01_Handout_1 (1).pdf

Full Transcript

IT2028

Data Privacy  Data security includes a set of standards and different
safeguards and measures that an organization is taking to
 Personal data refers to any information, whether recorded in a prevent any third party from unauthorized access to digital data
material form or not, from which the identity of an individual is or any intentional or unintentional alteration, deletion, or data
apparent or can be directly ascertained by the entity holding the disclosure. It focuses on the protection of data from malicious
information. attacks and prevents the exploitation of stolen data such as:
 Privacy concerns the collection and use of data about o Data breach – an unauthorized or unintentional
individuals. There are three (3) primary privacy issues: disclosure of confidential information.
o Accuracy relates to the responsibility of those who o Cyberattack – the stealing of data or confidential
collect data to ensure that the data is correct. information by electronic means, including ransomware
o Property relates to who owns the data. and hacking.
o Access relates to the responsibility of those who have  To achieve this, organizations use tools and technology such as
data to control who can use that data. firewalls, user authentication, network limitations, and internal
security practices to prevent such access.
Data Privacy Versus Data Security
 Organizations commonly believe that keeping sensitive data
secure from hackers means they’re automatically compliant with
data privacy regulations
 Data privacy and data security are often used interchangeably,
but there are distinct differences, although sometimes difficult to
distinguish between. Whereas security controls can be met
without also satisfying privacy considerations, privacy concerns
are impossible to address without first employing effective
security practices. In other words, security protects data, and
privacy protects the identity
 Privacy and security come down to which data is being
protected, how it’s being protected, from whom it’s being
protected, and who is responsible for that protection. Security is
about protecting data from malicious threats, whereas privacy is
about using data responsibly.
 Data privacy is a part of the data protection area that deals with
the proper handling of data, with the focus on compliance
with data protection regulations.
 Data privacy focuses on the rights of individuals, the purpose of Figure 1. Privacy and Security
data collection and processing, privacy preferences, and the way
organizations govern the personal data of data subjects. It
focuses on how to collect, process, share, archive, and delete
the data under the law.

01 Handout 1 *Property of STI
 [email protected] Page 1 of 3
 IT2028

 CIA Triad is a model designed to guide an organization’s Aspect of Privacy
policies on information security. The elements of the triad are  Information privacy is considered an important aspect of
considered the three most crucial components of security. The information sharing. With the advancement of the digital age,
following are the three (3) elements of data security. personal information vulnerabilities have increased
o Confidentiality ensures that data is accessed only by  Information privacy may be applied in numerous ways, including
authorized individuals. encryption, authentication, and data masking, each attempting
o Integrity ensures that information is reliable as well as to ensure that information is available only to those with
accurate; and authorized access.
o Availability ensures that data is both available and  Information privacy includes the regulations required for
accessible to satisfy business needs. companies to protect data. And as more data protection
regulation grows worldwide, global privacy requirements and
demands will also expand and change.
 Protective measures are geared toward preventing data mining
and the unauthorized use of personal information, which are
illegal in many parts of the world.
 Information privacy also relates to different data types, including:
o Internet privacy: All personal data shared over the
Internet is subject to privacy issues. Most websites
publish a privacy policy that details the website's
intended use of collected online and/or offline collected
data.
o Financial privacy: Financial information is particularly
sensitive, as it may easily use to commit online and/or
offline fraud.
o Medical privacy: All medical records are subject to
stringent laws that address user access privileges. By
Figure 1. CIA Triad law, security and authentication systems are often
required for individuals that process and store medical
Elements of Data Privacy records.
 Data privacy encompasses three (3) key elements:
o Right of an individual to be left alone and have control
over their data
o Procedures for proper handling, processing, collecting, References:
and sharing of personal data
o Compliance with data protection laws Kumar, G., Saini, DK., Huy Cuong, NH. (2020). Cyber Defense Mechanisms: Security,
Privacy, and Challenges. CRC Press.
 Data management – the process of ingesting, storing, Stallings, W. (2019). Information Privacy Engineering and Privacy by Design:
organizing, and maintaining the data created and collected by an Understanding privacy threats, technologies, and regulations. Assison-Wesley
organization. Professional.
 Data management is at the heart of privacy. Data is a vague Petters, J. Data Privacy Guide: Explanations and Legislation. Retrieved from
https://www.varonis.com/blog/data-privacy/#tips on September 9, 2020
concept and can encompass such a wide range of information.

01 Handout 1 *Property of STI
 [email protected] Page 2 of 3
 IT2028

Information Privacy Concepts
 Information privacy generally pertains to what is known as
personally identifiable information (PII).
 PII is information that can be used to distinguish or trace an
individual’s identity, such as:
o Information about birth, race, religion, weight, activities,
geographic indicators, employment information, medical
information, education information, and financial
information;
o Personal characteristics, including photographic
images, x-rays, fingerprints, or biometric image; and
o Asset information, such as Internet Protocol (IP) or
media access control (MAC) address or other host-
specific persistent static identifier that consistently links Figure 1. Information Privacy Development Life Cycle
to a particular person or a small, well-defined group of
people. Privacy by Design Principles
Privacy by Design  A useful guide to developing a PbD approach is the set of
 In dealing with the privacy of PII, two (2) new concepts have foundational principles for PbD first proposed by Ann Cavoukian,
emerged: privacy by design (PbD) and privacy engineering. as shown in Figure 2. These principles were later widely adopted
 The goal of privacy by design is to take privacy requirements into as a resolution by other prominent policymakers at the 32nd
account throughout the system development process, from the Annual International Conference of Data Protection and Privacy
conception of a new IT system through detailed system design, Commissioners meeting.
implementation, and operation.
o Privacy requirements: These are system requirements
that have privacy relevance. System privacy
requirements define the protection capabilities provided
by the system, the performance and behavioral
characteristics exhibited by the system, and the
evidence used to determine that the system privacy
requirements have been satisfied. Privacy requirements
are derived from various sources, including laws,
regulations, standards, and stakeholder expectations.
 Figure 1 provides an overview of the major activities and tasks
involved in integrating information privacy protection into any
information system developed by an organization. The upper
part of the figure encompasses design activities that determine
what is needed and how to satisfy requirements. The lower part
of the figure deals with the implementation and operation of
privacy features as part of the overall system.
Figure 2. Foundational Principles of Privacy by Design

01 Handout 1 *Property of STI
 [email protected] Page 3 of 3