Data Types
Categorizing or classifying data based on its inherent characteristics, structure, and intended use
Regulated Data
Sensitive information that must be stored and handled in specific ways because of government laws or industry rules
Trade Secret
Valuable, confidential information that gives a business a competitive advantage
Intellectual Property
A type of legal protection for ideas, creations, and inventions that come from a person’s or business’s mind or creativity.
Legal Data
Documents and records that relate to matters of law
Financial Data
Information about money and financial activities
Data Classification
Sorting information into groups based on how private or sensitive it is
Public Data Classification
There are no restrictions on viewing the data
Confidential Data Classification
Private but manageable information that needs controlled access.
Secret Data Classification
Information that, if revealed, could cause serious harm to national security, so it must be strictly protected.
Top Secret Data Classification
The highest classification level for information that, if leaked, could cause exceptionally grave harm to national security.
Private Data Classification
Information that relates to an individual’s identity and must be protected from unauthorized access to ensure their privacy and safety.
Data Sovereignty
Data is subject to the laws and regulations of the country where it is physically stored.
Geographical Considerations
Organizations must ensure data remains within a designated boundary
Access controls to validate a user’s geographic location
General Data Protection Regulation (GDPR) in the European Union
A strict EU privacy law that gives people control over their personal data and forces companies to protect it responsibly.
Data Controller
The organization or person that decides why and how personal data is collected and used.
Data Processor
Someone who uses or stores data for someone else, without making decisions about it
Data Subject
The person whose personal data is being collected, stored, or used
Right to be Forgotten
A key principle in GDPR that gives people the right to ask for their personal data to be deleted, under certain conditions
Data Inventories
List of classified data or information stored or processed by a system.
Data Retention
Organizations must keep personal data only as long as it's needed to fulfill its original purpose or as required by law, and then safely delete or archive it
Data Breach
When information is read, modified, or deleted without authorization
Organization Consequences of Data Breaches
Reputation Damage
Identity Theft
Fines
Intellectual Property (IP) Theft
Breach Notification
How a company alerts people and authorities that their data may have been compromised
Security Compliance
An organization's adherence to applicable security standards, regulations, policies, and best practices
Legal & Regulatory Noncompliance
When an organization fails to follow laws, regulations, or required standards that apply to its business or data practices.
Software Licensing Noncompliance
When an organization uses software in ways that break the terms of its license agreement
Contractual Noncompliance
When a person or organization fails to follow the terms and conditions of a signed contract
Data Protection
Data requires different protection methods for each state
Data at Rest
Data that is being stored somewhere
Data in Transit
Data that is actively moving between locations
Data in Use
Data being actively processed or accessed.
Data Loss Prevention (DLP)
Tools and strategies used to stop sensitive data from being leaked, lost, or stolen
Conduct Policies
Rules that explain how employees are expected to behave in the workplace, helping ensure a safe, respectful, and ethical environment
Acceptable Use Policy (AUP)
A policy that controls how employees (or customers) can use company equipment, internet access, and other IT resources
Code of Conduct
A set of rules of behavior that defines the expected professional standards for individuals within an organization
Social Media Use and Analysis
Refers to how people or organizations interact on social platforms and how they study that activity to understand trends, behaviors, or opinions.
Use of Personally Owned Devices in the Workplace
A set of rules that explains how employees can use their personal phones, laptops, or tablets for work, while protecting the company’s data and systems
Clean Desk Policy
Mandates employee work areas be free from potentially sensitive information