Domain 1 - Privacy & Intellectual Property MindMap

Introduction

Hey, I’m Rob Witcher from Destination Certification, and I’m here to help YOU pass the CISSP exam. We are going to go through a review of the major topics related to Privacy and Intellectual Property in Domain 1, to understand how they interrelate, and to guide your studies.

This is the second of three videos for domain 1. I have included links to the other MindMap videos in the description below. These MindMaps are one part of our complete CISSP MasterClass.

Definition of Privacy

Let’s begin with a definition of privacy. It is the State or condition of being free from being observed or disturbed by other people. And you should remember that exact definition for the exam. But what does it mean? Being free from being observed and disturbed. Essentially privacy is the idea that an individual can withhold parts of their personal information from wider society. To control what personal information others know about them, as their personal information can potentially be used against them in ways that would disturb them: limit what jobs they can get, where they can travel, whether they can get health insurance, etc.

Privacy policy

Standards
Procedures
Baselines
Guidelines

Further there should be well defined standards, procedures, baselines and guidelines that are based on the privacy policy.

Personal Data

The major thing that we are protecting from a privacy perspective is Personal data which can be defined as Information that can be used on its own or in combination to identify an individual.

PII
SPI
PHI
PI

Different laws and regulations refer to personal data in different ways:

· Personally Identifiable Information (PII)
· Sensitive Personal Information (SPI)
· Personal Health Information (PHI)
· Personal Information (PI)

Direct Identifiers

There is also the concept of what data can identify an individual and to what degree. Direct Identifiers identify an individual on their own. So direct identifiers are things like Government IDs (social insurance numbers, social security numbers, drivers license numbers, passport numbers), as well as bank account numbers, certificate numbers, names and biometric data. These are all direct identifiers.

Indirect Identifiers

Indirect identifiers, do not on their own, directly identify an individual, but if you have enough indirect identifiers you can uniquely identify an individual. Indirect identifiers are things like age, gender, ethnicity, city, state, zip or postal code.

Online Identifiers

You can also group identifiers used online together, things like email address, ip address, cookies, etc.

Data Lifecycle

Now let’s talk about the data lifecycle. The idea of an data lifecycle is to identify all the stages that data goes through from when it is first created all the way to when it is destroyed. As security professionals we can then determine what controls we should put in place to protect data in each of these stages.

We ultimately want to protect the data that powers an organization's processes, systems, and applications.

Creation / Update

The first stage in the data lifecycle is Creation / update: where new data is generated, or existing data is altered, updated, or modified in some way.

Store

As soon as data is created or updated, we immediately need to store it somewhere. The storage stage is therefore where data is committed to some sort of storage repository: to memory, or a hard drive.

Use

Next, the data will be used by people or processes from across the organization. The use stage covers viewing, processing, or otherwise using the data in some way, but not modifying the data as that fits up in the first creation / update stage.

Share

Data needs to be shared with, made accessible, to others across the organization, and to customers, business partners, regulators, etc. The sharing stage is where we think about who the data can be shared with, under what circumstances and with what controls in place.

Archive

Eventually some data is no longer being actively used by the organization and so to free up storage space on the system and save costs, this data can be archived in a long-term storage solution. The data should be retained for as long as necessary based on the data retention policy.

Destroy

What is the most important thing to do right at the very start of the data lifecycle? Classify the data. The classification indicates how valuable the data is to the organization and therefore drives the controls that should be in place in each stage of the data lifecycle:
· Where the data can be stored, and with what level of encryption and access controls
· Who can use the data and for what purposes?
· Who can the data be shared with, and with what security controls in place?
· How long data needs to be retained?
· And the requirements for how securely the data needs to be destroyed. Are we melting hard drives or selling them on craigslist without even formatting them?

OECD Guidelines

The Organisation for Economic Co-operation and Development, the OECD, have come up with a set of privacy guidelines or principles. I’m emphasizing that word guidelines, because guidelines are not mandatory, they are best practices. This is very much true of the OECD Privacy Principles; they are not mandatory requirements that an organization must meet, but rather they provide the most internationally recognized privacy framework and the basis for the creation of leading privacy programs within an organization. They help organizations structure their privacy program and consider what the program should cover. Eight principles are defined.

Collection Limitation

Beginning with collection limitation which means that organizations should limit the collection of PII, obtain it lawfully, and where appropriate, with the knowledge or consent of the data subject. The data subject being the individual for who the data is about.

