Protecting Privacy
Organizations have an obligation to protect data that they collect and maintain. This is
especially true for both PII and PHI data (described earlier in this chapter). Many laws and
regulations mandate the protection of privacy data, and organizations have an obligation to
learn which laws and regulations apply to them. Additionally, organizations need to ensure
that their practices comply with these laws and regulations.
Many laws require organizations to disclose what data they collect, why they collect it,
and how they plan to use the information. Additionally, these laws prohibit organizations
from using the information in ways that are outside the scope of what they intend to use it
for. For example, if an organization states it is collecting email addresses to communicate
with a customer about purchases, the organization should not sell the email addresses to
third parties.
It’s common for organizations to use an online privacy policy on their websites. Some
of the entities that require strict adherence to privacy laws include the United States (with
HIPAA privacy rules), the state of California (with the California Online Privacy Protection
Act of 2003), Canada (with the Personal Information Protection and Electronic Documents
Act), and the EU with the GDPR.
Many of these laws apply to any organization that operates within the law's jurisdiction.
For example, the California Online Privacy Protection Act (CalOPPA) requires a conspicuously
posted privacy policy for any commercial website or online service that collects personal
information about California residents. In effect, this potentially applies to any website
in the world that collects personal information, because if the website is accessible on the
internet, any California resident can reach it. Many people consider CalOPPA to be one of
the most stringent laws in the United States, and U.S.-based organizations that follow the
requirements of the California law typically meet the requirements in other locales.
However, an organization still has an obligation to determine which laws apply to it and
to follow them.
When protecting privacy, an organization will typically use several different security
controls. Selecting the proper security controls can be a daunting task, especially for new
organizations. However, using security baselines and identifying relevant standards makes
the task a little easier.
Chapter 5 ■ Protecting Security of Assets
Many legal documents refer to the collection limitation principle. While the wording
varies in different laws, the core requirements are consistent. A primary requirement is
that the collection of data should be limited to only what is needed. As an example, if an
organization needs a user’s email address to sign up for an online site, the organization
shouldn’t collect unrelated data such as a user’s birth date or phone number.
Additionally, data should be obtained by lawful and fair methods. When appropriate,
data should be collected only with the knowledge and/or consent of the individual.
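The collection limitation principle described above, as an added example that is not code from the book: a sign-up handler that stores only the fields the declared purpose permits and refuses a form carrying unrelated data (such as a birth date or phone number) or lacking the individual's consent. The purpose names, field lists, and email check are constructed for illustration.

```python
"""Collection limitation check for a sign-up form.

Added example, not code from the book. The purpose declared in the privacy
policy fixes which fields may be collected; a form that arrives with anything
else is refused before storage, so unrelated data (birth date, phone number)
is never retained. Purpose names and field lists are constructed.
"""
import re

# Constructed policy: declared purpose -> fields that purpose may collect.
PURPOSE_FIELDS = {
    "account_signup": {"email"},
    "order_shipping": {"email", "postal_address"},
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class CollectionLimitError(ValueError):
    """Raised when a form collects data outside its declared purpose."""


def collection_violations(purpose, submitted, consent_given):
    """List every reason the submission violates the collection limitation
    principle; an empty list means it may be stored."""
    problems = []
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        return [f"purpose {purpose!r} is not declared in the privacy policy"]
    extra = sorted(set(submitted) - allowed)
    if extra:
        problems.append(f"purpose {purpose!r} does not permit collecting {extra}")
    if not consent_given:
        problems.append("individual has not consented to collection")
    if "email" in submitted and not EMAIL_RE.match(str(submitted["email"])):
        problems.append("email address is malformed")
    return problems


def limit_collection(purpose, submitted, consent_given):
    """Return the record to store, or raise so the over-collection is visible.

    Refusing (instead of silently dropping fields) surfaces forms and
    integrations that gather more than the policy discloses.
    """
    problems = collection_violations(purpose, submitted, consent_given)
    if problems:
        raise CollectionLimitError("; ".join(problems))
    return {field: submitted[field] for field in PURPOSE_FIELDS[purpose]
            if field in submitted}
```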
Using Security Baselines
Once an organization has identified and classified its assets, it will typically want to secure
them. That’s where security baselines come in. Baselines provide a starting point and ensure
a minimum security standard. One common baseline that organizations use is imaging.
Chapter 16, “Managing Security Operations,” covers imaging in the context of configuration
management in more depth. As an introduction, administrators configure a single system
with desired settings, capture it as an image, and then deploy the image to other systems.
This ensures that all the systems are deployed in a similar secure state, which helps to protect
the privacy of data.
After deploying systems in a secure state, auditing processes periodically check the
systems to ensure they remain in a secure state. As an example, Microsoft Group Policy can
periodically check systems and reapply settings to match the baseline.
NIST SP 800-53 Revision 5 discusses security control baselines as a list of security
controls. It stresses that a single set of security controls does not apply to all situations,
but any organization can select a set of baseline security controls and tailor it to its needs.
Appendix D of SP 800-53 includes a comprehensive list of controls and has prioritized them
as low-impact, moderate-impact, and high-impact. These refer to the worst-case potential
impact if a system is compromised and a data breach occurs.
As an example, imagine a system is compromised. What is the impact of this compromise
on the confidentiality, integrity, or availability of the system and any data it holds?
■ If the impact is low, you would consider adding the security controls identified as low-impact controls in your baseline.
■ If the impact of this compromise is moderate, you would consider adding the security controls identified as moderate-impact, in addition to the low-impact controls.
■ If the impact is high, you would consider adding all the controls listed as high-impact in addition to the low-impact and moderate-impact controls.
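The two ideas above, a baseline tailored by impact level and a periodic audit that reapplies drifted settings, as one added example that is not code from the book, NIST, or Microsoft: each baseline setting is tagged with the lowest impact level that requires it, so a moderate-impact system must meet the low and moderate settings and a high-impact system all three; the audit reports deviations from that required set and the enforcement step writes the baseline values back. Setting names, values, and level assignments are constructed.

```python
"""Baseline selection and drift audit (added example; not from the book, NIST, or Microsoft).

Each baseline setting carries the lowest impact level that requires it, so a
system's required set is its level plus every lower one. A periodic audit
compares current settings with that set and, like Group Policy reapplying
settings, returns the corrected configuration. All names and values are constructed.
"""
LEVELS = ("low", "moderate", "high")

# Constructed baseline: setting -> (impact level that first requires it,
# expected value, or a predicate the current value must satisfy).
BASELINE = {
    "password.min_length": ("low", lambda v: v >= 14),
    "lockout.threshold": ("low", lambda v: 0 < v <= 5),
    "smb.v1_enabled": ("low", False),
    "audit.logon_events": ("moderate", "success,failure"),
    "disk.full_encryption": ("high", True),
}
# Constructed values written back when a setting has drifted.
REMEDIATION = {
    "password.min_length": 14, "lockout.threshold": 5, "smb.v1_enabled": False,
    "audit.logon_events": "success,failure", "disk.full_encryption": True,
}


def required_settings(impact):
    """Settings a system of this impact level must meet (cumulative)."""
    rank = LEVELS.index(impact)
    return {name: expected for name, (level, expected) in BASELINE.items()
            if LEVELS.index(level) <= rank}


def audit(current, impact):
    """Return sorted (setting, current_value, reason) tuples for each deviation."""
    findings = []
    for name, expected in required_settings(impact).items():
        if name not in current:
            findings.append((name, None, "missing"))
            continue
        value = current[name]
        compliant = expected(value) if callable(expected) else value == expected
        if not compliant:
            findings.append((name, value, "out of baseline"))
    return sorted(findings)


def enforce(current, impact):
    """Reapply the baseline value for every drifted setting; leave the rest."""
    fixed = dict(current)
    for name, _, _ in audit(current, impact):
        fixed[name] = REMEDIATION[name]
    return fixed
```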
It’s worth noting that many of the items labeled as low-impact are basic security
practices. For example, access control policies and procedures (in the AC family) ensure that
users have unique identifications (such as usernames) and can prove their identity with
secure authentication procedures. Administrators grant users access to resources based on
their proven identity (using authorization processes).
Similarly, implementing basic security principles such as the principle of least
privilege shouldn’t be a surprise to anyone studying for the CISSP exam. Of course, just
because these are basic security practices, it doesn’t mean organizations implement them.
Unfortunately, many organizations have yet to discover, or enforce, the basics.