Upload File

privacy implications guide for - center for internet security · 2017-03-17 · security and...

  • Home
  • Documents
  • Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could
21
Privacy Implications Guide for the CIS Critical Security Controls(Version 6)

Upload: others

Post on 25-May-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

PrivacyImplicationsGuide

for

theCISCriticalSecurityControls™(Version6)

Page 2: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

PrivacyImplicationsGuidefortheCISCriticalSecurityControls(Version6)Acknowledgements:TheCenterforInternetSecuritygratefullyacknowledgesthecontributionsprovidedbyMaryEllenCallahan,ChairofJenner&Block’sPrivacyandInformationGovernancePractice;RickDoten,ChiefofCyberandInformationSecurityattheCrumptonGroupLLC;andotherexpertvolunteersfromtheCISCommunityforthecontentandeditingofthisguide.

Page 3: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

2

PrivacyImplicationsGuidefortheCISCriticalSecurityControls(Version6)Introduction.................................................................................................................................................................................................................................................................3AudienceandUseofPrivacyGuide...................................................................................................................................................................................................................3Scopeofthisdocument...........................................................................................................................................................................................................................................4PrivacyPrinciples......................................................................................................................................................................................................................................................5PrivacyReferences.................................................................................................................................................................................................................................................20

ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-NoDerivatives4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.TofurtherclarifytheCreativeCommonslicenserelatedtothecontentofthisPrivacyImplicationsGuidefortheCISCriticalSecurityControls(the“PrivacyGuide”),youareauthorizedtocopyandredistributethecontentofthePrivacyGuideforusebyyou,withinyourorganizationandoutsideofyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,and(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuilduponthisPrivacyGuide,youmaynotdistributethemodifiedmaterials.CommercialuseofthePrivacyGuideissubjecttothepriorapprovalofTheCenterforInternetSecurity.

Page 4: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

3

Introduction

Manyprofessionalswithinthecybersecurityindustrystruggletounderstandthedifferencesbetweenprivacyandsecurity.Someviewbothasaninterrelatedmeanstoanend:privacymeansusingencryptiontoprotectconfidentiality.ThisconfusionmakesitchallengingforITprofessionalstoprotectprivacyeffectively:youcan’thaveprivacywithoutsecurity,butcanhavesecuritywithoutprivacy.Additionally,legalstaffgrappleswiththeimplicationsofchangesintechnologythatoftenoutpacethelaw.

ThisdocumentisacompaniontotheCISCriticalSecurityControlsforEffectiveCyberDefensev.6(CISControls),whichareasetofprioritizedbestpracticesdesignedtoprotectinformationsystemsandassetsagainstinternalandexternalthreats.ThePrivacyGuidesupportstheseobjectivesbyaligningprivacyprinciplesandhighlightingpotentialprivacyconcernsthatareimplicatedbytheCISControls.TheCISControlsprovideguidelinesandexamplesforITsecurityprogramsbydescribingacomprehensivelistofkeysecurityareastobeaddressed,includingthreatstopersonalinformationandprivacy.ThisGuideisintendedtoidentifyopportunitiestointegrateprivacyconsiderationsintodatasecuritycontrols.

AudienceandUseofPrivacyGuide

TheNationalAcademyofSciences(NAS)PrivacyResearchandBestPracticesreportposesthat,“organizationsmustdevelopandcontinuouslyadapttheirowninternalpoliciesandpracticestoprotectprivacy—beyondthosethatarelegallymandated—inordertobeeffectiveandmaintainthetrustoftheirstakeholdersandthepublic.”

ThisPrivacyGuideisaresourcemeantforbothITSecurityprofessionalswhoarefamiliarwiththeCISControls,andprivacyorlegalstaffwithinorganizations.ThedocumenthopestoprovidebridginginformationforbothITSecurityprofessionalslookingtobetterunderstandhowprivacyappliestoITsecuritycontrolsandprivacyorlegalprofessionalswhoneedtobetterunderstandhowmoderntechnologyandITprocessesmightimpactprivacy.

