M4 - Confidentiality and Privacy

Questions and Answers

What is a primary goal of Data Loss Prevention (DLP)?

  • To prevent unauthorized physical access to data centers
  • To detect and prevent the transfer of sensitive information out of the organization (correct)
  • To enhance data encryption for stored files
  • To improve employee productivity with data usage

Which of the following is NOT a type of DLP system?

  • Network-Based DLP
  • Cloud-Based DLP
  • Application-Based DLP (correct)
  • Endpoint-Based DLP

What is the purpose of a structured walk-through?

  • To perform a data analysis for system performance enhancement
  • To train employees on policy changes via written procedures
  • To evaluate compliance with data regulations through documentation
  • To simulate real emergency situations such as disasters (correct)

Which step is the last in the walk-through process?

  • Evaluate and Report

Which safeguard for data at rest focuses on protecting the physical environment of data storage?

  • Physical security

What is the primary distinction between privacy and confidentiality?

  • Privacy protects individual rights, while confidentiality protects against unauthorized access to information.

Which of the following methods is an example of obfuscation?

  • Data encryption

What is a key disadvantage of symmetric encryption?

  • It is difficult to manage on a large scale since both parties need the same key.

Which of the following best describes hashing?

  • It is a one-way process that generates a unique hash value for varying input lengths.

Which statement accurately represents asymmetric encryption?

  • It utilizes a public key for encryption and a private key for decryption.

    Study Notes

    Confidentiality and Privacy

    • Privacy protects an individual's rights and gives them control over their information.
    • Confidentiality protects information from unauthorized access.
    • NIST defines confidentiality as preserving restrictions on accessing and disclosing data, including protecting personal and proprietary information.

    Obfuscation

    • Obfuscation replaces sensitive data with less valuable data for unauthorized users.
    • Methods include encryption, tokenization, and masking.

    Tokenization

    • Tokenization replaces sensitive data with a surrogate value (token).
    • Examples include random number generators, hashing, and encryption.

    Masking

    • Masking swaps data to disguise identifying information.

    Encryption

    • Encryption is the highest level of data protection.
    • Data must be encrypted at rest and in transit.

    Symmetric Encryption

    • Symmetric Encryption uses a single private key for encryption and decryption by all involved parties.
    • This method is commonly used by banks and in Virtual Private Networks (VPNs).
    • Downsides: requires sharing a private key among all parties, is complex in large-scale scenarios, and does not guarantee non-repudiation.

    Asymmetric Encryption

    • Asymmetric Encryption uses a public key for encryption and a private key for decryption.
    • More secure, but slower than symmetric encryption, requiring more computing resources.

    Hashing

    • Hashing creates a one-way transformation of a message into a fixed-length hash value (message digest).

    Ciphers

    • Ciphers use symbols or letters to replace actual data, e.g., substitution or transposition ciphers.

    Data Loss Prevention (DLP)

    • DLP aims to prevent unauthorized transfer of sensitive information.
    • DLP methods include pattern matching and word recognition.
    • Steps for a DLP program:
      • Implement DLP program
      • Define enterprise data
      • Evaluate data types
      • Monitor sensitive data use
      • Enforce security policies
      • Implement education

    DLP System Types

    • Network-Based DLP: prevents outgoing data transfers on networks.
    • Cloud-Based DLP: prevents outgoing data transfers in cloud environments.
    • Endpoint-Based DLP: scans files on endpoint devices (printers, USB drives, laptops).

    Safeguards for Data at Rest

    • Physical security protects data storage hardware.
    • Digital security protects data digitally.
    • Authorization/Access controls manage who can access data.
    • Change management governs changes to systems and data.
    • Backup and recovery ensures data restoration in case of loss.

    Walk-Throughs

    • Walk-throughs assess program logic, design, features, and functionality.
    • Read-through: review of security, confidentiality, and privacy procedures.
    • Structured walk-through: role-playing or simulating a disaster scenario.
    • Fire drill: simulating an emergency.
    • Walk-through steps: planning & preparation, understanding, performing walk-through, documentation, testing, evaluation & report.

    Quiz Team

    Description

    This quiz covers key concepts related to data privacy and security, including confidentiality, obfuscation, tokenization, and encryption methods. Test your understanding of how these practices protect individual rights and sensitive information from unauthorized access. Brush up on these essential principles for safeguarding data.
