Data Sharing & Privacy Agreements PDF


Summary

This document details various data security controls, including interconnection security agreements (ISAs), data sharing and usage agreements, service-level agreements (SLAs), and confidentiality and non-disclosure agreements (CNDAs). It explains how these agreements protect data confidentiality and prevent breaches. The document also reviews different rights management services.

Full Transcript


Certified Cybersecurity Technician, Data Security, Exam 212-82

Data Sharing and Privacy Agreements

o Interconnection Security Agreement (ISA): It is a mutual agreement between an organization and a third party that decide to connect their IT systems
o Data Sharing and Usage Agreement: It is a documented agreement between a data provider and receiver, which contains a clear understanding of what type of data is to be shared and how the data need to be handled
o Service-level Agreement (SLA): It is a contractual agreement that states the level of service that an organization expects from a vendor, along with the metrics and detailed terms of penalties if service levels are not met
o Confidentiality and Non-disclosure Agreement (CNDA): It is a security contract signed between two individuals or companies for maintaining the confidentiality of information shared between them

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Data Sharing and Privacy Agreements

When an organization wishes to share resources with outsiders such as third-party service vendors, there is a risk associated with data security and privacy. Outsiders with access to any internal system could cause a data breach, for which the organization will have to bear the consequences. To protect the confidentiality of data, it is important to make a formal legal agreement with third-party vendors and contractors who use the resources. The following are some of the common agreements.

Interconnection Security Agreements (ISA)
An ISA is a mutual agreement between an organization and a third party when they decide to connect their IT systems. The ISA is a memorandum of understanding (MOU) for security risk awareness and implementing security controls. It is defined by NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems.

Data Sharing and Usage Agreement
A data sharing and usage agreement is a documented agreement between a data provider and receiver, which contains a clear understanding of what type of data is to be shared and how the data must be handled. This agreement protects the data from misuse and eliminates miscommunication between the two parties about how to process the shared data.

Service-level Agreement (SLA)
An SLA is a contractual agreement that states the level of service that an organization expects from a vendor, along with the metrics and detailed terms of penalties if service levels are not met. The SLA is a crucial element for every contractual alliance with third parties. It can be set for all the services or products that a third party offers. A vendor management SLA provides a collection of metrics that indicates to an organization how vendors are performing.

Module 15 Page 1845

Confidentiality and Non-disclosure Agreement (CNDA)
An NDA is a security contract signed between two individuals or companies for maintaining the confidentiality of information shared between them. The parties sign this agreement when they intend to restrict the use of the shared information. NDAs are also known as confidentiality agreements, proprietary information agreements, and secrecy agreements. Business experts state that NDAs are the best option when an individual or firm makes a contract with another. NDAs are useful when an individual or firm needs to share its confidential information with third parties but does not want them to disclose it. This confidential information can be the pharmaceutical formulas of a pharmaceutical firm, beverage compositions of a beverage firm, list of customers of an e-commerce firm, or other technical data.
A written NDA is a powerful legal tool stating that neither party will disclose any trade secrets, patents, or other proprietary information to anyone outside the company. A party can initiate legal action against the other for any violation of the documented agreement. The organization can sue for damages and compensation in the case of any violation.

Rights Management Services

o Active Directory Rights Management Services (https://www.windows-active-directory.com): AD RMS is a security solution designed for data security through the proper implementation of access policies
o SolarWinds Access Rights Manager (https://www.solarwinds.com/access-rights-manager)
o Foxit PDF Security Suite (https://www.foxit.com)
o ManageEngine AD360 (https://www.manageengine.com)
o Netwrix Auditor (https://www.netwrix.com)
o Microsoft Azure RMS (https://www.paessler.com)

Rights Management Services

Active Directory Rights Management Services (AD RMS)
Source: https://www.windows-active-directory.com

RMS is a security tool that has been used since before the release of Windows Server 2008. Currently, RMS is named Active Directory Rights Management Services (AD RMS) and is a security solution designed for data security through the proper implementation of access policies. AD RMS employs encryption techniques and a type of functionality for limiting access to critical organizational data such as MS Word files, emails, web pages, and activities of a legitimate client. AD RMS consists of a server and client units. The server is created from multiple web services, and the client comprises utilities that can be used for encryption and decryption.
The client can also procure document licenses and security certificates from the server to perform many other security-related operations; these licenses or certificates can be accessed only by authorized individuals. AD RMS also employs the Information Rights Management (IRM) feature to enhance the security plans for enterprises to secure documents. These IRM policies are used to determine authorized individuals and provide access permissions to documents, presentations, and other services based on specific criteria.

The following are some of the features provided by the AD RMS.

o Provides constant and continuous usage policies
o Provides an additional layer of security to protect sensitive information
o Thwarts unauthorized copying, modifying, and forwarding of documents
o Allows setting file expiration, which makes the content in a document inaccessible after a certain period

Figure 15.85: Screenshot displaying AD RMS in Windows Server

The following are some of the additional rights management services:

o SolarWinds Access Rights Manager (https://www.solarwinds.com/access-rights-manager)
o Foxit PDF Security Suite (https://www.foxit.com)
o ManageEngine AD360 (https://www.manageengine.com)
o Netwrix Auditor (https://www.netwrix.com)
o Microsoft Azure RMS (https://docs.microsoft.com)
