Pass your certification exam. Faster. Guaranteed.

Join the 40,000+ candidates in over 58 countries that have found a faster, better way to pass their certification exam.

BASIC

Comprehensive practice exam engine!

  • Unlimited access to thousands of practice questions
  • Exam readiness score
  • Smart reinforcement

PRO

All features in the FREE plan, plus:

  • Focused training ensures 100% exam readiness
  • Personalized learning plan
  • Align exam engine to your current baseline knowledge
  • Eliminate wasted study time
  • Exam pass guarantee
  • And much more

Protecting Privacy Transcription

Welcome to our information security compliance fundamentals module on protecting privacy. It is very important that you protect the privacy of your employees, your customers, and anyone else that you interact with. It's important to protect individual privacy rights and civil liberties. Governmental agencies should incorporate privacy protection into their information security planning.

And we must understand that since there is such a high risk of data being stolen, and people's personally identifiable information is so valuable we should put better controls in place to protect that data. Fair information practice principles, or FIPPS, provides an open framework to define privacy principles, offers standards for privacy to provide better protection for our individual employees and customers, attempts to avoid over-collecting data or over-retaining data and also discusses privacy implications as part of general cybersecurity.

There are many laws and regulations that are in place which require us to make sure that we protect our employees' and customers' personally identifiable information or PII. Businesses can be held responsible for data loss or misuse and may be required to pay damages or provide credit monitoring services if they do lose PII.

Obviously laws will be different in different countries, so you should be familiar with the laws you are required to comply with. It's important to make sure that you're keeping good records to prove compliance and governance in case of an incident. Most of the times individual users will give away their privacy rights when using different websites and applications.

A lot of times, without even realizing that they are doing this. It's important to protect the PII from disclosure to any unauthorized individuals or entities and, we must respect individual's privacies. For example, our employees If we gonna monitor their computer activity we should have written agreements in place such as an acceptable use policy or A.U.P to notify the employee that they do not have an expectation of privacy when using our system.

We should also have confidentiality agreements in place to protect any of our company secrets and ensure that our employees are not taking them or using them inappropriately. Personally identifiable information or PII Is any information about an individual that's maintained by a company, including information that can be used to distinguish or trace their identity, or any information that is linked to them.

So when we talk about distinguishing them, that could be their identity information, such as their phone number, their birthday, their social security number, or their name. When we talk about tracing them, we're referring to gathering enough information to determine their activities or the status. And we talk about linking, we're referring to taking information and logically associating it with an individual. Some example of PII could be your name, your Social Security number, IP address, your vehicle's license plate number, your street address or email address. And it's very important that you are familiar with what PII is for the CISSP examination and also know why it is important to protect people's PII.

Untied States citizens are used to having a reasonable expectation of privacy provided by the Fourth Amendment. The Fourth Amendment provides that the people should be secure in their persons, houses, papers and effects from unreasonable searches and seizures by government agents. You should be familiar with the fourth amendment for the CISSP examination.

Electronic surveillance does make it easy to violate an individual's privacy. And it appears to be less intrusive because we're not entering the employee's home for example. It is important to make sure that your employees have a proper expectation of privacy in the workplace. If you are collecting data on your employees Your employees should have signed off on an acceptable use policy, prior to accessing your systems.

And you should have a reminder, like a login banner, to notify them that they don't have any right to privacy on the system, and that the business owns the system and any data that's contained on the system, or processed using the system. Your business should also have an expectation of privacy.

You should have your employees sign non disclosure agreements, or NDAs to protect your trade secrets, customer data, and any other important information that your employees should not take off of the premises, or use inappropriately. There are several United States and international laws to protect individual privacy rights, and can make it a crime to violate an individuals privacy.

So you should make sure that you are complying with these laws that may affect your business in your area. An individuals privacy could be described as a state of being free from unsanctioned intrusion. There are several identity theft laws and privacy laws that may vary depending on your jurisdiction.

You should be familiar with the Federal Privacy Act of 1974 for the CISSP exam. This was the first time a law was created for privacy involving electronics and prohibits phone taps and opening other people's mail. It was designed to protect citizens from big brother watching. And there are certain exceptions, such as census, or legal needs, such as search warrants or court orders which can break privacy in certain situations.

The United States Electronic Communications Privacy Act of 1986, or ECPA makes it a crime to invade someone's email, cellphone, or voice mail. Canada also has a law in this area known as the Personal Information Protection and Electronic Documents Act. And this provides rules for how organizations can collect data how they can use and disclose personal information belonging to their customers in the course of their business activities.

Another law you should be familiar with for the CISSP exam is FERPA, or the United States Family Educational Rights and Privacy Act. This is a Federal law which protects an individual students educational records. One of the most popular privacy framework is provided by the OECD or the Organization for Economic Development.

Their practices require the limitation of the data that's collected, require that data should be relevant and up to date as well as accurate. That there must be purposes specified at the time of collecting data. You must notify the user of how their data will be used before you collect it.

