Data Protection Regulations and Risk Assessment: A Comprehensive Guide - Prof. Pham, Study notes of Compilers

An in-depth understanding of data protection processes and regulations, focusing on risk assessments. It covers the definition of data protection, the importance of data protection regulations, and the steps involved in risk assessment. The document also discusses the concept of data protection in relation to an organization's availability and management of data.

Typology: Study notes

2019/2020

Uploaded on 10/01/2021

nam-nguyen-15

  • I. Risk Assessment Procedures (P5):
      1. Definition of risk and risk assessment:
      2. Asset and threat identification procedures:
          2.1. Asset and threat:
          2.2. Threat identification procedures:
      3. Risk assessment procedure:
      4. Risk identification steps:
  • II. Data protection processes and regulations as applicable to an organization (P6):
      1. Definition of data protection:
      2. Data protection processes in relation to an organization:
      3. The importance of data protection regulation:
  • III. Design and implement a security policy for an organization (P7):
      1. Definition and discussion of security policy:
      2. Examples of security policies:
      3. The elements of creating a security policy:
      4. Steps to design a policy:
  • IV. Main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8):
      1. Business continuity:
      2. Components of a recovery plan:
      3. Disaster recovery process steps:
      4. Some of the policies and procedures required for business continuity:
  • Figure 1: What is risk?
  • Figure 2: IT risk assessment
  • Figure 3: Asset and threat identification
  • Figure 4: Data protection
  • Figure 5: Data protection process
  • Figure 6: IT security policy
  • Figure 7: Business Continuity Plan
  • Figure 8: Components of disaster recovery plan
  • Figure 9: BCP Lifecycle

I. Risk Assessment Procedures (P5):

1. Definition of risk and risk assessment:

a) Security risk

Security risk encompasses the consequences that could arise from the threats and weaknesses associated with the operation and use of information systems, and the environments in which such systems function, for an entity and its stakeholders. In terms of the types of effect that may arise from the occurrence of a security-related event, security risk overlaps with many other types of risk. It is also affected by factors attributed to other risk categories, including strategic, budgetary, program management, investment, political, legal, supply chain and enforcement risk. Financial losses, loss of privacy, reputational damage, legal consequences and even loss of life are examples of the harm such risk can cause.

b) Risk assessment

A Security Risk Assessment (SRA) is an assessment that involves identifying the risks in your company, your technology and your processes in order to verify that the controls in place cover the security threats. Compliance standards, such as the PCI-DSS requirements for payment card authentication, usually require security risk assessments. They are mandated by the AICPA as part of a SOC 2 audit for service organizations, and are also, to name just a few, criteria for ISO 27001, HITRUST CSF and HIPAA compliance. Because of this, security risk assessments go by several names: a risk assessment, an IT infrastructure risk assessment, a security risk audit or a security audit. Security risk assessments are carried out by a security assessor who analyzes all aspects of the business processes in order to locate risk areas. These may be as basic as a device protected by a weak password, or more complicated problems such as insecure business processes. While working to identify potential risks, the assessor will typically review everything from HR policies to firewall configurations.

Figure 1: What is risk?

Figure 2: IT risk assessment

2nd step: Decide who might be harmed and how
3rd step: Assess the risks and take action
4th step: Make a record of the findings
5th step: Review the risk assessment

2. Asset and threat identification procedures:

Figure 3: Asset and threat identification

2.1. Asset and threat:

a) Definition of asset: In information protection, computer security and network security, an asset is any data, system or other component of the environment that supports information-related activities. Assets usually include hardware (e.g. servers and switches), software (e.g. mission-critical applications and support systems) and sensitive information. Assets should be protected against unauthorized access, use, disclosure, modification, damage and/or theft, any of which would result in a loss to the organization.

b) Definition of threat: A security threat is a possible negative action or event, facilitated by a weakness in computer security, that results in an unintended effect on a computer system or application. A threat can be either an "intentional" negative event (i.e. hacking by an individual cracker or a criminal organization), an "accidental" negative event (e.g. the possibility of a computer failure, or the possibility of a natural disaster such as an earthquake, a fire or a tornado), or otherwise a circumstance, capability, action or event. This is distinct from a threat actor, who is a person or group that can perform the action of the threat, such as leveraging a vulnerability to cause a negative effect.

2.2. Threat identification procedures: Threat identification is a process of collecting data on possible threats that can assist management in identifying information security risks. Threat modeling is a systematic methodology that helps an organization aggregate and assess possible threats. Institutions should consider using threat modeling to better understand the existence, frequency and complexity of threats; to determine the institution's information security vulnerability; and to apply this awareness to the institution's information security program. Threat identification considers the sources of threats, their capabilities and their objectives.

Actions to take:
  • Identify and assess threats.
  • Use threat knowledge to drive risk assessment and response.
  • Design policies that allow immediate and consequential threats to be dealt with expeditiously.

3. Risk assessment procedure:

Risk assessment procedures are audit procedures carried out to gain an understanding of the organization and its environment, including the entity's internal controls, in order to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement level and at the assertion level. The risk assessment is divided into 5 steps:

1st step: Identify the hazards

  • Determined who would be affected
  • Controlled and dealt with obvious hazards
  • Initiated precautions to keep risks low
  • Kept your staff involved in the process

5th step: Review the assessment and update if necessary

Your workplace is always changing, so your organization's threats change too. Every new piece of equipment, procedure or individual that is introduced brings the risk of a new hazard. To stay on top of these new risks, continually review and update the risk management process.

4. Risk identification steps:

There are five core steps within the risk identification and management process: risk identification, risk analysis, risk evaluation, risk treatment and risk monitoring.

1st step: Risk identification. The goal of risk identification is to expose what, where, when, why and how something could affect an organization's ability to operate. A business in central California, for example, may list "the possibility of wildfire" as an event that could interfere with business operations.

2nd step: Risk analysis. This step involves determining the likelihood of a risk event occurring and the likely outcome of each event. Using the California wildfire example, safety managers may determine how much rainfall has occurred in the last 12 months and the degree of harm the organization could face if a fire occurs.

3rd step: Risk evaluation. Risk evaluation compares and ranks the severity of each risk according to prominence and consequences. For example, the effects of a possible wildfire can be weighed against the effects of a possible mudslide; whichever event is calculated to have the higher likelihood of occurring and causing harm will rank higher.

4th step: Risk treatment. Risk treatment is often referred to as risk response planning. In this step, risk reduction techniques, preventive measures and contingency plans are built based on the assessed importance of each risk. Using the wildfire example, risk managers can opt to house additional network servers offsite so that business operations can continue if an onsite server is destroyed. The risk manager can also create evacuation plans for staff.

5th step: Risk monitoring. Risk management is a continuous process that adapts and changes over time. Repeating and continually tracking these processes helps to ensure optimum coverage of known and unknown threats.

II. Data protection processes and regulations as applicable to an organization (P6):

1. Definition of data protection:

a) Definition: Data protection is the process of safeguarding important information from corruption, compromise or failure. As the volumes of data generated and processed continue to expand at exponential rates, the value of data protection increases.

Figure 5: Data protection process

3. The importance of data protection regulation:

Data is becoming increasingly valuable. The skills and possibilities for retrieving various kinds of personal data are also evolving extremely rapidly. Unauthorized, reckless or ignorant processing of personal data can cause great harm to individuals and businesses. As the volume of data generation and processing continues to expand at exponential rates, the value of data security increases. There is also little tolerance for downtime that can make it difficult to access critical data. Three reasons why data protection regulation is relevant are given below:

  • First, the object of personal data protection is not only to protect the data of individuals, but also to protect the fundamental rights and freedoms of individuals related to such data. By preserving personal data, it is possible to guarantee that the rights and freedoms of individuals are not violated. Incorrect processing of personal data, for example, may lead to a situation where a person is passed over for a job opportunity or, worse, loses their current job.
  • Secondly, failure to comply with the regulations on personal data security can lead to even harsher circumstances, in which it becomes possible to remove all the money from an individual's bank account or even create a life-threatening situation by manipulating health information.
  • Thirdly, data protection regulations are essential to guarantee fair and consumer-friendly trade and service provision. Personal data protection laws create a situation where personal data cannot be openly sold, for instance, which ensures that individuals have more control over who can sell to them and what kind of offers they receive.

4. The methods of data protection procedures:

You will be given 6 methods that help you protect your data better:

Risk assessments: The riskier the data, the more security it has to be given. Critical data should be tightly guarded, while less security can be given to low-risk data. Cost-benefit is the key justification for these assessments, as better data protection means higher expenditure. They are, however, a good test to decide what information needs to be more tightly guarded, and they make the entire data processing system more efficient. Your risk assessment should be based on two axes: the possible severity in the event of a data breach, and the likelihood of a breach. On both of these axes, the greater the risk, the more vulnerable the data is. Such assessments will also involve the assistance of a Data Protection Officer (Privacy Officer), who will help you create valid ground rules. Unless you are completely confident that you know what you are doing, do not do it on your own. Mischaracterized data could prove devastating if lost.

Backups: Backups are a way to avoid the data loss that can occur due to user errors or technical malfunctions. Backups should be made and updated on a regular basis. Daily backups will place an extra expense on your company, but a disruption of your normal business operations would cost much more. Time is money! Backups should be carried out in line with the principle explained above: low-importance information does not have to be backed up as often, but sensitive information does. These backups should be saved, and preferably encrypted, in a secure location. Never store sensitive data in the cloud. Regularly review storage media for degradation according to the manufacturer's instructions, and ensure that they are stored according to official recommendations (check humidity, temperature, etc.). Compared to hard disks, tape storage is still a cheaper alternative (by two-thirds). Hard drives, however, are more compact and better suited to small-scale operations, and data access with disk storage is often much quicker.

Encryption:

Destruction: There will come a time when it is appropriate to destroy the data you hold. At first glance, data destruction may not seem like a form of security, but it really is: it secures the data against unauthorized recovery and access. Under the GDPR, you are allowed to delete the data you do not need, and more thorough methods of destruction are required for confidential data. Hard disks are most commonly destroyed by degaussing, while paper records, CDs and tape drives are shredded into tiny pieces. For confidential data, on-site destruction is recommended. Encrypted data can easily be destroyed simply by deleting the decryption keys, so that the data remains unreadable... for at least the next several decades, after which it would probably be redundant anyway.
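The key-deletion form of destruction described above, as an added example in Go that is not part of these notes: each backup is encrypted with AES-256-GCM under its own key, and Shred overwrites that key, after which the ciphertext, still intact on disk or tape, can no longer be opened. The names Seal, Open, Shred, gcmFor, the demo key and the "hr-2020" label are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed example: backups are encrypted per dataset; destroying the key destroys the data.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a backup with AES-256-GCM and returns nonce || ciphertext.
// The dataset label is bound as associated data so a blob cannot be relabelled.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open decrypts a blob produced by Seal; it fails once the key is shredded.
func Open(key, blob []byte, label string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short for dataset %s", label)
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(label))
}

// Shred destroys the data by overwriting its key in place; the ciphertext may stay on disk or tape.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key only
	blob, _ := Seal(key, []byte("constructed sample: salary table"), "hr-2020")
	Shred(key)
	_, err := Open(key, blob, "hr-2020")
	fmt.Println("restore after shred:", err) // non-nil: authentication fails
}
```

In a real deployment the key lives in a separate key store and Shred is applied there, so the retention decision never requires touching every backup copy.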

III. Design and implement a security policy for an organization (P7):

1. Definition and discussion of security policy:

a) Definition: A security policy defines what it means for a system, organization or other entity to be secure. For an organization, it addresses the constraints on the behavior of its members as well as the constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flows within them, constraints on access by external systems and adversaries (including programs), and access to data by people.

Figure 6: IT security policy

b) Discussion: We live in a world where computers are globally connected and accessible, leaving digitized information extremely vulnerable to fraud, exploitation and destruction. Security breaches are inevitable. Crucial decisions and defensive actions must be swift and accurate. A security policy sets out what needs to be done in order to secure the information stored on computers. A well-written policy provides a sufficient description of "what" to do so that the "how" can be defined, quantified or determined. Without a security policy, any company is left open to the world. It is necessary to remember that a risk assessment must first be performed in order to evaluate the policy needs. This enables an entity to identify levels of sensitivity in terms of information, processes, procedures and systems.

c) The importance: A key step in preventing and minimizing security breaches is to establish an effective security policy and take action to ensure compliance. To make your security policy truly successful, update it in response to changes in your business, new threats, lessons learned from previous breaches, and other changes to your security posture. Make your information protection policies realistic and enforceable. The policy should have an exception process in place to meet requirements and emergencies that arise from various parts of the organisation. If it is important to be secure, then it is important to be sure that all security measures are implemented by

  1. Any employee, contractor or individual with access to systems or data.
  2. Definition of data to be protected (you should identify the types of data and give examples so that your users can identify it when they encounter it):
      • PII
      • Financial
      • Restricted/Sensitive
      • Confidential
      • IP

3.0 Policy – Employee requirements

  3. You need to complete ’s security awareness training and agree to uphold the acceptable use policy.
  4. If you identify an unknown, un-escorted or otherwise unauthorized individual in you need to immediately notify .
  5. Visitors to must be escorted by an authorized employee at all times. If you are responsible for escorting visitors, you must restrict them to appropriate areas.
  6. You must not reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by . For example, the use of external e-mail systems not hosted by to distribute data is not allowed.
  7. Please keep a clean desk. To maintain information security, you need to ensure that all printed in-scope data is not left unattended at your workstation.
  8. You need to use a secure password on all systems as per the password policy. These credentials must be unique and must not be used on other external systems or services.

  1. Terminated employees will be required to return all records, in any format, containing personal information. This requirement should be part of the employee onboarding process, with employees signing documentation to confirm they will do this.
  2. You must immediately notify in the event that a device containing in-scope data is lost (e.g. mobiles, laptops, etc.).
  3. In the event that you find a system or process which you suspect is not compliant with this policy or the objectives of information security, you have a duty to inform so that they can take appropriate action.
  4. If you have been assigned the ability to work remotely, you must take extra precautions to ensure that data is appropriately handled. Seek guidance from if you are unsure as to your responsibilities. Please ensure that assets holding in-scope data are not left unduly exposed, for example visible on the back seat of your car.
  5. Data that must be moved within is to be transferred only via business-provided secure transfer mechanisms (e.g. encrypted USB keys, file shares, email, etc.). will provide you with systems or devices that fit this purpose. You must not use other mechanisms to handle in-scope data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose, you must raise this with .
  6. Any information being transferred on a portable device (e.g. USB stick, laptop) must be encrypted in line with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek guidance from .

b) Data leak prevention – data in motion:

Using this policy

This example policy is intended to act as a guideline for organizations looking to implement or update their DLP controls. Adapt this policy, particularly in line with requirements for usability or in accordance with the regulations or data you need to protect. This policy provides a framework for classes of data that you may wish to monitor. You should expand them to cover the sensitive assets in your business and subject to the types of you hold.

Background to this policy