other sites across the Internet unless it is to fulfill a transaction, such as sharing an address with UPS for shipping purposes. Regulators. Several US regulators monitor privacy issues for consumers. Agencies such as the Federal Trade Commission, the Federal Communications Commission and the Federal Reserve Board are responsible for different aspects of consumer privacy. These agencies enforce regulations such as COPPA, the Fair Credit Reporting Act, and the Right to Financial Privacy Act. In the European Union, the Data Protection Directive required individual member states to establish national regulatory bodies; the DPD has now been replaced by the GDPR. The institutions of the European Union itself are monitored by the European Data Protection Supervisor. The European Free Trade Association has much the same system, in which member states establish independent national regulatory bodies and the EFTA institutions are monitored by the EFTA Surveillance Authority.

As in Europe, each province in Canada has its own privacy commissioner, with a national body known as the Office of the Privacy Commissioner of Canada. Regulators work to ensure that companies follow privacy regulations, and fine them when they don’t. Industry groups. There are many industry groups that work to protect consumer privacy via self-regulation. The Better Business Bureau, the Interactive Advertising Bureau, and TRUSTe are examples of organizations that represent companies in specific areas such as consumer advocacy, advertising, and online privacy. One of their main goals is to encourage companies to follow the self-regulatory principles they set up and so avoid costly legislation, which can have a chilling effect on online business.

Researchers. Many academic and corporate researchers conduct studies that aim to improve consumer safety, find cures for diseases, and increase the yield and nutrition of food. Much of this research requires the use of personal information from many people. While there is enormous support for these types of research from a broad set of stakeholders, there is an expectation that the work will be done in a way that preserves the privacy of those providing the personal information. Those responsible for collecting and storing the information must ensure that proper privacy and security procedures are in place to minimize the risk of a data breach or improper use of the data.

Employees. Depending on their perspective, employees are concerned either about how the privacy of their own personal data within the company is protected, or about how they should be protecting the personal data for which they are responsible. For that reason, even internal websites should have a link to a privacy statement, so employees can be assured that their privacy expectations are being met.

4. Privacy vs Security

Hi guys. In this lesson, we’ll discuss privacy versus security. Though privacy and security are linked, they are by no means the same thing, and it is not necessary to give up one to have the other. To help ensure privacy, it is important to employ security mechanisms. Guards, locks, cameras, access controls, and encryption are types of security mechanisms that can be deployed to help ensure privacy. It is not just the perimeter that should be protected, but the data items themselves, such as individual rows or columns in a database.

Even with the strongest security measures possible, an employee who has legitimate access to data can mishandle it if he or she does not have a thorough understanding of the privacy policies that govern the processing of the data. Proper auditing can help provide after-the-fact detection of breaches, but that is not without its challenges. For these reasons, one cannot rely on security or privacy alone to protect data; they offer the best protection when used together. New advances in encryption have provided a means to protect sensitive data while maintaining its utility.

Homomorphic encryption, multiparty computation, and differential privacy are examples of technologies that limit access to the raw data but still allow analysis to be performed on it. Trusted third parties, such as credit reporting companies, can also be used to provide information on users without exposing unnecessary personal data. There will be cases where privacy practitioners are asked to give up privacy in order to ensure security, sometimes going against stated policies or contractual agreements. Instead of taking the path of least resistance and releasing sensitive data against company commitments, privacy-preserving solutions should be sought that support the desired analysis without relinquishing the sensitive data. Privacy and security share the goal of protecting personally identifiable information, or PII.

In that respect, they are very much alike. However, they take different approaches to achieving that goal. Privacy governs how PII should be used, shared, and retained. Security restricts access to the sensitive data and protects it from being viewed during collection, storage and transmission. In that way, they have a symbiotic relationship. Privacy policies can inform security systems about the protection the data needs, and the security system can in turn enforce those privacy policies. For example, one policy could state that only payroll administrators can view employee salaries, and database access controls could enforce that policy.

The eXtensible Access Control Markup Language, or XACML, is an example of a policy language that permits the definition of policies that can be programmatically enforced via security controls. Microsoft SQL Server’s policy-based management permits the definition of policies that can be programmatically enforced by the database. There is no silver bullet and no single fix to ensure both privacy and security. Rather, it takes continual education, awareness, and the application of appropriate controls in accordance with statutes, standards and policies. The essential challenge for privacy practitioners is to be steadfast in expressing how to preserve both privacy and security in an environment of escalating data collection and security threats, without negatively impacting business operations.
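To make the salary example concrete, here is an added example (not from the original lesson or from IAPP’s materials) of how a database can enforce the policy “only payroll administrators can view employee salaries” itself, using PostgreSQL column-level grants for the column restriction and row-level security for the per-row restriction mentioned earlier. The role names, the employee table and its columns, the sample rows, and the app.employee_id session setting are all assumptions chosen for illustration.

```sql
-- Added example, not from the original lesson: enforcing the policy
-- "only payroll administrators can view employee salaries" inside
-- PostgreSQL, so the database, not the application, refuses the query.
-- Roles, table and column names, sample rows, and the app.employee_id
-- session setting are assumptions chosen for illustration.

CREATE ROLE payroll_admin;
CREATE ROLE hr_staff;
CREATE ROLE line_manager;

CREATE TABLE employee (
    id         integer PRIMARY KEY,
    full_name  text NOT NULL,
    department text NOT NULL,
    manager_id integer,
    salary     numeric(12,2) NOT NULL
);

-- Start from deny: no role sees anything until it is explicitly granted.
REVOKE ALL ON employee FROM PUBLIC;

-- Column-level control: HR sees every column except salary.
GRANT SELECT (id, full_name, department, manager_id) ON employee TO hr_staff;

-- Payroll administrators may read every column and update the salary.
GRANT SELECT ON employee TO payroll_admin;
GRANT UPDATE (salary) ON employee TO payroll_admin;

-- Row-level control: a line manager reads only their own reports,
-- identified by a per-session setting the application sets after login.
GRANT SELECT (id, full_name, department, manager_id) ON employee TO line_manager;

ALTER TABLE employee ENABLE ROW LEVEL SECURITY;

-- Enabling RLS denies every row by default, so each role needs a policy.
CREATE POLICY payroll_all ON employee
    FOR ALL TO payroll_admin
    USING (true) WITH CHECK (true);

CREATE POLICY hr_read ON employee
    FOR SELECT TO hr_staff
    USING (true);

-- current_setting(..., true) returns NULL when the setting is absent, so a
-- session that never set app.employee_id sees no rows at all.
CREATE POLICY own_reports ON employee
    FOR SELECT TO line_manager
    USING (manager_id = current_setting('app.employee_id', true)::integer);

-- Constructed sample rows.
INSERT INTO employee VALUES
    (1, 'Ada',   'Engineering', NULL, 150000.00),
    (2, 'Grace', 'Engineering', 1,    120000.00),
    (3, 'Linus', 'Payroll',     1,     95000.00);

-- Checks. Run as the table owner, SET ROLE switches to the restricted role;
-- the comments show what the database returns.
SET ROLE hr_staff;
SELECT full_name, department FROM employee;  -- 3 rows, permitted
SELECT full_name, salary FROM employee;      -- ERROR: permission denied for table employee
RESET ROLE;

SET ROLE line_manager;
SET app.employee_id = '1';
SELECT full_name FROM employee;              -- only Grace and Linus (manager_id = 1)
RESET ROLE;

SET ROLE payroll_admin;
SELECT full_name, salary FROM employee;      -- all 3 rows, with salaries
RESET ROLE;
```

Two caveats a practitioner will want. First, these controls only bite if the application connects as, or switches to, the role of the actual user; an application that uses one privileged service account for every request has already collapsed the policy back to “whoever can reach the app sees everything”. Second, superusers, roles with BYPASSRLS and the table owner are not subject to row-level security unless FORCE ROW LEVEL SECURITY is set on the table, so the privacy policy must also say who is allowed to hold those roles and why.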

5. IT Governance vs Data Governance

Hi guys. In this lesson we’ll discuss IT governance versus data governance. IT governance focuses on the systems, applications and support personnel that manage data within a company. For the most part, IT governance is managed by the IT department. The key performance indicators, or IT controls, for IT governance should be based on access control, physical and technical security measures, encryption, software inventory, computer and network device configurations, database schemas, backups and retention management. Proper IT governance is the foundation for good data governance. It is through the proper application of IT policies such as access control, encryption and auditing that proper data handling can be enforced. IT governance can be achieved through business alignment, consistency and common frameworks such as COBIT 5.

Data governance focuses on the proper management of data within a company and is a shared responsibility for all teams across the company. IT governance is an important element in reaching data governance, but it is not all that is needed. Beyond the IT requirements are mandates for providing transparency to users and honoring commitments to manage data in accordance with published policies. The KPIs, or privacy controls, for data governance should be based on transparency of data practices, user control over their data, principles for data usage, sharing of data, retention, vendor contracts and customer contact. One way to view the difference between the two models is with a plumbing metaphor: IT governance is about governing the way the pipes are built, maintained and protected, while data governance is about governing how water flows through the pipes.
