CHAPTER 9 : CONFIDENTIALITY AND PRIVACY CONTROLS - Coggle Diagram
9. DIGITAL CERTIFICATES AND PUBLIC KEY INFRASTRUCTURE
certificate authority (CA)
- A trusted organization that verifies the identity of the owner of a public key and then issues a digital certificate, signed with the CA's own private key, that binds that identity to the public key. In a well-designed PKI the key pair is generated by its owner and the private key stays with the owner; the CA sees and certifies only the public half.
public key infrastructure (PKI)
- The system of policies, roles, and software for generating key pairs and for issuing, distributing, validating, and revoking the corresponding digital certificates.
digital certificate
- An electronic document, signed by a certificate authority, that certifies the identity of the owner of a particular public key and contains that party's public key. A relying party checks the CA's signature on the certificate before trusting the key inside it.
2. Privacy
a. PRIVACY CONTROLS
data masking
- Protecting privacy by replacing sensitive personal information with realistic but fake data, for example in test or analytics copies of a production database; masking is intended to be irreversible. A related technique, tokenization, substitutes a random token for the real value and keeps the token-to-value mapping in a separately protected vault, so authorized systems can still recover the original.
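The two techniques side by side, as an added example that is not part of the textbook outline. The card number, the `mask_pan` function and the `TokenVault` class are constructed for this illustration; a production vault would be a separate, access-controlled service rather than an in-memory dictionary.

```python
# Added example (not from the textbook): data masking versus tokenization.
import secrets


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Data masking: an irreversible substitute that keeps only what the
    consumer of the data needs (here, the last four digits of a card number)."""
    digits = pan.replace(" ", "").replace("-", "")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


class TokenVault:
    """Tokenization: the real value is swapped for a random token that carries
    no information about it.  Recovery is possible only through the vault,
    which is the one place the real values live (hypothetical in-memory design)."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:            # same value -> same token, so joins still work
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._by_token:         # vanishingly unlikely, but keep tokens unique
            token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]           # KeyError for a token the vault never issued


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"                # constructed sample card number
    print(mask_pan(pan))                       # ************1111
    vault = TokenVault()
    token = vault.tokenize(pan)
    print(token, "->", vault.detokenize(token))
```

Note that the masked value cannot be turned back into the card number by anyone, whereas the token can be, but only by a caller with access to the vault; that is why tokenization is used where a downstream process (refunds, recurring billing) still needs the real value.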
b. PRIVACY CONCERNS
spam
- Unsolicited e-mail that contains either advertising or offensive content
identity theft
- Assuming someone’s identity, usually for economic gain.
4. Encryption
plaintext
- Normal text that has not been encrypted.
ciphertext
- Plaintext that was transformed into unreadable gibberish using encryption.
encryption
- The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
decryption
- Transforming ciphertext back into plaintext.
6. TYPES OF ENCRYPTION SYSTEMS
Public key
- One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.
Private key
- One of the keys used in asymmetric encryption systems. It is kept secret and known only to the owner of that pair of public and private keys.
asymmetric encryption systems
- Encryption systems that use a mathematically related pair of keys (one public, the other private). Either key can encrypt, but only the other, matching key can decrypt: encrypt with the recipient's public key and only the holder of the private key can read the result (confidentiality); transform with your own private key and anyone with the public key can check the result (digital signatures).
key escrow
- The process of storing a copy of an encryption key in a secure location, so that an authorized party (the organization or a trusted third party) can recover encrypted data if the key is lost or its owner leaves. The escrow itself becomes a high-value target and must be protected at least as well as the data it unlocks.
symmetric encryption systems
- Encryption systems that use the same key both to encrypt and to decrypt. They are much faster than asymmetric systems, but the shared key must first be delivered to both parties over a secure channel; solving that distribution problem is the main practical use of asymmetric encryption.
8. DIGITAL SIGNATURES
nonrepudiation
- The property that a party cannot later deny having sent or signed a message, which makes digitally signed agreements legally binding and not unilaterally repudiable by either party. Digital signatures provide it because only the holder of the private key could have produced the signature.
digital signature
- A hash of a document that has been transformed (loosely, "encrypted") with the signer's private key. Anyone holding the signer's public key can reverse the transformation and compare the result with a freshly computed hash of the document; a match proves both that the document is unchanged and that the holder of the private key signed it.
10. VIRTUAL PRIVATE NETWORKS (VPNS)
virtual private network (VPN)
- Using encryption and authentication to securely transfer information over the Internet, thereby creating a “virtual” private network.
3. PRIVACY REGULATIONS AND GENERALLY ACCEPTED PRIVACY PRINCIPLES
Access - An organization should provide individuals with the ability to access, review, correct, and delete the personal information stored about them.
Disclosure to third parties - Organizations should disclose their customers’ personal information to third parties only in the situations and manners described in the organization’s privacy policies and only to third parties who provide the same level of privacy protection as does the organization that initially collected the information.
Use, retention, and disposal - Organizations should use customers’ personal information only in the manner described in their stated privacy policies and retain that information only as long as it is needed to fulfill a legitimate business purpose.
Security - An organization must take reasonable steps to protect its customers’ personal information from loss or unauthorized disclosure.
Collection - An organization should collect only the information needed to fulfill the purposes stated in its privacy policies.
Choice and consent - Organizations should explain the choices available to individuals and obtain their consent prior to the collection and use of their personal information. The nature of the choices offered differs across countries.
Quality - Organizations should maintain the integrity of their customers’ personal information and employ procedures to ensure that it is reasonably accurate.
Notice - An organization should provide notice about its privacy policies and practices at or before the time it collects personal information from customers, or as soon as practicable thereafter.
Monitoring and enforcement - An organization should assign one or more employees to be responsible for ensuring compliance with its stated privacy policies.
Management - Organizations need to establish a set of procedures and policies for protecting the privacy of personal information they collect from customers, as well as information about their customers obtained from third parties such as credit bureaus.
5. FACTORS THAT INFLUENCE ENCRYPTION STRENGTH
a. KEY LENGTH
Longer keys provide stronger encryption by enlarging the key space an attacker must search: each additional bit doubles the number of possible keys, so brute-force guessing quickly becomes infeasible. Key length does not by itself hide patterns in the plaintext. Whether identical plaintext blocks produce identical ciphertext blocks depends on the cipher's mode of operation (ECB leaks such patterns; CBC and CTR do not), not on the size of the key.
b. ENCRYPTION ALGORITHM
The nature of the algorithm used to combine the key and the plaintext is important. A strong algorithm has no known attack that is materially faster than brute-force guessing of the key. Secrecy of the algorithm is not necessary for strength: a sound design assumes the algorithm is public and relies only on the secrecy of the key (Kerckhoffs's principle).
c. POLICIES FOR MANAGING CRYPTOGRAPHIC KEYS
The management of cryptographic keys is often the most vulnerable aspect of encryption systems. No matter how long the keys are, or how strong an encryption algorithm is, if the keys have been stolen, the encryption can be easily broken. Key management policy therefore covers how keys are generated, where they are stored (ideally in an HSM or other hardware-protected store), how they are distributed, how often they are rotated, and how they are destroyed.
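The two points about key length, shown in working code as an added example that is not part of the textbook outline. To stay self-contained it uses a toy block cipher (a four-round Feistel network with an HMAC-SHA256 round function) rather than AES; the cipher, the `ATTACK AT DAWN!!` plaintext and the key sizes are constructed for this illustration, not something to deploy. The first part encrypts a plaintext made of one repeated block and counts duplicate ciphertext blocks: ECB leaks the repetition even with a 256-bit key, CBC hides it even with a 16-bit key. The second part brute-forces a small key so the cost of the search can be seen to track the key space.

```python
# Added example (not from the textbook): key space vs. mode of operation.
import hashlib
import hmac
import os

BLOCK = 16          # block size in bytes
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy Feistel cipher (not a vetted design)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "toy example: caller pads to the block size"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted independently, so equal plaintext blocks
    # give equal ciphertext blocks no matter how long the key is.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block before
    # encryption, so equal plaintext blocks no longer line up.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def brute_force_key(key_bits: int, known_plaintext: bytes, known_ciphertext: bytes):
    """Exhaustive search of a key_bits-bit key space (2**key_bits candidates);
    the work doubles with every extra bit of key length."""
    nbytes = (key_bits + 7) // 8
    for guess in range(1 << key_bits):
        key = guess.to_bytes(nbytes, "big")
        if block_encrypt(key, known_plaintext) == known_ciphertext:
            return key
    return None


if __name__ == "__main__":
    plaintext = b"ATTACK AT DAWN!!" * 8                 # constructed: one block repeated 8 times
    long_key, short_key = os.urandom(32), os.urandom(2)
    print("ECB, 256-bit key, repeated blocks:", repeated_blocks(ecb_encrypt(long_key, plaintext)))  # 7
    print("CBC,  16-bit key, repeated blocks:",
          repeated_blocks(cbc_encrypt(short_key, os.urandom(BLOCK), plaintext)))                   # 0
    secret = (1234).to_bytes(2, "big")                   # a 12-bit key: only 4096 possibilities
    found = brute_force_key(12, plaintext[:BLOCK], block_encrypt(secret, plaintext[:BLOCK]))
    print("12-bit key recovered by brute force:", found == secret)
```

Running the brute force with a 12-bit key takes a few thousand trial encryptions; every additional bit doubles that, which is the whole content of "longer keys are stronger". The duplicate-block count, by contrast, is unchanged by the key length and is fixed entirely by the choice of ECB versus CBC.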
1. Preserving Confidentiality
a. IDENTIFY AND CLASSIFY INFORMATION TO BE PROTECTED
The first step to protect the confidentiality of intellectual property and other sensitive business information is to identify where such information resides and who has access to it.
This sounds easy, but undertaking a thorough inventory of every digital and paper store of information is both time-consuming and costly because it involves examining more than just the contents of the organization's financial systems.
digital watermark
- Code embedded in documents that enables an organization to identify confidential information that has been disclosed and, when each copy carries a distinct mark, to trace which copy (and therefore which recipient) leaked.
b. PROTECTING CONFIDENTIALITY WITH ENCRYPTION
Encryption (discussed later in this chapter) is an extremely important and effective tool to protect confidentiality.
It is the principal way to protect information in transit over the Internet, and it is a necessary part of defense-in-depth for information stored on websites or in a public cloud. It must be paired with sound key management, since anyone who holds the key can read the data.
c. CONTROLLING ACCESS TO SENSITIVE INFORMATION
information rights management (IRM) - Software that offers the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform.
Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.
data loss prevention (DLP)
- Software that works like antivirus in reverse: it inspects outgoing traffic (e-mail, instant messages, uploads, etc.) and blocks or flags messages containing keywords, phrases, or data patterns (such as card numbers) associated with intellectual property or other sensitive data the organization wants to protect.
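A minimal version of the outbound filter described under DLP in section 1c, as an added example that is not part of the textbook outline. The detection rules (a card-number pattern validated with the Luhn check so that order numbers that merely look like card numbers are not blocked, a US SSN pattern, and an internal classification marker) and the sample messages are constructed for this illustration; a real product would carry far more rules and inspect attachments as well.

```python
# Added example (not from the textbook): a keyword/pattern DLP filter.
import re

# Constructed rules.  13-16 digits with optional single spaces or dashes
# between them; the Luhn check below weeds out look-alike numbers.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|PROJECT FALCON)\b", re.I)

# Constructed sample outbox: two harmless messages, three that must not leave.
SAMPLE_MESSAGES = [
    "Hi, the invoice is attached. Thanks!",
    "Order 1234567890123 shipped today",            # 13 digits, fails Luhn: not a card
    "Card 4111 1111 1111 1111 exp 12/27",           # valid Luhn: card number
    "Candidate SSN 123-45-6789 on file",
    "Draft of PROJECT FALCON spec attached",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_message(text: str):
    """Return (category, matched_text) findings; an empty list means the message may leave."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):   # cuts false positives on tracking/order numbers
            findings.append(("card_number", m.group()))
    findings += [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [("classification_marker", m.group()) for m in MARKER_RE.finditer(text)]
    return findings


def should_block(text: str) -> bool:
    return bool(scan_message(text))


def filter_outbound(messages):
    """Split a batch of outgoing messages into (allowed, blocked-with-reasons)."""
    allowed, blocked = [], []
    for msg in messages:
        hits = scan_message(msg)
        if hits:
            blocked.append((msg, hits))
        else:
            allowed.append(msg)
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = filter_outbound(SAMPLE_MESSAGES)
    for msg in allowed:
        print("ALLOW ", msg)
    for msg, hits in blocked:
        print("BLOCK ", msg, "->", hits)
```

The Luhn step is the part worth copying: pattern-only DLP rules generate a stream of false positives on invoice, order and tracking numbers, and every false block teaches users to route around the control.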
7. HASHING
hashing
- Transforming input of any length into a short, fixed-length code called a hash (for SHA-256, always 256 bits). A cryptographic hash function is one-way (the input cannot be recovered from the hash) and collision resistant (it is infeasible to find two inputs with the same hash), and any change to the input produces a completely different hash.
hash
- The fixed-length output of a hash function, used as a fingerprint of the input for integrity checks and digital signatures. Unlike ciphertext, a hash is not meant to be reversed: there is no key and no decryption.