It requires limitations on how data should be used or disclosed. It requires security safeguards to ensure the confidentiality, integrity and availability of data collected, so that it is not lost, modified or disclosed to unauthorized individuals. It also requires participation rights, where an individual has the right to select what data is collected about them, and the ability of the user to request data related to themself without any excessive charge, and within a reasonable amount of time.

These standards also require that a data controller is assigned, and is made accountable for complying with the security principles. In the United States, we have the Health Insurance Portability and Accountability Act or HIPAA which provides steep penalties for non-compliance. It requires that hospitals and other healthcare organizations provide appropriate safeguards to protect the confidentiality, integrity and availability of EPHI or Electronic Protected Health Information and any patient transactions from any unauthorized disclosure.

It requires that medical organizations like doctors, hospitals, and insurance companies do not share any patient information unless they have the informed and written consent of the patient. Typically HIPAA compliance is measured using gap analysis, and HIPAA also has a transaction rule which provides a standardized format to exchange electronic data between authorized parties.

You should be familiar with HIPAA for the CISSP examination. In the United States we also have a privacy law which relates to banks and savings and loan organizations and this is the Gram Leach Bliley Act or GLB. This act is also known as the Financial Services Modification Act of 1999.

And it governs the collection and the disclosure and the protection of individual consumer's non- public, personally identifiable information by banks. This law specifically applies to banks and you should be familiar with that for the CISSP examination. The law requires that banks provide a privacy notice to each consumer, requires that they have a risk management process in place for their different departments.

And compliance with this law is mandatory in the United States, whether or not the financial institution intends to disclose the non public information. This law also makes it illegal to use pre texting as a form of stealing personally identifiable information. This is a social engineering attack where an individual lies about their need to collect personally identifiable information.

This concludes our information security compliance fundamentals module. Thank you for watching.

Included in all plans.

1000's of practice test questions

Classified by skill and ranked by difficulty. Choose to answer questions in STUDY MODE to review and you go.

Exam Readiness Score

Know when you’re ready for the high-stakes exam. Have the confidence that you will pass on your first attempt.

Smart Reinforcement

Don’t forget what you’ve just studied! Use the intelligent reinforcement questions to stay fresh.

THANK YOU! Just bloody thank you! I’m doing the CEH minor at my college and well...I’ve learned more from this site in a few hours than I’ve learned from my school in 9 weeks about the subject. Keep up the good work!

PRO Membership Benefits.

Personalized Learning Plan

Skillset’s Exam Engine continuously assesses your knowledge and determines when you are ready take and pass your exam. When Skillset learns that there is a gap between your knowledge and what you need to know to pass, we present you with a focused training module that gets you up to speed quickly. No fluff! Find your knowledge gaps and fill them.

Exam Pass Guarantee

Skillset is confident that we can help anyone pass their exam. If you reach 100% readiness, and you do not pass your exam, we will refund you plus pay for a replacement exam voucher. That’s how powerful our learning system is, we can offer this guarantee and stand behind our products with this no risk to you guarantee. See terms and conditions.

Eliminate Wasted Study Time

Don’t waste time studying concepts you have already mastered. Focus on what you need to know to pass. The Skillset Competency Diagnostic aligns our Exam Engine and Learning Plan to your baseline knowledge. This saves an average of 31% of the time required to prep for a professional certification exam.

Coming Soon - Simulated Exam

More PRO benefits are being built all the time!

Membership Options and Pricing.



BASIC Not ready for serious certification attempt and just want to sample it?

FREE

  • Unlimited access to thousands of practice questions
  • Exam readiness score
  • Smart reinforcement

1 Month PRO Only joining us for the final push?
This is for you!

99/month

  • Thousands of practice test questions
  • Fully-featured exam engine
  • Continuous knowledge measurement and feedback
  • Reinforcement questions
  • Detailed exam question explanations
  • Focused training ensures 100% exam readiness
  • Personalized learning plan
  • Align exam engine to your current baseline knowledge
  • Eliminate wasted study time
  • Exam pass guarantee

3 Months PRO MOST POPULAR
Successful students spend 3 months preparing.

79/month USD 237 for 3 months

  • Thousands of practice test questions
  • Fully-featured exam engine
  • Continuous knowledge measurement and feedback
  • Reinforcement questions
  • Detailed exam question explanations
  • Focused training ensures 100% exam readiness
  • Personalized learning plan
  • Align exam engine to your current baseline knowledge
  • Eliminate wasted study time
  • Exam pass guarantee

1 Year PRO Learn and study for your certification at your own pace.

59/month USD 708 per year

  • Thousands of practice test questions
  • Fully-featured exam engine
  • Continuous knowledge measurement and feedback
  • Reinforcement questions
  • Detailed exam question explanations
  • Focused training ensures 100% exam readiness
  • Personalized learning plan
  • Align exam engine to your current baseline knowledge
  • Eliminate wasted study time
  • Exam pass guarantee

Train Your Team.

Subscriptions available for teams of 5 or greater.