Managing Technology Risk to Protect Privacy and Confidentiality

ISACA Journal volume 3
Author: Thiago de Oliveira Teodoro, CISA, CDPSE
Date Published: 30 April 2020

Enterprises must deal with a large and constantly growing volume of data, and they require the capacity to manipulate and process this information while protecting data sources. Key stakeholders such as clients, regulators, investors and the public are affected by how enterprises manage the risk related to collecting, storing and sharing information. For example, personally identifiable information (PII) such as name, email address and Internet Protocol (IP) address is expected to be protected in the context of its use, access, location and confidentiality.1

Enterprises must understand how to adopt a risk management process focused on both data protection and mitigation strategies to address security risk related to privacy and confidentiality.

Privacy and Confidentiality

In recent years, privacy and confidentiality and their impact on enterprises have become relevant topics. Privacy can be understood as the freedom from intrusion into an individual’s private life or affairs when that intrusion results from undue or illegal gathering and use of data about that individual.2 Similarly, confidentiality aims to preserve authorized restrictions on information access and disclosure, including the means of protecting personal privacy and proprietary information and distinguishing authorized and unauthorized users through access levels.3 In sum, there is an expectation that information in a trusted environment will not be disclosed and that security mechanisms will be implemented to make this information unusable by unintended parties or adversaries.

Risk Assessment and Mitigation

So why do enterprises need to invest in mechanisms for data protection and IT security? As Richard Clarke, cybersecurity special advisor to the US President, observed, “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”4 Investments in technology are intended, among other objectives, to reduce the security risk related to privacy and confidentiality breaches. Enterprises need to align business objectives with risk and understand which threats need to be controlled. The results may be a better alignment of growth and risk, compliance with legal and regulatory requirements, and increased resilience.

A security risk assessment provides the basis for an enterprise to identify, protect against, detect, respond to and recover from security threats. This assessment can also be useful when prioritizing areas of investment. For instance, an enterprise with a centralized IT environment with only local staff has a different security risk profile than an enterprise with decentralized activities and a mobile workforce. A 2019 study conducted in Canada shows that Canadian enterprises are deploying more security layers to increase their protection, including Domain Name System (DNS) firewalls (57 percent), password managers (51 percent), penetration testing (39 percent) and cybersecurity insurance (25 percent).5 These results indicate that enterprises are considering several aspects of security. However, it is difficult to determine whether the implementation of these measures is aligned with risk-based strategies that ultimately protect privacy and confidentiality at critical endpoints or whether these measures are a reaction to the occurrence of security-related incidents. An enterprise can benchmark its security against the general industry, and it should be able to identify the measures that best fit its own security needs.

Enterprises should understand the likelihood of a security risk and its potential impact to determine which technology security features are required to maintain operations on a continuous basis. This can be achieved by understanding the common cybersecurity attack vectors that can deliver malware, such as email, corrupted Internet traffic, stolen credentials and malicious code.6 Organizations must also determine the level of risk they are willing to assume to achieve a desired result (risk tolerance).7 For example, an enterprise may concentrate on addressing the risk of a denial-of-service attack (e.g., with a web application firewall) but, because of budgetary constraints, may have only limited resources to defend against phishing attempts (e.g., with predictive email security).

How can data security mitigate risk related to privacy and confidentiality? A risk mitigation plan involves recognizing how a single control or suite of controls can address multiple, related risk factors.8 For instance, a risk mitigation plan to protect personal privacy and proprietary information relies on measures to protect data or prevent their further use if acquired by unauthorized parties. The mitigation plan can be considered an additional layer of security in a defense-in-depth strategy: If one control turns out to be inadequate or even fails, the additional layer prevents a more harmful outcome.

Figure 1

More specifically, data security to protect PII and proprietary information commonly uses the following methods:

  • Encryption—The process of converting plaintext information to ciphertext using a cryptographic algorithm (e.g., Advanced Encryption Standard [AES]) and a secret key
  • Anonymization (or de-identification)—A process that removes the association between the identifying data set and the data subject9
  • Tokenization—A technique that replaces the original value with a token value; a centralized tokenization service stores both the original data and the tokens, so that data can be tokenized and de-tokenized

An illustration of this is a sample data set of four users whose first names, last names, zip codes, email accounts and credit card numbers have been collected in comma-separated values (.csv) files (figure 1). In this case, one can observe the results when encryption, anonymization and tokenization are applied (figure 2) to prevent an adversary from accessing these data.

Figure 2
* Keller, J.; “Cryptr,” Github, http://github.com/nodesocket/cryptr
** Hendricks, P.; “Anonymizer,” Github, http://github.com/paulhendricks/anonymizer
*** Porsteinsson, V.; “Tokenizer,” PyPI, http://pypi.org/project/tokenizer/
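The three treatments from the list above, applied to a constructed four-user data set laid out like figure 1; this is added example code, not the article's own nor that of the Cryptr, Anonymizer or Tokenizer tools cited under figure 2. Anonymization and tokenization use only the Python standard library; the AES-256-GCM helper assumes the `cryptography` package is installed.

```python
import csv, hashlib, hmac, io, os, secrets

# Constructed four-user data set in the layout of figure 1 (sample values, not the article's).
SAMPLE_CSV = """first_name,last_name,zip,email,card_number
Alice,Smith,10001,alice@example.com,4111111111111111
Bob,Jones,94105,bob@example.com,5500000000000004
Carol,Lee,60601,carol@example.com,340000000000009
Dave,Kim,73301,dave@example.com,6011000000000004
"""

PSEUDONYM_KEY = os.urandom(32)  # secret for keyed pseudonyms; managed like any other key

def load_rows(text=SAMPLE_CSV):
    return list(csv.DictReader(io.StringIO(text)))

def anonymize(row, key=PSEUDONYM_KEY):
    """Irreversible: direct identifiers replaced by a keyed hash, ZIP generalised to its 3-digit prefix."""
    out = dict(row)
    for field in ("first_name", "last_name", "email", "card_number"):
        out[field] = hmac.new(key, row[field].encode(), hashlib.sha256).hexdigest()[:16]
    out["zip"] = row["zip"][:3] + "XX"
    return out

class TokenVault:
    """Reversible: random tokens; the value-to-token mapping lives only in the centralised vault."""
    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenize(self, value):
        if value not in self._to_token:  # the same value always maps to the same token
            token = secrets.token_hex(8)
            self._to_token[value], self._to_value[token] = token, value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]  # KeyError for a token this vault never issued

def tokenize_row(row, vault):
    # Only the card number is tokenized; the other columns are kept as collected.
    return {**row, "card_number": vault.tokenize(row["card_number"])}

def encrypt_field(value, key, aad=b"card_number"):
    """Reversible with the key: AES-256-GCM (assumes the `cryptography` package)."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    nonce = os.urandom(12)  # never reuse a nonce with the same key
    return nonce + AESGCM(key).encrypt(nonce, value.encode(), aad)

def decrypt_field(blob, key, aad=b"card_number"):
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad).decode()
```

The contrast a practitioner should take from running it: the anonymized rows cannot be mapped back to a person without the pseudonym key, the tokenized card numbers can be recovered only by whoever holds the vault, and the encrypted values can be recovered by anyone holding the AES key.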

Approximately 80 countries worldwide have enacted policies and regulations regarding privacy and confidentiality, illustrating the importance of adopting a risk management strategy to protect the collection, storage and sharing of sensitive data.

Understanding the principles of data classification, defining privileges and access controls at the time of data creation, and protecting the data-at-rest and data-in-transit environments are essential to meeting privacy and confidentiality requirements. Among the security methods discussed, encryption offers the highest level of data protection because it results in ciphertext—an unreadable mix of letters and symbols.10 However, it is important to understand that each method has advantages and disadvantages under specific circumstances.

It is recommended that enterprises establish security risk assessment as a permanent process to ensure an understanding of the technological environment and to support the management of security vulnerabilities that could affect data privacy and confidentiality.

Endnotes

1 McCallister, E.; T. Grance; K. Scarfone; “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology Special Publication (SP) 800-122, USA, April 2010, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
2 Garfinkel, S. L.; “De-Identification of Personal Information,” National Institute of Standards and Technology Internal Report (IR) 8053, USA, October 2015, http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf
3 Joint Task Force Transformation Initiative, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations,” Building Effective Assessment Plans, National Institute of Standards and Technology Special Publication (SP) 800-53A, revision 4, USA, December 2014, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
4 Lemos, R.; “Security Guru: Let’s Secure the Net,” ZD Net, 19 February 2002, http://www.zdnet.com/article/security-guru-lets-secure-the-net/
5 Canadian Internet Registration Authority (CIRA), “2019 CIRA Cybersecurity Survey,” http://cira.ca/resources/cybersecurity/report/2019-cira-cybersecurity-survey
6 Rapid7, “Common Types of Cybersecurity Attacks,” http://www.rapid7.com/fundamentals/types-of-attacks/
7 Kissel, R.; “Glossary of Key Information Security Terms,” National Institute of Standards and Technology Internal Report (IR) 7298, USA, 25 April 2006, http://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7298.pdf
8 Nicholson, F.; C. Baker; Certification in Risk Management Assurance, 1st Edition, Institute of Internal Auditors Research Foundation (IIARF), USA, 2013
9 Op cit Garfinkel
10 US Department of Health and Human Services, “Health Information Privacy,” http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

Thiago de Oliveira Teodoro, CISA
Is a consultant in governance, risk and compliance (GRC). He has 10 years of professional experience in the areas of auditing and internal controls in both the public and private sectors.