ITPro.TV: CompTIA Security+ (SY0-601)

CompTIA Security+ Exam Cram

Today I’ll be working through my last reading from the Security+ Exam Cram (chapter 35), “Sensitive Data and Privacy”.

Data Sensitivity Labeling and Handling

Common data classification labels:

Data often changes its sensitivity level depending on its stage of use (for example, quarterly financials move from sensitive → public).

Privacy Laws and Regulatory Compliance

Keep in mind that PII, like any kind of data classification, is contextual. A set of data points which is not PII by itself can become PII when combined with other data (deanonymization, etc.).

PHI needs to be protected for 50 years after the individuals death (!!!).

Data Roles and Responsibilities

Key roles:

Note that it’s not uncommon for a single person to have multiple roles w.r.t. a given piece/type of data.

ITPro.TV: CompTIA Security+ (SY0-601)

Privacy and Data Sensitivity — Breaches & Data Types

Initial steps when containing a data breach:

PHI breaches require that the USDHHS be notified, and may trigger mandatory media notifications.

Broad data categories:

Governmental data classifications:

Equivalent common business data classifications:

The idea here is to combine both categories and classifications to determine who should have access to a given piece of data.

Privacy and Data Sensitivity — Privacy Enhancing Tech

Data masking can either be “static” (a completely altered data set) or “deterministic” (mapping “fake” data to the actual data in a one-to-one fashion). Masking sometimes is done one-the-fly when it is transferred between systems (“on-the-fly” masking is called “dynamic” masking when there is no “testing” datastore on the other side, just a process/application of some kind).

Data masking techniques:

The key difference between pseudonymization and anonymization is that the former is theoretically reversible (and may be functionally reversible with access to the original mapping / lookup table), while the latter is not. Anonymization is actually quite difficult for real-world data without purposefully destroying the patterns/relationships within the data set.

Privacy and Data Sensitivity — Roles & Responsibilities

“Roles” correspond to a particular job, while “responsibilities” correspond to that job’s functions.

Privacy and Data Sensitivity — Other Areas

Information lifecycle:

Note that “use” and “share” are optional steps, and one or both may actually not happen.

A “privacy impact assessment” is just an assessment covering how PII is collected, used, shared, and maintained… And what the impact to the business would be should any of these processes have a CIA breakdown. The goal is to make sure that privacy protections are integrated into the entire SDLC.

A “privacy notice” is the externally-facing version/description of a “privacy policy”.

Nathan Acks
May 7, 2022