Data Governance
Overall management of the availability, usability, and security of the information used in an organization
Data Loss Prevention (DLP)
Software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks
data is accessible only to appropriate people and systems
loss of data is due to corruption, exfiltration, data breaches, or misuse
loss of data can be accidental or intentional
Private Data
Any personal, personally identifiable, financial, sensitive, or regulated information
including credit or debit card information, bank account information, or usernames and passwords
Confidential Data
Data that is material to the operations of a business or government organization, which cannot be learned outside of that business or government organization
data that is restricted from general knowledge or access and is considered secret data
Bring Your Own Device (BYOD)
Practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes
Data At Rest
Information that is primarily stored on specific media, rather than moving from one medium to another
data that is neither being actively used nor being transferred
data that is stored on physical storage media, on a device, or in a cloud service
easiest state of data to secure
most common target for hackers
Data In Transit
Information that is being transmitted between two hosts, such as over a private network or the internet
also known as data in motion
On-Path Attacks
An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic
also known as a man-in-the-middle attack
Data Leakage
Unauthorized transfer of data from inside an organization to a destination outside its secured boundary
can refer to electronic data or physical data
Data Exfiltration
Process by which an attacker takes data that is stored inside of a private network and moves it to an external network
unauthorized data theft falls under this
Identifying the location and type of data, and classifying what data is considered private data
What is the first step that must be taken in order to determine how to properly detect data?
Data At Rest and Data In Transit
What are the two states of data that must be considered when determining how to protect data?
Data in Transit
Data in which state is vulnerable to an on-path attack?
Modern networks consist of endpoint devices that are often outside of the boundaries of perimeter security. Devices such as smartphones, tablets, and equipment with network-enabled sensors all become endpoints that might be outside the traditional network perimeter
Why are traditional perimeter security measures no longer sufficient for protecting network endpoints?
Employees
What is often the biggest threat to data security?
Data Retention
Process an organization uses to maintain the existence of and control over certain data in order to comply with business practices and/or applicable laws and regulations
Retention Policy
Policy that dictates for how long information needs to be kept available on backup and archive systems, and how it must be disposed of
may be subject to legislative requirements
How to destroy or properly dispose of data when it is no longer necessary
What does the data destruction part of the data retention policy specify?
Changes to regulations or laws may require data to be treated differently, and changes will be necessary to the policies to reflect these required changes
Why should a data retention policy be reviewed periodically?
How long inactive data must be kept before being destroyed or disposed of
What does the retention period dictate?
False; a data retention policy applies to all private data, whether it is digitally stored or physically stored in the form of printed reports, forms, and emails
True or False: A data retention policy only applies to digital data
Heavy fines can be imposed on the violating company and individuals may be fired
What are the ramifications of violating a data retention policy?
Personally Identifiable Information (PII)
Data that can be used to identify or contact an individual (or, in the case of identity theft, impersonate them)
Personal Health Information (PHI)
Data that can be used to identify an individual and includes information about past, present, or future health as well as related payments and data used in the operation of a healthcare business
Health Insurance Portability and Accountability Act (HIPAA)
U.S. federal law that protects the storage, reading, modification, and transmission of personal healthcare data
Payment Card Industry Data Security Standard (PCI DSS)
Information security standard for organizations that process credit or bank card payments
Primary Account Number
14-, 15-, 16-, or even up to 19-digit number generated as a unique identifier designated for a primary account
also called payment card numbers, as they are found on payment cards like credit and debit cards
Classification of the data
What is one of the major variables that affect whether data needs to be protected and how it must be protected?
Confidential Data
Data that is not generally known and should be considered secret is generally categorized as what?
HIPAA
What is the primary law that oversees the use of, access to, and disclosure of PHI in the United States?
PCI DSS
What regulation defines how credit and debit card data must be stored, transmitted, and destroyed?
Personally Identifiable Information (PII)
What is data that can be used to identify a unique individual?
Data Sovereignty
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction
Jurisdiction
Official power to make legal decisions and judgements
General Data Protection Regulation (GDPR)
Regulation in EU law that imposes data privacy obligations on organizations anywhere, so long as they target or collect data related to people in the EU
False; companies outside the region where the regulation is defined might be affected by the regulation if that company does business with individuals in the region
True or False: Regulations only affect companies located in the regions in which the regulations are defined
Many organizations do business on the Internet, which means they can reach customers all across the globe and thus may be affected by one or more regulations that exist in the regions those customers reside in
Why do many organizations find identifying the privacy laws that affect their business challenging?
Many of the world’s countries (>70%) are putting legislation in place to address data privacy and protection
How do we know that the importance of privacy and data protection is increasingly being recognized by local, regional, and global organizations and governments?
Data Use Agreement
Agreement between two parties about the exchange of data that specifies what data will be shared and how that data can be used
Nondisclosure Agreement (NDA)
Agreement that defines the conditions under which an entity cannot disclose information to outside parties
Acceptable Use Agreement
Agreement that describes not only how data can be used, but also for what purpose
Memorandum of Understanding (MOU)
Acceptable Use Agreement that establishes the rules of engagement between two parties and defines roles and expectations
Nondisclosure Agreement (NDA)
What type of agreement exists between an organization and another party that requires both parties to avoid disclosing information to any other party?
Data Use Agreement
What type of agreement exists between two parties that specifies what data will be exchanged and how that data can be used?
Memorandum of Understanding (MOU)
What type of nonbinding agreement establishes the rules of engagement between two parties, defining roles and expectations?
False; not everyone has the same access to information, and in many cases, release approvals are required before any information can be released outside the team
True or False: It’s a best practice to share your insights with everyone as you discover them