Data Privacy

5.8 Given a scenario, carry out data security and privacy practices

Labelling of data

Classification

Responsibility

Data Security and Privacy

  • Data Sensitivity labelling and Handling

    • Data / information classified according to its value and level of sensitivity

    • The appropriate level of security can be applied

    • Process should be

      • Easy to apply

      • Consistent

      • Visible

    • Data Sensitivity Classifications

      • Public / unclassified - no harm if disclosed

      • Confidential - Limited harm if disclosed

      • Secret - Grave harm if disclosed

      • Proprietary - Information regarding people

    • Sensitive Data Types - Legal

      • PII - Personally Identifiable Information

        • Data that identifies or is traceable to a specific individual

        • Name, Social Security Number, Biometric, Address

        • see NIST SP800-122

      • PHI - Protected (or personal) Health Information

        • HIPAA: any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" that can be linked to a specific individual.

  • Data Roles

    • Data Owner

    • Data Custodian

    • Privacy Officer

  • Data retention

    • US Federal Rules of Civil Procedure (FRCP)

    • Keep information for only as long as you need it and no longer

    • Set in a Data Protection Policy

  • Legal and Compliance

  • Data Disposal, Destruction, and Media Sanitization

    • Properly disposing of data and associated hardware

    • Trusting third parties for destruction

    • Observe destruction process

    • Transportation to destruction facility

    • Use of media after destruction

    • Best practice is to combine methods

      • Burning - Use of heat or fire. Not environmentally friendly.

      • Shredding - Reduces the size of objects with the intent of making them no longer usable. Items may still be re-assembled.

      • Pulping - Reduces paper to a liquid slurry. Can then be safely recycled.

      • Pulverizing - Using hydraulic or pneumatic action to reduce the materials to loose fibres and shards. Disadvantage: high cost.

      • Degaussing - Using a large magnet to remove data from magnetic storage media such as hard drives and magnetic tapes.

      • Purging - Removing files and all traces of data. Sanitization.

      • Wiping - Overwriting data. Data is replaced (often with random 0s and 1s) and then removed.
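
The wiping step described above (overwrite, then remove), as an added example that is not part of the original notes. The function names `overwrite_file` and `wipe_file`, the pass count and the sample record are assumptions made for illustration.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in chunks so large files need not fit in memory


def overwrite_file(path, passes=1):
    """Replace every byte of `path` with random data, in place.

    Returns the file size, which each pass leaves unchanged.
    """
    size = os.path.getsize(path)
    # "r+b" rewrites the existing contents; "wb" would truncate and may
    # leave the old blocks untouched on disk.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    return size


def wipe_file(path, passes=1):
    """Wiping as defined in the notes: overwrite the data, then remove it."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


if __name__ == "__main__":
    # Constructed sample record, not real data.
    fd, sample = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"name=Jane Doe;ssn=000-00-0000\n" * 100)
    print("bytes overwritten per pass:", wipe_file(sample, passes=2))
    print("file still exists:", os.path.exists(sample))
```

On SSDs with wear levelling and on journaling or copy-on-write filesystems, an in-place overwrite may not reach every stored copy, which is one reason to combine wiping with another method from the list.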
