
Protecting Privacy Transcription

Welcome to our information security compliance fundamentals module on protecting privacy. It is very important that you protect the privacy of your employees, your customers, and anyone else you interact with. It's important to protect individual privacy rights and civil liberties, and governmental agencies should incorporate privacy protection into their information security planning.

Because there is such a high risk of data being stolen, and because people's personally identifiable information is so valuable, we should put better controls in place to protect that data. The Fair Information Practice Principles, or FIPPs, provide an open framework to define privacy principles, offer standards for privacy to better protect individual employees and customers, attempt to avoid over-collecting or over-retaining data, and also discuss privacy implications as part of general cybersecurity.

There are many laws and regulations in place which require us to protect our employees' and customers' personally identifiable information, or PII. Businesses can be held responsible for data loss or misuse, and may be required to pay damages or provide credit monitoring services if they lose PII.

Obviously, laws differ from country to country, so you should be familiar with the laws you are required to comply with. It's important to keep good records to prove compliance and governance in case of an incident. Most of the time, individual users give away their privacy rights when using different websites and applications, often without even realizing that they are doing so. It's important to protect PII from disclosure to any unauthorized individuals or entities, and we must respect individuals' privacy. For example, if we are going to monitor our employees' computer activity, we should have written agreements in place, such as an acceptable use policy or AUP, to notify the employee that they do not have an expectation of privacy when using our systems.

We should also have confidentiality agreements in place to protect our company secrets and ensure that our employees are not taking them or using them inappropriately. Personally identifiable information, or PII, is any information about an individual that is maintained by a company, including information that can be used to distinguish or trace their identity, or any information that is linked to them.

So when we talk about distinguishing an individual, that could be identity information such as their phone number, their birthday, their Social Security number, or their name. When we talk about tracing them, we are referring to gathering enough information to determine their activities or their status. And when we talk about linking, we are referring to taking information and logically associating it with an individual. Some examples of PII are your name, your Social Security number, your IP address, your vehicle's license plate number, your street address, or your email address. It's very important that you are familiar with what PII is for the CISSP examination, and that you also know why it is important to protect people's PII.

United States citizens are used to having a reasonable expectation of privacy, provided by the Fourth Amendment. The Fourth Amendment provides that the people should be secure in their persons, houses, papers and effects from unreasonable searches and seizures by government agents. You should be familiar with the Fourth Amendment for the CISSP examination.

Electronic surveillance makes it easy to violate an individual's privacy, and it appears to be less intrusive because we are not, for example, entering the employee's home. It is important to make sure that your employees have a proper expectation of privacy in the workplace. If you are collecting data on your employees, they should have signed off on an acceptable use policy prior to accessing your systems.

And you should have a reminder, such as a login banner, to notify them that they have no right to privacy on the system, and that the business owns the system and any data contained on it or processed using it. Your business should also have an expectation of privacy.

You should have your employees sign non-disclosure agreements, or NDAs, to protect your trade secrets, customer data, and any other important information that employees should not take off the premises or use inappropriately. There are several United States and international laws that protect individual privacy rights and can make it a crime to violate an individual's privacy.

So you should make sure that you are complying with the laws that may affect your business in your area. An individual's privacy could be described as a state of being free from unsanctioned intrusion. There are several identity theft laws and privacy laws that vary depending on your jurisdiction.

You should be familiar with the Federal Privacy Act of 1974 for the CISSP exam. This was the first time a law was created for privacy involving electronics, and it prohibits phone taps and opening other people's mail. It was designed to protect citizens from Big Brother watching. There are certain exceptions, such as the census, or legal needs such as search warrants or court orders, which can override privacy in certain situations.

The United States Electronic Communications Privacy Act of 1986, or ECPA, makes it a crime to invade someone's email, cell phone, or voice mail. Canada also has a law in this area, known as the Personal Information Protection and Electronic Documents Act, which provides rules for how organizations can collect, use, and disclose personal information belonging to their customers in the course of their business activities.

Another law you should be familiar with for the CISSP exam is FERPA, the United States Family Educational Rights and Privacy Act. This is a federal law which protects an individual student's educational records. One of the most popular privacy frameworks is provided by the OECD, or the Organization for Economic Development.

Their practices require limiting the data that is collected, and require that data be relevant, up to date, and accurate. There must be purposes specified at the time of collecting data: you must notify the user of how their data will be used before you collect it.

They require limitations on how data may be used or disclosed. They require security safeguards to ensure the confidentiality, integrity and availability of the data collected, so that it is not lost, modified, or disclosed to unauthorized individuals. They also require participation rights, where an individual has the right to select what data is collected about them, and the ability to request data related to themselves without excessive charge and within a reasonable amount of time.

These standards also require that a data controller be assigned and made accountable for complying with the security principles. In the United States, we have the Health Insurance Portability and Accountability Act, or HIPAA, which provides steep penalties for non-compliance. It requires that hospitals and other healthcare organizations provide appropriate safeguards to protect the confidentiality, integrity and availability of EPHI, or Electronic Protected Health Information, and any patient transactions from unauthorized disclosure.

It requires that medical organizations such as doctors, hospitals, and insurance companies do not share any patient information unless they have the informed, written consent of the patient. Typically, HIPAA compliance is measured using gap analysis, and HIPAA also has a transaction rule which provides a standardized format to exchange electronic data between authorized parties.

You should be familiar with HIPAA for the CISSP examination. In the United States we also have a privacy law which relates to banks and savings and loan organizations: the Gramm-Leach-Bliley Act, or GLB. This act is also known as the Financial Services Modification Act of 1999.

It governs the collection, disclosure, and protection of individual consumers' non-public personally identifiable information by banks. This law specifically applies to banks, and you should be familiar with it for the CISSP examination. The law requires that banks provide a privacy notice to each consumer, and that they have a risk management process in place for their different departments.

Compliance with this law is mandatory in the United States, whether or not the financial institution intends to disclose the non-public information. This law also makes it illegal to use pretexting as a means of stealing personally identifiable information. Pretexting is a social engineering attack in which an individual lies about their need to collect personally identifiable information.

This concludes our information security compliance fundamentals module. Thank you for watching.
