Bài giảng Romney_ais13 - Chapter 9: Confidentiality and Privacy Controls

Confidentiality and Privacy ControlsChapter 99-1Learning ObjectivesIdentify and explain controls designed to protect the confidentiality of sensitive information.Identify and explain controls designed to protect the privacy of customers’ personal information.Explain how the two basic types of encryption systems work.9-2Protecting Confidentiality and Privacy of Sensitive InformationIdentify and classify information to protectWhere is it located and who has access?Classify value of information to organizationEncryptionProtect information in transit and in storageAccess controlsControlling outgoing information (confidentiality)Digital watermarks (confidentiality)Data masking (privacy)Training9-3Generally Accepted Privacy PrinciplesManagementProcedures and policies with assigned responsibility and accountabilityNoticeProvide notice of privacy policies and practices prior to collecting dataChoice and consentOpt-in versus opt-out approachesCollectionOnly collect needed informationUse and retentionUse information only for stated business purposeAccessCustomer should be able to review, correct, or delete information collected on themDisclosure to third partiesSecurityProtect from loss or unauthorized accessQualityMonitoring and enforcementProcedures in responding to complaintsCompliance9-4EncryptionPreventative controlFactors that influence encryption strength:Key length (longer = stronger)AlgorithmManagement policiesStored securely 9-5Encryption StepsTakes plain text and with an encryption key and algorithm, converts to unreadable ciphertext (sender of message)To read ciphertext, encryption key reverses process to make information readable (receiver of message)9-6Types of EncryptionSymmetricAsymmetricUses one key to encrypt and decryptBoth parties need to know the keyNeed to securely communicate the shared keyCannot share key with multiple parties, they get their own (different) key from the organizationUses two keysPublic—everyone has accessPrivate—used to decrypt (only known by you)Public key can be used by all your trading partnersCan create digital signatures9-7Virtual Private NetworkSecurely transmits encrypted data between sender and receiverSender and receiver have the appropriate encryption and decryption keys.9-8Key TermsInformation rights management (IRM)Data loss prevention (DLP)Digital watermarkData maskingSpamIdentity theftCookieEncryptionPlaintextCiphertextDecryptionSymmetric encryption systemsAsymmetric encryption systemsPublic keyPrivate keyKey escrowHashingHashNonrepudiationDigital signatureDigital certificateCertificate of authorityPublic key infrastructure (PKI)Virtual private network (VPN)9-9