CHAPTER 9: CONFIDENTIALITY AND PRIVACY CONTROLS

PRESERVING CONFIDENTIALITY

Information rights management (IRM)

(1) identify and classify the information to be protected

(2) encrypt the information

(3) control access to the information

(4) train employees to properly handle the information

  • Software that offers the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform.

Data loss prevention (DLP)

Software that works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.

Digital watermark - Code embedded in documents that enables an organization to identify confidential information that has been disclosed.

Training is arguably the most important control for protecting confidentiality. Employees need to know what information they can share with outsiders and what information needs to be protected.

PRIVACY CONTROLS

The first step to protect the privacy of personal information collected from customers, employees, suppliers, and business partners is to identify what information the organization possesses, where it is stored, and who has access to it.

Data masking - Protecting privacy by replacing sensitive personal information with fake data. Also called tokenization.

PRIVACY CONCERNS

Spam - Unsolicited e-mail that contains either advertising or offensive content.

Identity theft - Assuming someone’s identity, usually for economic gain.

Encryption - The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.

Plaintext - Normal text that has not been encrypted.

Ciphertext - Plaintext that was transformed into unreadable gibberish using encryption.

Decryption - Transforming ciphertext back into plaintext.

TYPES OF ENCRYPTION SYSTEMS

Symmetric encryption systems - Encryption systems that use the same key both to encrypt and to decrypt.

Asymmetric encryption systems - Encryption systems that use two keys (one public, the other private); either key can encrypt, but only the other matching key can decrypt.

Public key - One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.

Private key - One of the keys used in asymmetric encryption systems. It is kept secret and known only to the owner of that pair of public and private keys.

Key escrow - The process of storing a copy of an encryption key in a secure location.

Hashing - Transforming plaintext of any length into a short code called a hash.

Hash - Plaintext that has been transformed into a short code.

Nonrepudiation - Creating legally binding agreements that cannot be unilaterally repudiated by either party.

Digital signature - A hash encrypted with the hash creator’s private key.