Wehopethatthedocumentstartsalineofcommunicationbetweenthesetwokeygroups,andenhancesthegovernanceprocessbywhichbusinessandlegalmanagementcommunicatewithITandITsecurityteams.Properdatagovernancewill

Page 5: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

4

helptobetterunderstandtheprivacyimplicationsanddevelopandimplementappropriateprivacycontrols.WehopethatprivacyprofessionalslearnabouttheCISControlsandhowitcanbeatooltosupportprivacyrequirements.

ThisGuideshouldbeagoodstartingpointtoestablishaconstructivedialogueandcooperationamongallgroups.ThePrivacyGuideisusefulforenterprisesofanysize:largeorganizationsthatmightnothavegoodcommunicationbetweenITandlegalteamsandSmall/MediumEnterprise(SMEs)thatmightnotknowwhattheyneedtoknow.TheGuideoutlinessometheprivacyimplicationsoftheCISControlsandsuggestsmitigationapproaches.

Topicslikeregulatoryrequirements,dataprotectionstandards,requirementswithinpartneragreements,andbreachdisclosurelawsmightnotbeknowntotechnicalstaffwhoshouldunderstandwhattheyneedtoprepareforreporting.Thereisnosilverbullettoapproachingprivacyconsiderationsastheyareoftencomplexandwillvarybycountry,state,industry,customertypeandotherfactors.

Scopeofthisdocument

InnotingprivacyimplicationsoftheCISControlsandsuggestingmitigations,thisdocumentfocusesonprivacyrequirementsandbestpracticesforenterprises.Ittakesabroadviewofinternationalprivacylawsastheyvaryfromcountrytocountryandprovidesguidanceonwhatisneededfororganizationstomaketheirownrisk-baseddecisions.Assuch,itiscriticalthatITsecurityandprivacy/legalteamsworktogether.

Whileafull-scopeprivacyandsecurityguidecouldrunthousandsofpages,thisGuideisonlymeantasastartingpointtooutlinethemostessentialprocessesthateveryorganizationshouldfocusonwhendealingwithdataprivacyandsecurityconcerns.AlthoughthefollowingtopicsfalloutsidethescopeoftheGuide,weencourageorganizationstobemindfulofthefollowingissues,whereapplicable:

• Evolvingnationalandinternationallaws• SafeHarbor’sreplacementbyPrivacyShieldintheEU• Breachdisclosurerequirementsnationally,regionally,andinternationally• BigDataanalysis,issuesofsecondaryuse,andderiveddata• Privacyrelatedtopersonalmobiledevicesusedintheenterprise

Page 6: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

5

• PrivacyforInternetofThings(IoT),suchaspersonalwearabledevices,autos,smarthomes,etc.PrivacyPrinciples

ThefollowingoverarchingprivacyprinciplesshouldbediscussedbetweenITSecurityandcorporateprivacyorlegalteamswithinanyorganization:

• PrivacyisbasedontheFairInformationPracticePrinciples:Transparency,IndividualParticipation,Collection

Limitation,PurposeSpecification,UseLimitation,DataQuality,Security,andAccountability.

• PrivacyisahumanrightinEurope.IntheUnitedStates,influentialscholarsandjuristshavedefinedprivacyasalegalright,like“therighttobeletalone,”oranindividual’sright“tocontrol,edit,manage,anddeleteinformationaboutthem[selves]anddecidewhen,how,andtowhatextentinformationiscommunicatedtoothers.”

• Privacyisavalue;itisnormativeandvariesamongculturesinitsparticulars.Forexample,anindividual’sfinancial

informationisconsideredpersonalinformationrequiringprotectionintheU.S.,butnotinEurope;anindividual’sbusinesscontactinformation(e.g.,businessemailaddressorphonenumber)isconsideredpersonalinEurope,butnotintheU.S.

