Privacy Safeguards

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> Now we're going to talk about privacy safeguards.
00:00
In this lesson, we're going to talk about
00:00
the considerations when implementing
00:00
>> privacy protection,
00:00
>> and maybe the common privacy protection measures.
00:00
Here it is again, our chart of the various types
00:00
of PII and sensitive PII.
00:00
Then one of the more important things
00:00
for an organization to consider
00:00
is where is the personally identifiable information,
00:00
how is it stored?
00:00
Then as a business,
00:00
although some PII might be necessary to function,
00:00
how is it collected, used, and retained?
00:00
How do we overall minimize
00:00
>> the amount of PII we collect?
00:00
>> Are there some piece of information
00:00
that may be collected for analysis that
00:00
really aren't worth the risk that come with
00:00
the potential legal regulatory penalties
00:00
for the disclosure of PII.
00:00
One of the ways you can really
00:00
assess your risks related to
00:00
PII is through a privacy impact assessment.
00:00
This can be done in a number of ways,
00:00
but in the same way that
00:00
data discovery was done to identify where
00:00
the sensitive or important information was
00:00
within your Cloud-based environment,
00:00
the same can be done.
00:00
Same methods can be applied to
00:00
identify in blacks to privacy,
00:00
especially when it comes to user data,
00:00
how it's stored,
00:00
what protection should be implemented around it.
00:00
Now speaking of protections,
00:00
let's talk about the safe guards
00:00
>> that can be implemented
00:00
>> to protect the privacy
00:00
of information and Cloud environments.
00:00
The first one is de-identification.
00:00
This is fairly straightforward.
00:00
It's really just changing records in a way
00:00
that the PII is removed or obstructed in some way.
00:00
Then we'll talk about
00:00
some techniques such as obfuscation,
00:00
which can be used to completely obscure this data.
00:00
The second is generalization.
00:00
This is making the data just less
00:00
precise and this can be implemented on
00:00
a role-based level so
00:00
that people with different access can
00:00
see it more and more granular views of
00:00
the data based on their need to see it.
00:00
Then there's suppression which is
00:00
deleting entire records or certain parts of
00:00
a record so that that PII is gone
00:00
>> when no longer needed.
00:00
>> Then there's the notion of introducing noise,
00:00
which is just adding small amounts of variation
00:00
or random data to strings of
00:00
information that could contain
00:00
PII as a means of just disrupting
00:00
its interpretation and stopping
00:00
that ability to connect
00:00
>> the information to an individual.
00:00
>> Swapping is another technique that's used.
00:00
This is exchanging certain data from one field of
00:00
a record with another field
00:00
>> to jumble up the information.
00:00
>> Again, make identification of
00:00
an individual more difficult.
00:00
Then there's always replacement.
00:00
This is just replacing data with average values or
00:00
other hold ends to just remove
00:00
sensitive data when again, it's not necessary.
00:00
The whole point here is to really just
00:00
understand where does this PII exist,
00:00
what risks to privacy exists
00:00
within our organization? Where is it stored?
00:00
What techniques, if any,
00:00
can we implement as
00:00
an organization to protect the privacy of our users,
00:00
decrease the risks associated
00:00
with the disclosure of PII for
00:00
our organization and protect the data in general,
00:00
wherever it is stored or used
00:00
or processed within the Cloud environment.
00:00
Let's reflect for a moment,
00:00
what PII does your organization collect?
00:00
I know this is not something we often think about.
00:00
Sometimes we're focused to just work within
00:00
a particular role and our
00:00
focus on operational objectives.
00:00
But considering the sensitivity
00:00
of information that we have access to
00:00
on a daily basis is a critical aspect of being
00:00
a cogent and effective security practitioner
00:00
in Cloud environments.
00:00
Then that should lead us to our next question.
00:00
What privacy safe guard does your organization use or
00:00
should be using to protect privacy?
00:00
Oftentimes they think, this
00:00
information's here in our organization,
00:00
we are using it for business purposes,
00:00
people provided our information,
00:00
but there really should be another level
00:00
of scrutiny regarding,
00:00
well, people are trusting us.
00:00
It's part of our brand and part of
00:00
our business cases to maintain people's trust in us.
00:00
How do we enforce that level of privacy protection,
00:00
even internally within our organization
00:00
when no one is necessarily even aware.
00:00
This is the mindset of being
00:00
ineffective data protection steward
00:00
and being a good steward of our customer's privacy.
00:00
In summary, we talked about
00:00
the considerations to protect privacy.
00:00
Basically minimizing the amount of
00:00
PII an organization has,
00:00
and being very aware of how it's used,
00:00
stored within Cloud environments.
00:00
Talked about using privacy impact assessments to
00:00
understand the privacy risks facing an organization.
00:00
Then we talked about some of
00:00
the techniques that can be used to
00:00
safeguard privacy in cloud environments.
00:00
See you in the next lesson.
Up Next