Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to privacy and intellectual property in Domain 1, to understand how they interrelate and to guide your studies. This is the second of three videos for Domain 1. I've included links to the other mind map videos in the description below. These mind maps are one part of our overall CISSP MasterClass.

Let's begin with a definition of privacy: it's the state or condition of being free from being observed or
disturbed by other people, and you should remember that exact definition for the exam. But what does it mean, being free from being observed and disturbed? Essentially, privacy is the idea that an individual can withhold parts of their personal information from wider society, to control what personal information others know about them, as their personal information can potentially be used against them in ways that they would find disturbing. It could limit what jobs they can get, where they can travel, whether they can get health insurance, etc.

Implementing strong privacy controls within an organization begins with a good privacy
policy, and the most important part of a good privacy policy is well-defined roles with clear accountabilities and responsibilities. Many regulations around the world require that a company have a data controller, essentially an owner for the privacy program that is accountable for the privacy controls within an organization. The privacy policy should also clearly articulate what types of personal data the organization collects, how the data is used and stored, opt-out procedures, and the relevant security policies to protect the data. Further, there should be well-defined standards, procedures, baselines and guidelines that are based on the
privacy policy.

The major thing we are protecting from a privacy perspective is personal data, which can be defined as information that can be used on its own or in combination to identify an individual. Different laws and regulations refer to personal data in different ways: personally identifiable information, sensitive personal information, personal health information, personal information, lots of different ways. There is also the concept of what data can identify an individual and to what degree. Direct identifiers identify an individual on their own, so direct identifiers are things like government IDs, social insurance numbers, Social Security numbers, driver's
license numbers, passport numbers, etc., and other examples are things like a bank account number, maybe a certificate number, maybe your biometric data. These are examples of direct identifiers. Indirect identifiers do not on their own directly identify an individual, but if you have enough indirect identifiers you can uniquely identify an individual. Indirect identifiers are things like age, gender, ethnicity, city, state, ZIP code, postal code, where someone lives, etc. You can also group identifiers used online together, things like email address, IP address, cookies, etc. These are online identifiers.

Now let's talk about the data life cycle. The idea
of a data life cycle is to identify all the stages that data goes through, from when it's first created all the way to when it's destroyed. As security professionals, we can then determine what controls should be put in place to protect data in each of these stages. We ultimately want to protect the data that powers an organization's processes, systems and applications. The first stage in the data life cycle is creation/update, where new data is generated or existing data is altered, updated or modified in some way. As soon as data is created or updated,
we immediately need to store it somewhere. The storage stage is therefore where data is committed to some sort of storage repository, to memory or a hard drive. Next, the data will be used by people or processes from across the organization. The use stage covers viewing, processing or otherwise using the data in some way, but not modifying the data, as that fits in the first creation/update stage. Data needs to be shared, made accessible to others across the organization and to customers, business partners, regulators, etc. The sharing stage is where we think about who the
data can be shared with, under what circumstances and with what controls in place. Eventually, some data is no longer being actively used by the organization, and so to free up storage space on the systems and to save costs, this data can be archived in a long-term storage solution like tapes. The data should be retained for as long as necessary based on the data retention policy. And the final stage of the data life cycle is when data is no longer needed by the organization. This data should be permanently destroyed using physical or logical means. Depending on
requirements, data may need to be defensibly destroyed. Check out the link to the first Domain 2 video, where I go through the different data destruction methods and talk about what is defensible destruction.

What is the most important thing to do right at the very start of the data life cycle? Classify the data. The classification indicates how valuable the data is to the organization and therefore drives the controls that should be in place in each stage of the data life cycle: where the data can be stored and with what level of encryption and access controls,
who can use the data and for what purposes, who can the data be shared with and with what security controls in place, how long does the data need to be retained, and the requirements for how securely the data needs to be destroyed. Are we melting hard drives or selling them on Craigslist without even formatting?