• Securityisnotnormative;itisaboutbuildingsystemsthatperformaccordingtospecifications,includingspecifications

toimplementpoliciesonprivacy.

• PrivacyisnotjusttheCofthesecuritytriadofConfidentiality,Integrity,andAccessibility.

• Securityisessentialtoprivacy:itisoneofthefoundationalprinciplesofprivacy.

Page 7: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

6

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyCSC# ControlName PrivacyImplications PrivacyMitigationSuggestions

1

InventoryofAuthorizedandUnauthorizedDevices

Computingassetsareusuallytiedtoemployees.Knowledgeaboutadeviceandwhereitislocatedcouldprovidealinktoanindividual.

• Theremightbeissueswiththe

nameofindividualtiedtodevice(ifdevicenameisalsousername).

• Sometimesorganizationsissue

differentdevicesbasedonrole,forinstancedevelopersmightgetmorepowerfullaptopsthangeneralstaff;orexecutivesmightgettablets.Knowledgeofthiscouldallowenumerationofuser’srole.

• Withpersonalmobiledevices,

devicemanagementmighttracklocationofthatdeviceatanygiventime,whichcoulddeterminewhereaboutsofauser.

Technicalstaffshouldworkwithcorporateprivacyofficer,orlegalcounseltoidentifywhatrequirementsareneededforprivacydataprotection.

Deviceinventoriesshouldbeprotectedaspersonalinformation.

Enterprisesshouldhaveaprivacypolicythatletsusersknowtheprivacyrisksofmobiledevices,andwhatcouldbederivedfromthedevicestheyhave.

2 InventoryofAuthorizedand

UnauthorizedSoftware

Applications,tiedtodevices,thataretiedtoindividualsmayholdpersonaldata,orallowsomeonetogleam

Technicalstaffshouldworkwithcorporateprivacyofficer,orlegalcounseltoidentifywhatrequirementsareneededforprivacydataprotection.

Page 8: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

7

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

informationaboutthatuser. • Somesoftwareapplicationsmay

containpersonalinformation(e.g.,employer-sponsoredwellnessapplicationsorfinancial).

• Whenmanagingappsonmobile

devices,theremightbeissueswithcertainpersonalapplicationsrelatedtolifestyle,healthtracking,orpersonalfinances.

• Whenusersareusingpersonal

devicesforwork,thisbecomesmoreacute,ascertainapplicationscouldindicatelifestylesthatmightbeusedtodiscriminate.

Intheinventory,identifyapplicationslikelytocontainpersonalorconfidentialinformation.Applyappropriateprotectionstotheinventoryandtosensitiveapplications.

Note:Adatainventoryandclassificationprocesscanbecoordinatedwiththeinitialcreationandmaintenanceofthesoftwareinventory.

Softwareinventoriesofemployeepersonalmobiledevicesshouldbeprotectedaspersonalinformation.

Enterprisesshouldhaveaprivacypolicythatletsusersknowthesecharacteristics,andwhatcouldbederivedfromthedevicestheyhave.

3

SecureConfigurationsforHardwareandSoftwareonMobileDevices,Laptops,Workstations,andServers

Thereareoftenregulatoryrequirements,or3rdpartyagreementsforsecuritycontrolsonsystemsthatstoreprivacyinformation

• Thesecurityconfigurationscould

beacompliancerequirement;orifthereisabreach,theirabsence

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,whereitisstored,andthedataflowofthatdata.Thatway,appropriateprotectionscanbeappliedtoallsystemsinthedataflowchain.

Implementauditingofregulatoryand3rdpartyagreementrequirementstoverifythelocationandappropriateprotectionofallprivacydata.

Page 9: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

8

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

couldprovelackofsufficientcontrolstoprotectdata.

4

ContinuousVulnerabilityAssessmentandRemediation

Theremightberegulatoryrequirementsor3rdpartyagreementsforidentifyingandmanagingvulnerabilitiestosystemsthatstoreprivacyinformation.