Data Quality

The data quality principle means PII should be relevant, accurate, complete and kept up-to-date. In other words if an organization collects PII they are now accountable for the integrity and accuracy of the data.

Purpose Specification

The purpose specification principle means the purposes for which PII is collected should be specified when collected. Organizations should clearly articulate what the PII they collect will be used for.

Use Limitation

The Use Limitation Principle means PII should only be used / disclosed based on the purposes for which it was collected with consent of the data subject or by authority of law.

Security Safeguards

Security Safeguards means PII should be protected by reasonable security controls against loss, unauthorized access, destruction, use, modification, etc. Basically, that good security controls need to be in place to protect the PII.

Openness

The Openness Principle relates to an organization's culture. There should be a general policy of openness about developments, practices and policies with respect to PII. Organizations should not hide or be sketchy about what they are collecting and using PII for.

Individual Participation

The Individual Participation Principle means an individual, a data subject, should have the right to obtain their data from the controller, and have their data removed. Under GDPR this is often referred to as the right be forgotten.

Accountability

And the last principle, Accountability, means a data controller should be accountable for complying with the other principles. In other words, there must be an owner, a data controller, who has clear accountability to the protection of PII.

GDPR

There are loads of different privacy laws and regulations around the world, and I’m happy to report that you do not need to be an expert on all of them for the CISSP exam. You should, however, know a wee bit about GDPR, the General Data Protection Regulation, which is the core of the European Union’s digital privacy legislation. GDPR is an extremely important regulation as it is one of the most stringent in the world, and many countries around the world model their privacy regulations on GDPR. It is very much the global bellwether for privacy.

Supervisory Authority (SA)

An important piece from this extensive legislation: GDPR defines what are known as Supervisory Authorities who are independent public authorities that need to be created in each member state of the EU. The Supervisory Authorities in each state are responsible for monitoring and enforcing compliance with GDPR, helping organizations become compliant, and conducting investigations.

Data subjects have the right to lodge a complaint with a Supervisory Authority.

Breaches reported within 72 hours

One more important piece of information to remember related to GDPR: privacy breaches must be reported within…. 72 hours.

Cannot Achieve Privacy without Security

The final piece that I’ll cover here related to privacy is that you cannot achieve privacy without security. Privacy requires that we as security professionals implement the myriad of security controls to provide confidentiality, integrity, and availability of personal data.

Intellectual Property

Lets now talk briefly about intellectual property. Intellectual property refers to the legal rights that are granted to creators and owners of intangible assets, such as inventions, works or art, symbols, designs, and so forth. These rights allow the owners to have exclusive control over the use, distribution, and commercialization of their creations, and to prevent others from using or exploiting them without permission. You need to know at a super high-level what each of the following four intellectual property laws are focused on protecting.

Trade Secret

Trade secrets refer to confidential information that provides a business with a competitive advantage over its competitors. A perfect example of a trade secret is the formula for coke. Coca Cola have never shared their formula with anyone, and nor will they ever. Companies can take legal action against anyone that steals or discloses their trade secrets without authorization.

Patent

Patents are granted to inventors and provide their owners with exclusive ownership on an invention for a set period of time. Essentially so that an inventor can profit from their invention - this encourages innovation. The amount of time a patent is valid for varies widely around the world so don’t bother memorizing anything related to how long a patent is valid for.

Copyright

Copyright protects the creative expression of an idea (not the idea itself) embodied in a fixed medium such as books, movies, songs, etc. for a set period of time. You can copyright a book, movie, or song for instance, and the point of the copyright is to prevent someone from making an exact copy of your book, movie, or song and selling it. Remember that copyright protects the expression of an idea.

Trademark

And finally, trademarks are symbols, words, phrases, or designs that distinguish and identify a brand or product from others in the marketplace. Think the Nike swoosh or McDonalds arches. Companies trademark their logo, for example, so that another company can’t use the same logo on their products and create confusion in the marketplace.

And that is an overview of Privacy and Intellectual Property within Domain 1, covering the most critical concepts you need to know for the exam.

Something really cool we are providing with these MindMap videos is a completely FREE downloadable version of all the MindMaps in PDF format. We even include a blank version of each MindMap in case you want to print them out and take notes as you listen along. Link to download the MindMaps is in the description below.

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.

I will provide links to the other MindMap videos in the description below.

Thanks very much for watching! And all the best in your studies!