Please enable JavaScript.
Coggle requires JavaScript to display documents.
Chapter 9 : Confidentiality and Privacy Controls - Coggle Diagram
Chapter 9 : Confidentiality and Privacy Controls
Protecting Confidentiality and Privacy of Sensitive Information
Identify and classify information to protect
Where is it located and who has access?
Classify value of information to organization
Encryption
Protect information in transit and in storage
Access controls
Controlling outgoing information (confidentiality)
Digital watermarks (confidentiality)
Data masking (privacy)
Training
Generally Accepted Privacy Principles
Management
Procedures and policies with assigned responsibility and accountability
Notice
Provide notice of privacy policies and practices prior to collecting data
Choice and consent
Opt-in versus opt-out approaches
Collection
Only collect needed information
Use and retention
Use information only for stated business purpose
Access
Customer should be able to review, correct, or delete information collected on them
Disclosure to third parties
Security
Protect from loss or unauthorized access
Quality
Monitoring and enforcement
Procedures in responding to complaints
Compliance
Encryption
Preventative control
Factors that influence encryption strength
Key length (longer = stronger)
Algorithm
Management policies
Stored securely
Encryption Steps
Takes plain text and with an encryption key and algorithm, converts to unreadable ciphertext (sender of message)
To read ciphertext, encryption key reverses process to make information readable (receiver of message)
Types of Encryption
Symmetric
Uses one key to encrypt and decrypt
Both parties need to know the key
Need to securely communicate the shared key
Cannot share key with multiple parties, they get their own (different) key from the organization
Asymmetric
Uses two keys
Public—everyone has access
Private—used to decrypt (only known by you)
Public key can be used by all your trading partners
Can create digital signatures
Virtual Private Network (VPN)
Securely transmits encrypted data between sender and receiver
Sender and receiver have the appropriate encryption and decryption keys.