• Similartomanagingsecure

configurations,theidentificationofvulnerabilitiesthatcouldallowunauthorizedaccesstoprivacydatacouldbeacomplianceissue,orleadtoabreach,whichwouldrequiredisclosure.

• Ifthereisabreach,inadequate

vulnerabilitymanagementcouldprovelackofsufficientcontrolstoprotectdata.

ApplyingtheguidancefromtheCISControlsforvulnerabilitymanagementwillcontributetosituationalawarenessofvulnerabilityandbeingtobeproactiveaboutpotentialweaknessesinprivacycontrols.

5

ControlledUseofAdministrativePrivileges

Administratorsofsystems,applications,anddatabaseshavefullaccesstoanydatastoredontheplatform.

• ForPIIorPHIdata,thereisno

businessneedforsysadminsto

Technicalstaffshouldworkwithcorporateprivacyofficer,orlegalcounseltoidentifywhatrequirementsareneededforprivacydataprotection,includingthemonitoringofuserswithadministrativeprivileges,aslegallyallowed

Therearetoolsthatcanlimitadministrativeaccesstoprivacydataatthesystemorapplicationlevel.Thesetoolsalsocan

Page 10: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

9

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

haveaccesstothisdata.Failuretocontrolaccesscouldbeacompliancerequirement,orcouldleadtounauthorizedaccessandrequiredisclosure.

• Controlrecommendsmulti-factor

authentication;someimplementationsloggeolocationoftheuserisattimeoflogin.

monitoraccess,andsetalertsforunauthorizedaccess,orprovidelogreportstoproveadministratorsdidnotaccessdata.

Implementauditingofregulatoryand3rdpartyagreementrequirementstoverifythelocationandappropriateprotectionofallprivacydata.

6

Maintenance,Monitoring&AnalysisofAuditLogs

Someaccessorerrorlogsfromapplicationsmightcontainprivacydata.

• Theremightbeissueswithtypeof

datathatiscollected,especiallyaboutuseractivity,personalinformationwithinanactivitylog.

• Itispossiblethatprivacydatais

loggedorcachedatthesystemorapplicationlevel.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,andwhereitisstored,andthedataflowofthatdata,includingwhatislogged

AdministratorsshouldworkwithcorporatePrivacyOfficer,orlegaldepartment,tounderstandwhatpotentialPIIisstoredinlogsandalerts,andthatdatashouldbeprotectedatthesamelevelasthedataitself,includingappropriateretentionlimits.

Page 11: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

10

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

7

EmailandWebBrowserProtections

Emailisthemostprominentbusinesscommunicationchannel,theemailserverholdsallemailssentbyusersfromtheirworkaccounts,betheybusinessorpersonal.

Mostlargeorganizationshavegatewaysforprotectionandmonitoringofemailandwebtraffic,whichstoreactivityaboutwebsearches,andareanotherrepositoryofemails.

Webbrowsershavelocalhistoriesofallsitesvisitedbytheuser.

Therearetrackingcookiesusedbywebsitesto“followandrecord”allthesitesvisitedbyauser;additionally,webbrowserssometimeshavevulnerabilitiesthatallowexternalsitestocaptureprivacydata.

Personalinformationcouldbewithinemails,historyofwebactivity,orcaptureofpersonalinformationineventlogs.

AdministratorsshouldworkwithcorporatePrivacyOfficer,orlegaldepartment,tounderstandwhatpotentialPIIisstoredinwebandemaillogsandalerts,andthatdatashouldbeprotectedatthesamelevelasthedataitself.

Userswillneedtobetrainedonappropriateemailandwebactivityrelatedtohandlingprivacydata.Theyshouldnotsendprivacydataoverunencryptedchannels,ortonon-authorizedlocationsorindividuals.

SimilartoCSC2,theregularupdatingandpatchingofwebbrowsers,aswellasuseofscript-blockingadd-ons,orrestrictuseofapplications,suchasFlash,willcontributetoprotectinguserprivacyandthatofotherswhosepersonalinformationusershandle.