The Organisation for Economic Co-operation and Development, the OECD, has come up with a set of privacy guidelines or principles. I'm emphasizing using the word guidelines because guidelines are not mandatory; they are best practices. This is very much true of the OECD
privacy principles. They are not mandatory requirements that an organization must meet, but rather they provide the most internationally recognized privacy guidelines and the basis for the creation of leading privacy programs within an organization. They help organizations structure their privacy program and consider what the program should cover. Eight principles are defined, beginning with collection limitation, which means that organizations should limit the collection of PII or personal data, obtain it lawfully and, where appropriate, with the knowledge or consent of the data subject, the data subject being the individual whom the data is about. The data
quality principle means PII should be relevant, accurate, complete and kept up to date. In other words, if an organization collects PII, they are now accountable for the integrity and accuracy of the data. And by the way, when I'm saying PII, that's just another way of saying personal data. The purpose specification principle means that the purpose for which PII is collected should be specified when collected. Organizations should clearly articulate what the PII they collect will be used for. The use limitation principle means PII should only be used or disclosed based on the purpose for which it was
collected, with the consent of the data subject or by authority of law. Security safeguards means PII should be protected by reasonable security controls against loss, unauthorized access, destruction, use, modification, etc. Basically, that good security controls need to be in place to protect the PII. You can't have privacy without security. The openness principle relates to an organization's culture. There should be a general policy of openness about developments, practices and policies with respect to PII. Organizations should not hide or be sketchy about what they're collecting and using PII for. The individual participation principle means an individual, a
data subject, should have the right to obtain their data from the controller and maybe even have their data removed. Under GDPR, this is often referred to as the right to be forgotten. And the last principle, accountability, means a data controller should be accountable for complying with other principles. In other words, there must be an owner, a data controller, who has clear accountability to protect the PII.

There are loads of different privacy laws and regulations around the world, and I'm happy to report that you don't need to be an expert on all of them to pass
the CISSP exam. You should, however, know a wee bit about GDPR, the General Data Protection Regulation, which is the core of the European Union's digital privacy legislation. GDPR is an extremely important regulation, as it is one of the most stringent in the world, and many countries around the world model their privacy regulations on GDPR. It is very much the global bellwether for privacy. An important piece from this extensive legislation: GDPR defines what are known as supervisory authorities, who are independent public authorities that need to be created in each member state of the EU. So within
Germany, within Spain, within Hungary, etc. The supervisory authorities in each state are responsible for monitoring and enforcing compliance with GDPR, helping organizations become compliant, and conducting investigations. Data subjects have the right to lodge a complaint with a supervisory authority, an SA. One more important piece of information here to remember related to GDPR: privacy breaches must be reported within 72 hours. The final piece that I'll cover here related to privacy is that you cannot achieve privacy without security. Privacy requires that we as security professionals implement the myriad of security controls to provide confidentiality, integrity and availability
of personal data.

Let's now talk briefly about intellectual property. Intellectual property refers to the legal rights that are granted to creators and owners of intangible assets such as inventions, works of art, symbols, designs and so forth. These rights allow the owners to have exclusive control over the use, distribution and commercialization of their creations, and to prevent others from using or exploiting them without permission. You need to know at a super high level what each of the following four intellectual property laws are focused on protecting. Trade secrets refer to confidential information that provides a business with
a competitive advantage over its competitors. A perfect example of a trade secret is the formula for Coke. Coca-Cola has never shared their formula with anyone, and nor will they ever. Companies can take legal action against anyone that steals or discloses their trade secrets without authorization. Patents are granted to inventors and provide their owners with exclusive ownership of an invention for a set period of time, essentially so that an inventor can profit from their invention. This encourages innovation. The amount of time a patent is valid for varies widely around the world, so don't bother memorizing anything
related to how long a patent is valid for. You'll never see a question. Copyright protects the creative expression of an idea, not the idea itself, embodied in a fixed medium such as books, movies, songs, etc., for a set period of time. You can copyright a book, movie or song, for instance, and the point of the copyright is to prevent someone from making an exact copy of your book, movie or song and selling it. Remember that copyright protects the expression of an idea. And finally, trademarks are symbols, words, phrases or designs that distinguish and identify a
brand or product from others in the marketplace. Think the Nike Swoosh or the McDonald's arches. Companies trademark their logo, for example, so that another company can't use the same logo on their products and create confusion in the marketplace.

And that is an overview of privacy and intellectual property within Domain 1, covering the most critical concepts you need to know for the exam. Something really cool we are providing with these mind map videos is a completely free downloadable version of all of these mind maps in PDF format. We even include a blank version of each mind
map in case you want to print them out and take notes as you listen along. Link to download the mind maps is in the description below.