Privacy Implications Guide for the CIS Critical Security Controls™ (Version 6)

Acknowledgements: The Center for Internet Security gratefully acknowledges the contributions provided by Mary Ellen Callahan, Chair of Jenner & Block's Privacy and Information Governance Practice; Rick Doten, Chief of Cyber and Information Security at the Crumpton Group LLC; and other expert volunteers from the CIS Community for the content and editing of this guide.
CIS Critical Security Controls (Version 6): Privacy Implications Guide
Contents
• Introduction
• Audience and Use of Privacy Guide
• Scope of this document
• Privacy Principles
• Privacy References
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode. To further clarify the Creative Commons license related to the content of this Privacy Implications Guide for the CIS Critical Security Controls (the "Privacy Guide"), you are authorized to copy and redistribute the content of the Privacy Guide for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon this Privacy Guide, you may not distribute the modified materials. Commercial use of the Privacy Guide is subject to the prior approval of The Center for Internet Security.
Introduction
Many professionals within the cybersecurity industry struggle to understand the differences between privacy and security. Some view both as an interrelated means to an end: privacy means using encryption to protect confidentiality. This confusion makes it challenging for IT professionals to protect privacy effectively: you can't have privacy without security, but you can have security without privacy. Additionally, legal staff grapple with the implications of changes in technology that often outpace the law.

This document is a companion to the CIS Critical Security Controls for Effective Cyber Defense v.6 (CIS Controls), which are a set of prioritized best practices designed to protect information systems and assets against internal and external threats. The Privacy Guide supports these objectives by aligning privacy principles and highlighting potential privacy concerns that are implicated by the CIS Controls. The CIS Controls provide guidelines and examples for IT security programs by describing a comprehensive list of key security areas to be addressed, including threats to personal information and privacy. This Guide is intended to identify opportunities to integrate privacy considerations into data security controls.
Audience and Use of Privacy Guide
The National Academy of Sciences (NAS) Privacy Research and Best Practices report poses that, "organizations must develop and continuously adapt their own internal policies and practices to protect privacy—beyond those that are legally mandated—in order to be effective and maintain the trust of their stakeholders and the public."

This Privacy Guide is a resource meant for both IT Security professionals who are familiar with the CIS Controls, and privacy or legal staff within organizations. The document hopes to provide bridging information for both IT Security professionals looking to better understand how privacy applies to IT security controls, and privacy or legal professionals who need to better understand how modern technology and IT processes might impact privacy.

We hope that the document starts a line of communication between these two key groups, and enhances the governance process by which business and legal management communicate with IT and IT security teams. Proper data governance will help to better understand the privacy implications and develop and implement appropriate privacy controls. We hope that privacy professionals learn about the CIS Controls and how they can be a tool to support privacy requirements.
This Guide should be a good starting point to establish a constructive dialogue and cooperation among all groups. The Privacy Guide is useful for enterprises of any size: large organizations that might not have good communication between IT and legal teams, and Small/Medium Enterprises (SMEs) that might not know what they need to know. The Guide outlines some of the privacy implications of the CIS Controls and suggests mitigation approaches.

Topics like regulatory requirements, data protection standards, requirements within partner agreements, and breach disclosure laws might not be known to technical staff, who should understand what they need to prepare for reporting. There is no silver bullet to approaching privacy considerations, as they are often complex and will vary by country, state, industry, customer type and other factors.
Scope of this document
In noting privacy implications of the CIS Controls and suggesting mitigations, this document focuses on privacy requirements and best practices for enterprises. It takes a broad view of international privacy laws, as they vary from country to country, and provides guidance on what is needed for organizations to make their own risk-based decisions. As such, it is critical that IT security and privacy/legal teams work together.

While a full-scope privacy and security guide could run thousands of pages, this Guide is only meant as a starting point to outline the most essential processes that every organization should focus on when dealing with data privacy and security concerns. Although the following topics fall outside the scope of the Guide, we encourage organizations to be mindful of the following issues, where applicable:

• Evolving national and international laws
• Safe Harbor's replacement by Privacy Shield in the EU
• Breach disclosure requirements nationally, regionally, and internationally
• Big Data analysis, issues of secondary use, and derived data
• Privacy related to personal mobile devices used in the enterprise
• Privacy for Internet of Things (IoT), such as personal wearable devices, autos, smart homes, etc.

Privacy Principles
The following overarching privacy principles should be discussed between IT Security and corporate privacy or legal teams within any organization:

• Privacy is based on the Fair Information Practice Principles: Transparency, Individual Participation, Collection Limitation, Purpose Specification, Use Limitation, Data Quality, Security, and Accountability.
• Privacy is a human right in Europe. In the United States, influential scholars and jurists have defined privacy as a legal right, like "the right to be let alone," or an individual's right "to control, edit, manage, and delete information about them[selves] and decide when, how, and to what extent information is communicated to others."
• Privacy is a value; it is normative and varies among cultures in its particulars. For example, an individual's financial information is considered personal information requiring protection in the U.S., but not in Europe; an individual's business contact information (e.g., business email address or phone number) is considered personal in Europe, but not in the U.S.
• Security is not normative; it is about building systems that perform according to specifications, including specifications to implement policies on privacy.
• Privacy is not just the C of the security triad of Confidentiality, Integrity, and Accessibility.
• Security is essential to privacy: it is one of the foundational principles of privacy.
CIS Critical Security Controls (Version 6): Privacy

Each entry below gives the CSC #, Control Name, Privacy Implications, and Privacy Mitigation Suggestions.
CSC 1: Inventory of Authorized and Unauthorized Devices

Privacy Implications: Computing assets are usually tied to employees. Knowledge about a device and where it is located could provide a link to an individual.
• There might be issues with the name of the individual tied to the device (if the device name is also the user name).
• Sometimes organizations issue different devices based on role; for instance, developers might get more powerful laptops than general staff, or executives might get tablets. Knowledge of this could allow enumeration of a user's role.
• With personal mobile devices, device management might track the location of that device at any given time, which could determine the whereabouts of a user.

Privacy Mitigation Suggestions: Technical staff should work with the corporate privacy officer or legal counsel to identify what requirements are needed for privacy data protection.
Device inventories should be protected as personal information.
Enterprises should have a privacy policy that lets users know the privacy risks of mobile devices, and what could be derived from the devices they have.
CSC 2: Inventory of Authorized and Unauthorized Software

Privacy Implications: Applications, tied to devices, that are tied to individuals may hold personal data, or allow someone to glean information about that user.
• Some software applications may contain personal information (e.g., employer-sponsored wellness or financial applications).
• When managing apps on mobile devices, there might be issues with certain personal applications related to lifestyle, health tracking, or personal finances.
• When users are using personal devices for work, this becomes more acute, as certain applications could indicate lifestyles that might be used to discriminate.

Privacy Mitigation Suggestions: Technical staff should work with the corporate privacy officer or legal counsel to identify what requirements are needed for privacy data protection.
In the inventory, identify applications likely to contain personal or confidential information. Apply appropriate protections to the inventory and to sensitive applications.
Note: A data inventory and classification process can be coordinated with the initial creation and maintenance of the software inventory.
Software inventories of employee personal mobile devices should be protected as personal information.
Enterprises should have a privacy policy that lets users know these characteristics, and what could be derived from the devices they have.
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Privacy Implications: There are often regulatory requirements, or 3rd party agreements, for security controls on systems that store privacy information.
• The security configurations could be a compliance requirement; or, if there is a breach, their absence could prove lack of sufficient controls to protect data.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, where it is stored, and the data flow of that data. That way, appropriate protections can be applied to all systems in the data flow chain.
Implement auditing of regulatory and 3rd party agreement requirements to verify the location and appropriate protection of all privacy data.
CSC 4: Continuous Vulnerability Assessment and Remediation

Privacy Implications: There might be regulatory requirements or 3rd party agreements for identifying and managing vulnerabilities to systems that store privacy information.
• Similar to managing secure configurations, the identification of vulnerabilities that could allow unauthorized access to privacy data could be a compliance issue, or lead to a breach, which would require disclosure.
• If there is a breach, inadequate vulnerability management could prove lack of sufficient controls to protect data.

Privacy Mitigation Suggestions: Applying the guidance from the CIS Controls for vulnerability management will contribute to situational awareness of vulnerabilities and to being proactive about potential weaknesses in privacy controls.
CSC 5: Controlled Use of Administrative Privileges

Privacy Implications: Administrators of systems, applications, and databases have full access to any data stored on the platform.
• For PII or PHI data, there is no business need for sysadmins to have access to this data. Controlling this access could be a compliance requirement, and failure to control it could lead to unauthorized access and require disclosure.
• The Control recommends multi-factor authentication; some implementations log the geolocation of the user at time of login.

Privacy Mitigation Suggestions: Technical staff should work with the corporate privacy officer or legal counsel to identify what requirements are needed for privacy data protection, including the monitoring of users with administrative privileges, as legally allowed.
There are tools that can limit administrative access to privacy data at the system or application level. These tools also can monitor access, set alerts for unauthorized access, or provide log reports to prove administrators did not access data.
Implement auditing of regulatory and 3rd party agreement requirements to verify the location and appropriate protection of all privacy data.
CSC 6: Maintenance, Monitoring & Analysis of Audit Logs

Privacy Implications: Some access or error logs from applications might contain privacy data.
• There might be issues with the type of data that is collected, especially about user activity, or personal information within an activity log.
• It is possible that privacy data is logged or cached at the system or application level.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, where it is stored, and the data flow of that data, including what is logged.
Administrators should work with the corporate Privacy Officer or legal department to understand what potential PII is stored in logs and alerts; that data should be protected at the same level as the data itself, including appropriate retention limits.
CSC 7: Email and Web Browser Protections

Privacy Implications: Email is the most prominent business communication channel; the email server holds all emails sent by users from their work accounts, be they business or personal.
Most large organizations have gateways for protection and monitoring of email and web traffic, which store activity about web searches, and are another repository of emails.
Web browsers have local histories of all sites visited by the user.
There are tracking cookies used by websites to "follow and record" all the sites visited by a user; additionally, web browsers sometimes have vulnerabilities that allow external sites to capture privacy data.
Personal information could be within emails, history of web activity, or capture of personal information in event logs.

Privacy Mitigation Suggestions: Administrators should work with the corporate Privacy Officer or legal department to understand what potential PII is stored in web and email logs and alerts; that data should be protected at the same level as the data itself.
Users will need to be trained on appropriate email and web activity related to handling privacy data. They should not send privacy data over unencrypted channels, or to non-authorized locations or individuals.
Similar to CSC 2, the regular updating and patching of web browsers, as well as use of script-blocking add-ons, or restricted use of applications such as Flash, will contribute to protecting user privacy and that of others whose personal information users handle.
CSC 8: Malware Defenses

Privacy Implications: Sometimes malware collects personal information, such as contacts. Sometimes the alerts or logs from endpoint or perimeter malware defenses contain this data.
Malware might collect and send privacy data outside of the network over insecure channels.

Privacy Mitigation Suggestions: Some host and perimeter malware tools might record sensitive data. These alerts and logs could contain privacy information that should be protected accordingly.
Administrators should work with the corporate Privacy Officer or legal department to understand what potential PII is stored in logs and alerts; that data should be protected at the same level as the data itself.
CSC 9: Limitations and Control of Network Ports, Protocols and Services

Privacy Implications: There are often regulatory requirements for secure configurations and controls on systems that store privacy information.
• The security configurations could become a compliance requirement; or, if there is a breach, they could prove lack of sufficient controls to protect data.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, where it is stored, and the data flow of that data. That way, appropriate protections can be applied to all systems in the data flow chain.
Implement auditing of regulatory and 3rd party agreement requirements to verify the location and appropriate protection of all privacy data.
CSC 10: Data Recovery Capability

Privacy Implications: Personal data might be backed up and stored in an insecure manner, or in a country that violates the privacy requirements regarding the data subjects.

Privacy Mitigation Suggestions: Make sure the data governance process identifies all PII and privacy related data. Develop backup plans that account for any specific privacy protections or geographic restrictions.
Implement auditing of regulatory and 3rd party agreement requirements to verify the location and appropriate protection of all privacy data.
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers and Switches

Privacy Implications: There are often regulatory requirements, or 3rd party agreements, for security controls on devices that route privacy data within or between networks.
• Network and security device configurations could be a compliance requirement; or, if there is a breach, they could prove the lack of sufficient controls to protect data.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, and where that data flows in and out of the network. That way, appropriate protections can be applied to all systems in the data flow chain.
Implement auditing of regulatory and 3rd party agreement requirements to verify the location and appropriate protection of all privacy data.
CSC 12: Boundary Defense

Privacy Implications: There might be issues with the type of data that is collected, especially about user activity, email logs, or personal information within an activity log to websites.
• The security architecture could become a compliance requirement; or, if there is a breach, insufficient perimeter controls could prove lack of sufficient controls to protect data.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, and where that data flows in and out of the network.
Make sure you know what data is recorded in perimeter security tools. These alerts and logs could contain privacy information that should be protected accordingly.
Implement auditing of regulatory and 3rd party agreement requirements to verify the location and appropriate protection of all privacy data.
CSC 13: Data Protection

Privacy Implications: This control recommends data loss prevention tools, which can collect PII. As part of that process, sweeps of devices can reveal PII.
• The security configurations could become a compliance requirement; or, if there is a breach, they could prove lack of sufficient controls to protect data.
• Incorrect implementation of encryption, use of weak encryption algorithms, or insecure management of encryption keys could lead to privacy risks.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, where it is stored, and the data flow of that data. That way, appropriate protections can be applied to all systems in the data flow chain. Be sure to address portable devices and media that may carry PII.
Implement auditing of regulatory and 3rd party agreement requirements to verify the location and appropriate protection of all privacy data.
CSC 14: Controlled Access Based on the Need to Know

Privacy Implications: Privacy is not simply a matter of protecting data from unauthorized access, but also of the appropriate use of data by those with a business need to access the data.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, where it is stored, and who should have access. Apply controls and monitoring to these accounts.
Implement regular auditing of regulatory and 3rd party agreement requirements to verify who has access to privacy data.
CSC 15: Wireless Access Control

Privacy Implications: Wireless access is ubiquitous. Within an organization, guests might connect their personal or their company-issued devices, and employees might connect their personal devices to local WiFi.
• Be aware of what information is collected about the device, and whether it might have privacy protection requirements, or whether certain information should not be collected on citizens of some countries, or data on WiFi networks in offices of those countries.
• There might be issues with the type of data that is collected; it could relate to tracking of the device, user activity, or personal information within an activity log.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, where it is stored, and the data flow of that data. That way, appropriate protections can be applied to all systems in the data flow chain. For example, a separate WiFi network for use by guests prevents them from accessing the regular organizational network.
Implement auditing of regulatory and 3rd party agreement requirements to verify the location and appropriate protection of all privacy data.
CSC 16: Account Monitoring and Control

Privacy Implications: In the USA, employees have only limited expectations of privacy for their accounts on corporate networks. But in other countries, there are still expectations of privacy, even on company networks. For multinational companies, it's important to know these rules.
• There could be information about when and where a user accesses information.
• Some remote access and multifactor authentication mechanisms log the geolocation of users when they connect.
• While this visibility is appropriate for tracking unusual activity (such as a user known to be in one location logging in from another) or for investigations (to see where a user was at the time of a login), there are countries where this could be a privacy issue for their citizens.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, where it is stored, and who should have access. Apply controls and monitoring to these accounts.
Implement regular auditing of regulatory and 3rd party agreement requirements to verify who has access to privacy data.
Be aware of the citizenship of users, and the privacy requirements for any international offices of your organization.
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

Privacy Implications: This is a privacy training opportunity.

Privacy Mitigation Suggestions: Training all levels of technical staff on privacy, socializing privacy policies to users, and promoting good behavior in protecting privacy information are opportunities to improve overall enterprise privacy programs. Coordinate or integrate privacy and security training for staff.
CSC 18: Application Software Security

Privacy Implications: Applications can be primary collectors of privacy information, and the application of this control could introduce issues if this data is logged or recorded as part of an error or event log.
• Generally the guidance in this control promotes privacy.
• Applications might have logging or error messages that write data to help identify and troubleshoot problems. There is a chance that some of this data might have privacy requirements; it's important to evaluate all logs, backups, and cache stores where privacy data might be permanently or temporarily stored.

Privacy Mitigation Suggestions: Make sure there is a data governance process that identifies all PII or privacy related data, where it is stored, and who should have access. Apply controls and monitoring to these accounts.
Implement regular auditing of regulatory and 3rd party agreement requirements to verify who has access to privacy data.
Most organizations must have privacy policies on their websites and customer-facing applications (web or mobile). These policies define what information is collected, how it's used and shared, and how it's protected. Consider having and posting a privacy policy for internal business applications.
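As an added example that is not part of the CIS guide, the filter below shows one way to keep the PII that CSC 6 and CSC 18 warn about out of application error and event logs: it scrubs the rendered message before any handler writes it and tags the record with what it found, so a handler can apply the stricter protection and retention the guide calls for. The two PII patterns (email addresses and SSN-formatted numbers) and the sample log calls are constructed assumptions; a real deployment would take its patterns from the data inventory.

```python
"""Redact PII from application log records before they are written."""
import logging
import re

# Constructed, illustrative patterns for PII kinds that commonly leak into
# error logs; extend this table from the organization's data inventory.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def redact(text):
    """Return (scrubbed text, sorted list of PII kinds that were found)."""
    found = []
    for kind, pattern in PII_PATTERNS.items():
        text, count = pattern.subn("[REDACTED-%s]" % kind, text)
        if count:
            found.append(kind)
    return text, sorted(found)


class PIIRedactingFilter(logging.Filter):
    """Scrub the fully rendered message (so %-args cannot smuggle PII past the
    filter) and mark the record with record.pii_kinds for downstream handlers."""

    def filter(self, record):
        scrubbed, kinds = redact(record.getMessage())
        record.msg = scrubbed      # scrubbed rendered text replaces msg + args
        record.args = ()
        record.pii_kinds = kinds   # [] when nothing was redacted
        return True                # never drop the record, only sanitize it


def scrub_record(msg, *args):
    """Build a LogRecord the way the logging module does, run the filter, and
    return the (message, pii_kinds) a handler would see."""
    record = logging.LogRecord("app", logging.ERROR, __file__, 0, msg, args, None)
    PIIRedactingFilter().filter(record)
    return record.getMessage(), record.pii_kinds


# Constructed sample log calls, not taken from any real application.
SAMPLE_CALLS = [
    ("password reset failed for %s", ("alice@example.com",)),
    ("claim %s rejected: ssn %s did not match", ("C-17", "123-45-6789")),
    ("healthcheck ok", ()),
]


def count_records_with_pii(calls=SAMPLE_CALLS):
    """Return how many of the given log calls carried PII before scrubbing."""
    return sum(1 for msg, args in calls if scrub_record(msg, *args)[1])


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("app")
    log.addFilter(PIIRedactingFilter())   # filter runs before any handler
    for msg, args in SAMPLE_CALLS:
        log.error(msg, *args)
```

The filter is attached to the logger rather than a handler so every handler, including file and syslog handlers with long retention, sees only the scrubbed text.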
CSC 19: Incident Response and Management

Privacy Implications: There could be personal information revealed or collected as part of data collection for an incident. Protection of this information is important for privacy.
• There are packet capture tools that organizations use as a source of evidence when doing investigations. Because they log all data going to the web, these tools often have privacy information from employees accessing their personal financial or healthcare accounts.

Privacy Mitigation Suggestions: Build data breach reporting requirements into incident response plans. While conducting an investigation, or collecting evidence for forensics, work with the privacy or legal team to understand what data might have privacy requirements and protect that data appropriately. This includes possibly redacting it in reports that could have wide distribution.
Consider having the legal team oversee incidents to allow organizations to mark incident reports as "attorney client privileged."
A description of incident response or forensic procedures should be in the employee privacy statement, so employees are aware.
It is important to protect forensic data, and the access to this data, similar to other privacy data.
CSC 20: Penetration Tests and Red Team Exercises

Privacy Implications: There could be personal information revealed or collected as part of the testing process, especially with phishing. Protection of this information could be an issue.
• In addition to the considerations in the incident response Control #19, part of modern penetration testing is social engineering. This involves collecting information about targets to use in the scam. Some methodologies send phishing emails to targets to send them to sites to enter personal information, later used for social engineering or to reset a password with the help desk.

Privacy Mitigation Suggestions: Penetration testers should be informed by privacy or legal teams on what data is considered privacy data, and to limit the collection of that data, protect any privacy data collected appropriately, and not include PII in reports.
Consider having the legal team oversee penetration testing to allow organizations to mark findings reports as "attorney client privileged."
Privacy References
• National Academy of Sciences: Privacy Research and Best Practices
• The CIS Controls Privacy Impact Assessment Companion
• OASIS Privacy Management Reference Model
• EU General Data Protection Regulation
• EU Privacy Shield
• Privacy by Design: The 7 Foundational Principles
• OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data: http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata
• Department of Homeland Security, Fair Information Practice Principles: Framework for Privacy Policy: https://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf
• Organization for Economic Co-operation and Development (OECD) Privacy Principles: http://oecdprivacy.org/
• Robert Gellman, Fair Information Practices: A Basic History: http://bobgellman.com/rg-docs/rg-FIPShistory.pdf