Page 12: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

11

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

8

MalwareDefenses

Sometimesmalwarecollectspersonalinformation,suchascontacts.Sometimesthealertsorlogsfromendpointorperimetermalwaredefensescontainthisdata.

Malwaremightcollectandsendprivacydataoutsideofthenetworkoverinsecurechannels.

Somehostandperimetermalwaretoolsmightrecordsensitivedata.Thesealertsandlogscouldcontainprivacyinformationthatshouldbeprotectedaccordingly.

AdministratorsshouldworkwithcorporatePrivacyOfficer,orlegaldepartment,tounderstandwhatpotentialPIIisstoredinlogsandalerts,andthatdatashouldbeprotectedatthesamelevelasthedataitself.

9

LimitationsandControlofNetworkPorts,ProtocolsandServices

Thereareoftenregulatoryrequirementsforsecureconfigurationsandcontrolsonsystemsthatstoreprivacyinformation

• Thesecurityconfigurationscould

becomeacompliancerequirement;orifthereisabreach,theycouldprovelackofsufficientcontrolstoprotectdata.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,whereitisstored,andthedataflowofthatdata.Thatway,appropriateprotectionscanbeappliedtoallsystemsinthedataflowchain.

Implementauditingofregulatoryand3rdpartyagreementrequirementstoverifythelocationandappropriateprotectionofallprivacydata.

Page 13: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

12

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

10

DataRecoveryCapability

Personaldatamightbebackedupandstoredinaninsecuremanner,orinacountrythatviolatestheprivacyrequirementsregardingthedatasubjects.

MakesuredatagovernanceprocessidentifiesallPIIandprivacyrelateddata.Developbackupplansthataccountforanyspecificprivacyprotections,orgeographicrestrictions.

Implementauditingofregulatoryand3rdpartyagreementrequirementstoverifythelocationandappropriateprotectionofallprivacydata.

11

SecureConfigurationsforNetworkDevicessuchasFirewalls,RoutersandSwitches

Thereareoftenregulatoryrequirements,or3rdpartyagreementsforsecuritycontrolsondevicesthatrouteprivacydatawithinorbetweennetworks.

• Networkandsecuritydevice

configurationscouldbeacompliancerequirement;orifthereisabreach,theycouldprovethelackofsufficientcontrolstoprotectdata.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,andwherethatdataflowsinandoutofthenetwork.Thatway,appropriateprotectionscanbeappliedtoallsystemsinthedataflowchain.

Implementauditingofregulatoryand3rdpartyagreementrequirementstoverifythelocationandappropriateprotectionofallprivacydata.

Page 14: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

13

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

12

BoundaryDefense

Theremightbeissueswiththetypeofdatathatiscollected,especiallyaboutuseractivity,emaillogs,orpersonalinformationwithinanactivitylogtowebsites.

• Thesecurityarchitecturecould

becomeacompliancerequirement;orifthereisabreach,insufficientperimetercontrolscouldprovelackofsufficientcontrolstoprotectdata.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,andwherethatdataflowsinandoutofthenetwork.

Makesureyouknowwhatdataisrecordedinperimetersecuritytools.Thesealertsandlogscouldcontainprivacyinformationthatshouldbeprotectedaccordingly.

Implementauditingofregulatoryand3rdpartyagreementrequirementstoverifythelocationandappropriateprotectionofallprivacydata.

Page 15: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

14

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

13

DataProtection

Thiscontrolrecommendsdatalosspreventiontools,whichcancollectPII.Aspartofthatprocess,sweepsofdevicescanrevealPII.

• Thesecurityconfigurationscould

becomeacompliancerequirement;orifthereisabreach,theycouldprovelackofsufficientcontrolstoprotectdata.

• Incorrectimplementationofencryption,useofweakencryptionalgorithms,orinsecuremanagementofencryptionkeyscouldleadtoprivacyrisks.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,whereitisstored,andthedataflowofthatdata.Thatway,appropriateprotectionscanbeappliedtoallsystemsinthedataflowchain.BesuretoaddressportabledevicesandmediathatmaycarryPII.

