discussion
Confidentiality and Privacy Controls
Chapter 9
9-1
Copyright © 2015 Pearson Education, Inc.
Copyright © 2015 Pearson Education, Inc.
Protecting Confidentiality and Privacy of Sensitive Information
Identify and classify information to protect
Where is it located and who has access?
Classify value of information to organization
Encryption
Protect information in transit and in storage
Access controls
Controlling outgoing information (confidentiality)
Digital watermarks (confidentiality)
Data masking (privacy)
Training
9-2
Copyright © 2015 Pearson Education, Inc.
Recall that in Chapter 7 the trust services framework was introduced and confidentiality versus privacy was first introduced? This chapter focuses on controls related specifically to preserving confidentiality and privacy.
Confidentiality relates to organizational intellectual property which includes strategic plans, trade secrets, cost information, legal documents, and so on.
Privacy focuses on protecting personal information on customers, vendors, employees, and business partners (it does not apply to organizational data, that is confidentiality).
2
Generally Accepted Privacy Principles
Management
Procedures and policies with assigned responsibility and accountability
Notice
Provide notice of privacy policies and practices prior to collecting data
Choice and consent
Opt-in versus opt-out approaches
Collection
Only collect needed information
Use and retention
Use information only for stated business purpose
Access
Customer should be able to review, correct, or delete information collected on them
Disclosure to third parties
Security
Protect from loss or unauthorized access
Quality
Monitoring and enforcement
Procedures in responding to complaints
Compliance
9-3
Copyright © 2015 Pearson Education, Inc.
Generally Accepted Privacy Principles (GAPP) are 10 best practices recommended for protecting privacy of customer’s personal information.
3
Encryption
Preventative control
Factors that influence encryption strength:
Key length (longer = stronger)
Algorithm
Management policies
Stored securely
9-5
Copyright © 2015 Pearson Education, Inc.
Encryption Steps
Takes plain text and with an encryption key and algorithm, converts to unreadable ciphertext (sender of message)
To read ciphertext, encryption key reverses process to make information readable (receiver of message)
9-5
Copyright © 2015 Pearson Education, Inc.
5
Types of Encryption
Symmetric
Asymmetric
Uses one key to encrypt and decrypt
Both parties need to know the key
Need to securely communicate the shared key
Cannot share key with multiple parties, they get their own (different) key from the organization
Uses two keys
Public—everyone has access
Private—used to decrypt (only known by you)
Public key can be used by all your trading partners
Can create digital signatures
9-6
Copyright © 2015 Pearson Education, Inc.
The text refers to examples of symmetric and asymmetric encryption algorithms:
Examples of symmetric encryption are DES (data encryption standard) which was superseded by AES (advanced encryption standard).
Examples of asymmetric encryption are RSA (Rivest-Shamir-Adleman) and PGP (Pretty Good Privacy).
A good example for understanding asymmetric encryption is this:
I want to buy a book online, this purchase information with my credit card uses the online bookstore’s public key to encrypt the information. Only the online bookstore can decrypt this information using their private key which is known to them. That way, I can feel safe when purchasing online with the bookstore.
Now that we understand encryption better and that information is encrypted in transit, why is it that hackers can get credit card data?
It’s usually due to the fact that the private encryption key is stolen because it is not secured properly. Many times the private key is stored on the same server as the data itself, so when hackers gain access to the server, they are able to decrypt the data!
6
Virtual Private Network
Securely transmits encrypted data between sender and receiver
Sender and receiver have the appropriate encryption and decryption keys.
9-7
Copyright © 2015 Pearson Education, Inc.