discussion

profilequake
013255271X_ppt_09.pptx

Confidentiality and Privacy Controls

Chapter 9

9-1

Copyright © 2015 Pearson Education, Inc.

Copyright © 2015 Pearson Education, Inc.

Protecting Confidentiality and Privacy of Sensitive Information

Identify and classify information to protect

Where is it located and who has access?

Classify value of information to organization

Encryption

Protect information in transit and in storage

Access controls

Controlling outgoing information (confidentiality)

Digital watermarks (confidentiality)

Data masking (privacy)

Training

9-2

Copyright © 2015 Pearson Education, Inc.

Recall that in Chapter 7 the trust services framework was introduced and confidentiality versus privacy was first introduced? This chapter focuses on controls related specifically to preserving confidentiality and privacy.

Confidentiality relates to organizational intellectual property which includes strategic plans, trade secrets, cost information, legal documents, and so on.

Privacy focuses on protecting personal information on customers, vendors, employees, and business partners (it does not apply to organizational data, that is confidentiality).

2

Generally Accepted Privacy Principles

Management

Procedures and policies with assigned responsibility and accountability

Notice

Provide notice of privacy policies and practices prior to collecting data

Choice and consent

Opt-in versus opt-out approaches

Collection

Only collect needed information

Use and retention

Use information only for stated business purpose

Access

Customer should be able to review, correct, or delete information collected on them

Disclosure to third parties

Security

Protect from loss or unauthorized access

Quality

Monitoring and enforcement

Procedures in responding to complaints

Compliance

9-3

Copyright © 2015 Pearson Education, Inc.

Generally Accepted Privacy Principles (GAPP) are 10 best practices recommended for protecting privacy of customer’s personal information.

3

Encryption

Preventative control

Factors that influence encryption strength:

Key length (longer = stronger)

Algorithm

Management policies

Stored securely

9-5

Copyright © 2015 Pearson Education, Inc.

Encryption Steps

Takes plain text and with an encryption key and algorithm, converts to unreadable ciphertext (sender of message)

To read ciphertext, encryption key reverses process to make information readable (receiver of message)

9-5

Copyright © 2015 Pearson Education, Inc.

5

Types of Encryption

Symmetric

Asymmetric

Uses one key to encrypt and decrypt

Both parties need to know the key

Need to securely communicate the shared key

Cannot share key with multiple parties, they get their own (different) key from the organization

Uses two keys

Public—everyone has access

Private—used to decrypt (only known by you)

Public key can be used by all your trading partners

Can create digital signatures

9-6

Copyright © 2015 Pearson Education, Inc.

The text refers to examples of symmetric and asymmetric encryption algorithms:

Examples of symmetric encryption are DES (data encryption standard) which was superseded by AES (advanced encryption standard).

Examples of asymmetric encryption are RSA (Rivest-Shamir-Adleman) and PGP (Pretty Good Privacy).

A good example for understanding asymmetric encryption is this:

I want to buy a book online, this purchase information with my credit card uses the online bookstore’s public key to encrypt the information. Only the online bookstore can decrypt this information using their private key which is known to them. That way, I can feel safe when purchasing online with the bookstore.

Now that we understand encryption better and that information is encrypted in transit, why is it that hackers can get credit card data?

It’s usually due to the fact that the private encryption key is stolen because it is not secured properly. Many times the private key is stored on the same server as the data itself, so when hackers gain access to the server, they are able to decrypt the data!

6

Virtual Private Network

Securely transmits encrypted data between sender and receiver

Sender and receiver have the appropriate encryption and decryption keys.

9-7

Copyright © 2015 Pearson Education, Inc.