Implementauditingofregulatoryand3rdpartyagreementrequirementstoverifythelocationandappropriateprotectionofallprivacydata.

14

ControlledAccessBasedontheNeedtoKnow

Privacyisnotsimplyamatterofprotectingdatafromunauthorizedaccess,butalsooftheappropriateuseofdatabythosewithbusinessneedtoaccessthedata.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,whereitisstored,andwhoshouldhaveaccess.Applycontrolsandmonitoringtotheseaccounts.

Implementregularauditingofregulatoryand3rdpartyagreementrequirementstoverifywhohasaccesstoprivacydata.

Page 16: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

15

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

15

WirelessAccessControl

Wirelessaccessisubiquitous.Withinanorganization,guestsmightconnecttheirpersonal,ortheircompany-issueddevices,andemployeesmightconnecttheirpersonaldevicestolocalWiFi.

• Beawareofwhatinformationis

collectedaboutthedevice,andwhetheritmighthaveprivacyprotectionrequirements,orwhethercertaininformationshouldnotbecollectedoncitizensofsomecountries,ordataonWiFInetworksinofficesofthosecountries.

• Theremightbeissueswithtypeof

datathatiscollected,couldrelatetotrackingofdevice,oruseractivity,personalinformationwithinanactivitylog.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,whereitisstored,andthedataflowofthatdata.Thatway,appropriateprotectionscanbeappliedtoallsystemsinthedataflowchain.Forexample,aseparateWiFinetworkforusebyguests,preventsthemfromaccessingtheregularorganizationalnetwork.

Implementauditingofregulatoryand3rdpartyagreementrequirementstoverifythelocationandappropriateprotectionofallprivacydata.

Page 17: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

16

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

16

AccountMonitoringandControl

IntheUSA,employeeshaveonlylimitedexpectationsofprivacyfortheiraccountsoncorporatenetworks.Butinothercountries,therearestillexpectationsofprivacy,evenoncompanynetworks.Formultinationalcompanies,it’simportanttoknowtheserules.

• Therecouldbeinformationabout

whenandwhereauseraccessesinformation.

• Someremoteaccessand

multifactorauthenticationmechanismslogthegeolocationofuserswhentheyconnect.

• Whilethisvisibilityisappropriate

fortrackingunusualactivity,suchasauserknowntobeinonelocationlogginginfromanother.Orforinvestigations,toseewhereauserwasattimeofalogin,therearecountrieswherethiscouldbeaprivacyissuefortheircitizens.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,whereitisstored,andwhoshouldhaveaccess.Applycontrolsandmonitoringtotheseaccounts.

Implementregularauditingofregulatoryand3rdpartyagreementrequirementstoverifywhohasaccesstoprivacydata.

Beawareofthecitizenshipofusers,andtheprivacyrequirementsforanyinternationalofficesofyourorganizations.

Page 18: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

17

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

17

SecuritySkillsAssessmentandAppropriateTrainingtoFillGaps

Thisisaprivacytrainingopportunity

Trainingalllevelsoftechnicalstaffonprivacy,socializingprivacypoliciestousers,andpromotinggoodbehaviorinprotectingprivacyinformationareopportunitiestoimproveoverallenterpriseprivacyprograms.Coordinateorintegrateprivacyandsecuritytrainingforstaff.

18

ApplicationSoftwareSecurity

Applicationscanbeprimarycollectorsofprivacyinformation,andtheapplicationofthiscontrolcouldintroduceissuesifthisdataisloggedorrecordedaspartoferrororeventlog.

• Generallytheguidanceinthis

controlpromotesprivacy. • Applicationsmighthaveloggingor

errormessagesthatwritedatatohelpidentifyandtroubleshootproblems.Thereisachancethatsomeofthisdatamighthaveprivacyrequirements;it’simportanttoevaluatealllogs,backups,andcachestoreswhereprivacydatamightbepermanentlyortemporarilystored.

