Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts - 05_ocred PDF
This chapter discusses various regulatory frameworks, laws, and acts related to privacy and security, encompassing the Gramm-Leach-Bliley Act (GLBA) and the General Data Protection Regulation (GDPR). It covers information protection requirements and data security standards. The document provides an overview of key concepts and principles in these regulatory areas.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Administrative Controls

Gramm-Leach-Bliley Act (GLBA)
Source: https://www.ftc.gov

The Gramm-Leach-Bliley Act (GLB Act or GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. The Act requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data.

The objective of the GLBA is to ease the transfer of financial information between institutions and banks, while making the rights of the individual more specific through security requirements. In this regard, the key points include:

* Protecting consumers’ personal financial information held by financial institutions and their service providers is the key point of the financial privacy provisions of the GLBA. Companies should give consumers privacy notices that explain the GLBA’s information-sharing practices, while customers can limit the sharing of their information.
* If an organization violates the GLBA, then
  o it is subject to a civil penalty of not more than $100,000 for each violation;
  o officers and directors of the organization shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation; and
  o the organization and its officers and directors shall also be subject to fines or imprisonment for not more than five years, or both.

Module 05 Page 520 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

* The top information protection requirements of the GLBA include
  o the Financial Privacy Rule, under which consumers must be provided with a privacy notice once the relationship with the consumer is established; and
  o the Safeguards Rule, which requires organizations to develop a written information security plan describing their processes and procedures for protecting clients’ nonpublic personal information (NPI).
* The security and encryption requirements of the GLBA include
  o organizations establishing the required standards relating to the administrative, technical, and physical security of customer records and information; and
  o organizations implementing encryption to reduce the risk of disclosure or alteration of information—for example, strong key management practices, robust reliability, and securing the encrypted communication’s endpoints.

General Data Protection Regulation (GDPR)
Source: https://gdpr.eu

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

GDPR Data Protection Principles

The GDPR includes seven protection and accountability principles outlined in Article 5.1-2:

* Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
* Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
* Data minimization: You should collect and process only as much data as absolutely necessary for the purposes specified.
* Accuracy: You must keep personal data accurate and up to date.
* Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
* Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
* Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Data Protection Act 2018 (DPA)
Source: https://www.legislation.gov.uk

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018. It was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.

The DPA is an act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes. The DPA also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defense, and sets out the Information Commissioner’s functions and powers.

Protection of personal data

1. The DPA protects individuals with regard to the processing of personal data, in particular by:
   a. Requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
   b. Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
   c. Conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
2. When carrying out functions under the GDPR, the applied GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.