CISSP Privacy
Privacy is concerned with ensuring that the sensitive information an organization processes, stores, or transmits is collected in compliance with applicable rules and with the consent of the owner of that information.
When it comes to data privacy, here are the important aspects that need to be kept in mind.
1. Personal data shared online is kept to the minimum required.
2. Data is not accessible to those who are not authorized to access it.
3. Security policies are kept in a location secure from hackers and attackers.
CISSP – Privacy Laws
Enforcing Privacy through law.
The most common is Europe’s GDPR. It is also important to be familiar with the EU-US Privacy Shield, which allows US companies to meet the requirements of GDPR.
In addition to the EU, other countries have also adopted privacy laws:
- APEC CBPR
- Canada PIPEDA
- US: There is no overarching privacy law in the US, only laws that apply to specific sectors:
- Privacy Act: Applicable only to US federal government agencies.
- GLBA: Gramm-Leach-Bliley Act (for financial institutions).
- COPPA: Children’s Online Privacy Protection Act (for online services directed to children under 13 years of age).
- FERPA: Family Educational Rights and Privacy Act (protects the privacy of student education records).
- HIPAA: Health Insurance Portability and Accountability Act (for protecting sensitive patient health information).
Common CISSP Privacy Law Tenets
Here are some common CISSP privacy law tenets shared across regulatory standards:
- Participation – the data subject should have the option to opt in or opt out.
- Limitation – data can only be used for the purpose stated.
- Scope – there must be a specific purpose (and it must be legal/ethical), and the scope should be included in the notification.
- Accuracy – the data must be as accurate as possible, and the data subject should be able to make corrections.
- Retention – the data should be kept only as long as it is needed.
- Security – the custodian must protect the data.
- Dissemination – the custodian must not share the data without notifying the data subject.
- Notification – the data subject must be notified that you are collecting and creating their data before it is used, and the notification should include the purpose of use.
A trick to memorize the privacy tenets is to say the following phrase while noting the initial letters of each tenet above (the D and N of “DoNuts” stand for Dissemination and Notification):
“PLS (please) Acquire or Reveal Some DoNuts”
GDPR Tenets
GDPR stands for General Data Protection Regulation. It is a set of privacy laws in the European Union (EU) made to protect its citizens’ and residents’ data. The regulation vastly expands people’s rights over their personal information and how it is used. Any company that deals with “EU data subjects” has to abide by the rules, regardless of where it is based. Those data subjects include EU citizens and residents, but the term could also be interpreted to include non-residents visiting the EU.
General Data Protection Regulation (GDPR): the GDPR also has privacy tenets that are similar to, but not the same as, the general tenets. There is no guarantee which set you will be tested on, so memorize both and what each tenet requires. You can memorize these with a mnemonic as well: “Public Displays of Affection Sure Interest All of Us.”
- Purpose limitation – data should be collected for the stated purpose.
- Data minimization – data should be limited to what is needed for the stated purpose.
- Accuracy – there should be a method for the data subject to make corrections so that the information is accurate.
- Storage limitation – basically, do not keep the information longer than needed.
- Integrity/confidentiality – you should prevent unauthorized modification or viewing of the data.
Organization for Economic Cooperation and Development (OECD) Tenets
The Organization for Economic Cooperation and Development (OECD) has small differences in its privacy tenets:
- Collection limitation – limits the collection of personal data
- Data quality – accurate and up to date, and relevant to the purpose that it is used
- Purpose specification – the purpose should be specified at the time of collection
- Use limitation – the data cannot be disclosed or used without consent
- Security safeguards – data is afforded reasonable protection
- Openness – with respect to policy and procedure involving personal data
- Individual participation – data must be made available to the subject and the subject has specific rights related to the data
- Accountability – the data controller is accountable
Data masking: pseudonymisation or anonymisation is highly recommended by the GDPR. Such techniques reduce risk and assist “data processors” in fulfilling their data compliance obligations. They make it much harder, if not impossible, to link data back to the original person.
Anonymization eliminates personal data so that data subjects can no longer be identified. Anonymized data is excluded from GDPR regulation altogether because anonymized data is no longer “personal data.”
Pseudonymization replaces personal identifiers with nonidentifying references or keys so that anyone working with the data is unable to identify the data subject without the key. This type of data may enjoy fewer processing restrictions under the GDPR.
Tokenization is similar to pseudonymization, but requires a complex process to retrieve original data. It is reversible.
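As an added example that is not part of the original notes, the Python script below shows the three masking techniques just described side by side on one record: anonymization drops and coarsens identifiers with no way back, pseudonymization replaces them with keyed references that only the key holder can correlate, and tokenization swaps them for random tokens that only the vault holder can reverse. The record, its field names, the key and the vault are constructed for this illustration, and using HMAC-SHA256 for the pseudonym is one common implementation choice, not something the notes prescribe.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for this example (not real data); the field
# names are assumptions made for the illustration.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.org",
    "postcode": "10115",
    "diagnosis": "asthma",
}

# Fields that directly identify a person. "postcode" is treated as a
# quasi-identifier: not identifying alone, but risky in combination.
DIRECT_IDENTIFIERS = ("name", "email")


def anonymize(record: dict) -> dict:
    """Anonymization: remove direct identifiers and coarsen the quasi-identifier.
    Nothing retained allows re-linking the row to the person, so there is no
    way back, which is why the notes say anonymized data is no longer personal data."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "***"  # keep only the region prefix
    return out


def pseudonymize(record: dict, key: bytes) -> dict:
    """Pseudonymization: replace each direct identifier with a keyed reference.
    HMAC-SHA256 is deterministic, so the same person gets the same pseudonym in
    every dataset (records stay joinable), but without the key the pseudonym
    cannot be resolved. The key is held by the controller, apart from the data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            tag = hmac.new(key, out[field].encode("utf-8"), hashlib.sha256).hexdigest()
            out[field] = "pseu_" + tag[:16]
    return out


class TokenVault:
    """Tokenization: swap each value for a random token and keep the mapping in a
    vault. The token carries no information about the value, so reversal needs
    a lookup in the vault, which only its custodian can perform."""

    def __init__(self) -> None:
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]

    def tokenize_record(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self.tokenize(out[field])
        return out

    def detokenize_record(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self.detokenize(out[field])
        return out


def contains_identifiers(record: dict) -> bool:
    """Check whether any original identifier value survives in a masked record."""
    return any(record.get(f) == SAMPLE_RECORD[f] for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # demo key; in practice held in a KMS/HSM, never beside the data
    print("anonymized:   ", anonymize(SAMPLE_RECORD))
    print("pseudonymized:", pseudonymize(SAMPLE_RECORD, key))
    vault = TokenVault()
    tokenized = vault.tokenize_record(SAMPLE_RECORD)
    print("tokenized:    ", tokenized)
    print("detokenized:  ", vault.detokenize_record(tokenized))
```

The practical difference for a reviewer: the anonymized record cannot be reversed by anyone, the pseudonymized record can be re-identified only by whoever holds the HMAC key (so it remains personal data in the controller's hands), and the tokenized record can be reversed only through the vault, so the vault and the key must be kept under separate, tighter controls than the masked dataset itself.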