MakesurethereisadatagovernanceprocessthatidentifiesallPIIorprivacyrelateddata,whereitisstored,andwhoshouldhaveaccess.Applycontrolsandmonitoringtotheseaccounts.

Implementregularauditingofregulatoryand3rdpartyagreementrequirementstoverifywhohasaccesstoprivacydata.

Mostorganizationsmusthaveprivacypoliciesontheirwebsites,andcustomerfacingapplications(webormobile).Thesepoliciesdefinewhatinformationiscollected,howit’susedandshared,andhowit’sprotected.Considerhavingandpostingaprivacypolicyforinternalbusinessapplications.

Page 19: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

18

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

19

IncidentResponseandManagement

Therecouldbepersonalinformationrevealedorcollectedaspartofdatacollectionforanincident.Protectionofthisinformationisimportantforprivacy.

• Therearepacketcapturetools

thatorganizationsusetoasasourceofevidencewithdoinginvestigations.Becausetheylogalldatatotheweb,thesetoolsoftenhaveprivacyinformationfromemployeesaccessingtheirpersonalfinancialorhealthcareaccounts.

Builddatabreachreportingrequirementsintoincidentresponseplans.Whileconductinganinvestigation,orcollectingevidenceforforensics,workwithprivacyorlegalteamtounderstandwhatdatamighthaveprivacyrequirementsandprotectthatdataappropriately.Thisincludespossiblyredactingitinreportsthatcouldhavewidedistribution.

Considerlegalteamoverseeingincidentstoalloworganizationstomarkincidentreportsas“attorneyclientprivileged.”

Descriptionofincidentresponseofforensicproceduresshouldbeintheemployeeprivacystatement,soemployeesareaware.

Itisimportanttoprotectforensicdata,andtheaccesstothisdatasimilartootherprivacydata.

Page 20: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

19

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

CISCriticalSecurityControls(Version6):PrivacyControlName PrivacyImplications PrivacyMitigationSuggestions

20

PenetrationTestsandRedTeamExercises

Therecouldbepersonalinformationrevealedorcollectedaspartofthetestingprocess,especiallywithPhishing.Protectionofthisinformationcouldbeanissue.

• Inadditiontotheconsiderations

intheincidentresponseControl#19,partofmodernpenetrationtestingissocialengineering.Thisinvolvescollectinginformationabouttargetstouseinthescam.Somemethodologiessendphishingemailstotargetstosendthemtositestoenterpersonalinformation,laterusedforsocialengineeringortoresetapasswordwithhelpdesk.

Penetrationtestersshouldbeinformedbyprivacyorlegalteamsonwhatdataisconsideredprivacydata,andtolimitthecollectionofthatdata,protectanyprivacydatacollectedappropriately,andnotincludePIIinreports.

Considerlegalteamoverseeingpenetrationtestingtoalloworganizationstomarkfindingsreportsas“attorneyclientprivileged.”

Page 21: Privacy Implications Guide for - Center for Internet Security · 2017-03-17 · security and privacy/legal teams work together. While a full-scope privacy and security guide could

CISCriticalSecurityControls(Version6):PrivacyImplicationsGuide

20

PrivacyReferences• NationalAcademyofSciences:PrivacyResearchandBestPractices• TheCISControlsPrivacyImpactAssessmentCompanion• OASISPrivacymanagementreferencemodel• EUGeneralDataProtectionRegulation• EUPrivacyShield• PrivacybyDesign:the7FoundationalPrinciples• OECD,GuidelinesontheProtectionofPrivacyandTransborderFlowsofPersonalData,

http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata• DepartmentofHomelandSecurity,FairInformationPracticePrinciples:FrameworkforPrivacyPolicy,

https://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf• OrganizationforEconomicCo-operationandDevelopment(OECD)PrivacyPrinciples:http://oecdprivacy.org/• RobertGellman,FAIRINFORMATIONPRACTICES:ABasicHistory:http://bobgellman.com/rg-docs/rg-FIPShistory.pdf


