The last chapter in this section is about data security and privacy practices. It’s more legalese than you’d expect, but it also talks about setting things on fire. So let’s get started.
This is a continuation of my blog post series on the CompTIA Security+ exam.
Security is prerequisite for privacy. Privacy is control over your data. Data privacy in an organization is the prevention of unauthorized use of data held by that organization.
Data Destruction and Media Sanitization
If you no longer need data, holding onto it doesn’t benefit your company, and only increases risk of eventual exposure. So, what do you do? You destroy it. This needs to happen before you lose physical control over the media, whether it’s printed pages, old or broken equipment, etc.
How might you destroy it?
- You could burn the data (or rather, the media that it is stored on).
- Shredding, which is destruction by tearing it into many small pieces (and maybe mixing those pieces)
- Pulping, which is when you shred paper and recombine it into new paper (crafty!)
- Pulverizing, which is essentially smashing something until it’s unusable. The book also offers the idea of digital pulverization: encrypt data, and then throw away the key.
- Destroy files by degaussing them (using magnets).
If you don’t want to destroy the device, but instead use it for later, you can purge the data. This erases the data permanently, but leaves the device open for new storage. You can also wipe the data by rewriting the storage media with patterns of 1s and 0s multiple times.
Data Sensitivity Labeling and Handling
Data should be labeled such that personnel know whether the data is sensitive, and understand how much protection/caution should be used.
US government levels include Confidential, Secret and Top Secret. The business equivalent of these are as follows:
- Confidential data would potentially cause serious harm to an organization if disclosed.
- Private data would potentially cause harm or disruption to an organization if disclosed.
- Public data is data already seen by the public, so no extra protection is needed with respect to confidentiality.
- Proprietary data is restricted because it contains business secrets.
- PII is personally identifiable information. This is a set of data that can lead to the specific identity of a person. If it’s no longer needed, it should be destroyed.
- Protected Health Information (PHI) is a HIPAA term. HIPAA is a set of rules about how health care providers should handle all physical and mental health information of an individual.
Multiple people in an organization contribute to data privacy controls.
- The data owner is responsible for determining what data is needed by an organization.
- A data custodian is responsible for day-to-day care of the data and must follow relevant policies.
- The privacy officer is a C-suite executive who is responsible for establishing and enforcing data privacy policies. They must also find the gap between the policies and reality, and work to bridge the gap. Determining this gap is known as a privacy impact assessment.
This is the storage of data records. Organizations must first determine what records require storage, and how long they should be stored. There are many factors that go into this. You might need data for billing, accounting, contracts, and warranties. You might also need to store data for a given length of time to comply with various laws. If you work in the health field, it’s even more complicated. Lastly, data might be subject to legal hold.
Legal and Compliance
Many data security and privacy policies are guided by laws and regulatory compliance. This is especially true in the fields of medical, finance and banking.
In the medical field, HIPAA covers privacy of patient records.
In banking, the Fair Credit Reporting Act and its Disposal Rule states how to handle consumer information with respect to credit. The federal Trade Commission’s Disposal Rule applies to entities using consumer reporting information (businesses, individuals, debt collectors, etc.)
In finance, the Gramm-Leach-Bliley Act and its Safeguards Rule of Consumer Financial Information Rule cover PII protections.
Within the federal government, the US Privacy Act of 1974 regulates federal records containing PII. Finally, the Freedom of Information Act (FOIA) allows people to gain access to federal government documents (outside of a few enumerated restrictions).