CompTIA Security+: Data Security and Privacy Practices

The last chapter in this section is about data security and privacy practices.  It’s more legalese than you’d expect, but it also talks about setting things on fire.  So let’s get started.

This is a continuation of my blog post series on the CompTIA Security+ exam.

Security is a prerequisite for privacy.  Privacy is control over your data.  Data privacy in an organization is the prevention of unauthorized use of the data held by that organization.

Data Destruction and Media Sanitization

If you no longer need data, holding onto it doesn’t benefit your company, and only increases the risk of eventual exposure.  So, what do you do?  You destroy it.  This needs to happen before you lose physical control over the media, whether it’s printed pages, old or broken equipment, etc.

How might you destroy it?

If you want to reuse the device rather than destroy it, you can purge the data.  This erases the data permanently but leaves the media usable for new storage.  One way to purge is to wipe the data by overwriting the storage media with patterns of 1s and 0s, usually in multiple passes.  One caveat a practitioner should keep in mind: overwriting only works if each write lands on the same physical location as the old data.  That holds for magnetic disks, but SSDs remap writes (wear leveling) and some file systems keep old blocks around, so for those media use the drive’s built-in secure erase or cryptographic erase instead, and verify the result before the media leaves your control.
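The following is an added example, not code from the original post or from CompTIA, of what a multi-pass wipe and a read-back check look like.  It simulates the "media" with an ordinary file so it runs offline; the patient record and needles are constructed sample data, and the function names (wipe_file, residue, demo) are my own.  The caveat in the comments is the same one as above: on SSDs and copy-on-write file systems an in-place overwrite is not a reliable purge.

```python
import os
import secrets
import tempfile

# Added example (not from the original post). A regular file stands in for the
# storage device so the wipe runs offline. Caveat: in-place overwriting is only a
# real purge when each write hits the same physical location as the old data
# (magnetic disks). SSD wear leveling and copy-on-write file systems can leave the
# old blocks intact, so use the device's secure/crypto erase on those instead.

# Pass sequence: zeros, ones, random, then a final zero pass (like shred -z) so
# the media ends in a deterministic state that does not advertise the wipe.
PATTERNS = (b"\x00", b"\xff", None, b"\x00")   # None = random bytes
CHUNK = 64 * 1024


def wipe_file(path, passes=PATTERNS, chunk=CHUNK):
    """Overwrite every byte of `path` in place once per pattern.

    Each pass is flushed and fsync'ed so the data reaches the media rather
    than sitting in the page cache. Returns the number of passes written.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def residue(path, needles):
    """Read the media back and return which needles are still present.

    After a successful wipe this should be an empty list; this is the
    verification step that should precede releasing the media.
    """
    with open(path, "rb") as f:
        data = f.read()
    return [n for n in needles if n in data]


def all_zero(path):
    """True if every byte on the media is 0x00 (the state after the final pass)."""
    with open(path, "rb") as f:
        data = f.read()
    return data == b"\x00" * len(data)


def demo():
    """Write a constructed 'patient record', wipe it, and report the checks."""
    needles = [b"SSN: 123-45-6789", b"Dx: hypertension"]   # constructed sample PII
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"patient record\n" + b"\n".join(needles) + b"\n" * 4000)
        path = tmp.name
    before = residue(path, needles)        # PII is readable before the wipe
    passes = wipe_file(path)
    after = residue(path, needles)         # nothing should survive
    zeroed = all_zero(path)
    os.remove(path)
    return before, passes, after, zeroed


if __name__ == "__main__":
    print(demo())
```

The read-back in residue() is the part people skip; a wipe you have not verified is a wipe you are hoping happened.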

Data Sensitivity Labeling and Handling

Data should be labeled such that personnel know whether the data is sensitive, and understand how much protection/caution should be used.

US government classification levels include Confidential, Secret and Top Secret.  The business equivalents of these are as follows:

Data Roles

Multiple people in an organization contribute to data privacy controls.

Data Retention

This is the storage of data records.  Organizations must first determine which records require storage, and for how long.  Many factors go into this.  You might need data for billing, accounting, contracts, and warranties.  You might also need to keep data for a given length of time to comply with various laws.  If you work in the health field, it’s even more complicated.  Lastly, data might be subject to a legal hold, which suspends the normal retention schedule (including scheduled destruction) until the hold is lifted.

Many data security and privacy policies are driven by laws and regulatory compliance.  This is especially true in medicine, finance and banking.

In the medical field, HIPAA governs the privacy and security of protected health information (PHI), including patient records.

In banking, the Fair Credit Reporting Act (FCRA) and the Federal Trade Commission’s Disposal Rule issued under it govern how consumer credit information is handled and disposed of.  The Disposal Rule applies to anyone who uses consumer reports (businesses, individuals, debt collectors, etc.).

In finance, the Gramm-Leach-Bliley Act (GLBA), through its Privacy of Consumer Financial Information Rule and its Safeguards Rule, requires financial institutions to protect their customers’ PII.

Within the federal government, the US Privacy Act of 1974 regulates federal agency records containing PII.  Finally, the Freedom of Information Act (FOIA) allows anyone to request access to federal agency records, subject to a set of enumerated exemptions.