HIPAA Privacy and Security Operational Guide Services, Inc. HIPAA Privacy and Security Operational Guide This guide has been created for Ensign-affiliated facilities and entities to

Privacy and Security Training Guide

Information Security, Privacy, Acknowledgement Security, Privacy, and Acceptable Use...I understand that applicable information security and privacy laws, policies and requirements

Federal: Privacy and Security - SCPMCS Privacy & Security 031914… · security so that patient privacy is protected. Following good privacy and security practices is also good sense

Privacy & Security Training - Texas CASAtexascasa.org/.../Privacy-and-Security-Course-Companion.pdfguidelines for confidentiality, privacy, physical and information security, breach

Privacy Matters - TELUS WISE · guide to help Canadians protect their online and offiine privacy Privacy Matters ... privacy and security risks. Facebook estimates that 7 percent

Privacy and Security Work Group Draft Privacy & Security Policies & Recommendations

drcrhono’s Privacy and Security Guide - drchrono · Web viewOne of these requirements is related to privacy and security. Please use this as a guide to complete your security risk

Privacy and Security of NPI - Office of HIPAA Privacy & Security

(English Version) Guide to Security and Privacy of Geolocation Tools

Public Feeling on Privacy, Security and Surveillance · Public Feeling on Privacy, Security ... on Privacy, Security and Surveillance ... upon the right to privacy. Over 60s do not

Personal Security and Privacy inPersonal Security and Privacy

Guide to the HL7 Healthcare Privacy and Security Classification System .... HCS Guide Final 2013... · Security Classification System (HCS) suitable for automated privacy and security

A GUIDE TO DATA PRIVACY AND SECURITY...•Plan in advance – Budget for proper security controls and infrastructure – Provide privacy and information security details in your grant

Guide for companies on cloud computing: security and privacy implications

NHIN Privacy & Security

A Practical Guide to Networking, Privacy & Security in iOS 10 (1.0

the usable security & privacy group · the usable security & privacy group. overview • framing privacy and security decisions • privacy and IoT • privacy on mobile devices

GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION · GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists (“AAO”) has

Privacy - Introductie Beware of privacy – security fallacies ! Privacy

Auditing Cloud Computing - A Security and Privacy Guide by Ben Halpert

Business: Security & Privacy

PGP & IP Security Pretty Good Privacy – PGP Pretty Good Privacy IP Security. IP Security

ISACA Privacy Principles and Program Management Guide Conferen… · ISACA Privacy Principles and Program Management Guide ... costs and risk of information security ... APO0 3 Privacy

HIT Standards Committee Privacy and Security Workgroup Dixie Baker, Chair, Privacy and Security Workgroup Walter Suarez, Co-Chair, Privacy and Security

A Legal Guide to Privacy and Data Security 2016

Privacy Security

IoT Security & Privacy - SentryBay - Security that works security and privacy_040715.pdfPage 3: © 2015 SentryBay Corporation / IoT Security & Privacy!!! IoT Security & Privacy The

Healthcare Privacy and Security Classification System (HCS) Guide

IT Security Procedural Guide: Security and Privacy ... Security_and_Privacy...2020/05/01  · CIO-IT Security-05-29, Revision 6 Security and Privacy Awareness and Role Based Training

Data Security & Privacy for School Districts: Policy Guide ... Workshops/2018... · Digital Data Security & Privacy Slide 1 Data Breaches ... CIPA - Children’s Internet Protection

Security & Privacy

Li Xiong CS573 Data Privacy and Security Healthcare privacy and security

HMIS Security & Privacy Plan - sacramentostepsforward.org · HMIS PRIVACY & SECURITY PLAN Sacramento County CoC PRIVACY & SECURITY Privacy refers to the protection of the client's

Privacy and security