CCT 068: CISSP Insights on Data Collection, Location, and Destruction (D2.4)

Sep 04, 2023

Ready to decode the mystery of AI in digital forensics? I'm your host, Sean Gerber, and in this stimulating conversation, we're peeling back the layers on how AI is revolutionizing the digital forensics landscape. From automating log analysis and malware detection to reshaping image and video analysis, we're talking about it all. So, buckle up as we navigate the potential legal implications of this rapid technological evolution.

Dive deeper into the tangled web of data protection and classification in the second part of this riveting episode. We'll guide you through the labyrinth of laws, such as Sarbanes-Oxley and PCI DSS, that govern personal identifiable information (PII), intellectual property (IP), financial data, and health records. Learn the ropes of securing your data via encryption, access controls, and periodic audits. Let's get ready to demystify the laws and methods that protect your digital footprint.

Finally, prepare to be fascinated as we explore the complexities of health data storage, compliance requirements, data mapping, and destruction methods. We'll shine a light on regulations like SEC, FFIEC, NERC and how they relate to the CISSP exam. We'll also discuss data sovereignty, jurisdictional risks and the pros and cons of physical data centers versus cloud storage. We're arming you with knowledge to navigate the increasingly complex world of data destruction, from physical methods to electronic ones like secure erase and cryptographic shredding. Now, let's set sail on this voyage of cyber discovery!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Content:

Data Collection

Types of Data

Personal Identifiable Information (PII)

  • Definition: Information that can uniquely identify an individual.
  • Examples: Social Security numbers, email addresses, phone numbers.
  • Sensitivity Levels: Varies from highly sensitive (Social Security numbers) to low sensitivity (names).
  • Handling Recommendations: Encryption during storage and transmission; strict access controls; periodic audits.

Intellectual Property (IP)

  • Definition: Legal term for creations of the mind, such as inventions or artistic works.
  • Examples: Patents, copyrights, trade secrets.
  • Measures to Protect: Use of Digital Rights Management (DRM), strong legal contracts, restricted access.

Financial Data

  • Types: Corporate earnings reports, user credit card numbers, banking transactions.
  • Applicable Laws: Sarbanes-Oxley Act (SOX) for publicly traded companies; Payment Card Industry Data Security Standard (PCI DSS) for cardholder data.
  • Storage Guidelines: Data should be encrypted; multi-factor authentication for access; regular audits.

Health Records

  • Definition: Medical history, treatments, and other health-related information.
  • HIPAA Requirements: Secure data storage, limited access, and strong encryption for electronic patient health records.
  • Data Retention: Defined by regulation, often requiring secure archival.

Operational Data

  • Definition: Data relating to the day-to-day operations of an organization.
  • Types: Log files, system status reports, user activity.
  • Handling: Regular monitoring; anomaly detection systems; restricted access.


Authorized Data Collection Methods

User Consent

  • Explicit vs Implicit Consent: Explicit involves a direct action like ticking a box, whereas implicit is often assumed based on user behavior.
  • Legal Implications: Non-compliance can lead to legal repercussions, including fines.
  • Best Practices: Transparent privacy policy, easy opt-out methods, and regular reviews to ensure compliance.

Data Scraping Policies

  • Definition: Data scraping refers to automated methods of gathering data from websites or databases.
  • Acceptable Methods: Respect robots.txt, avoid burdening server resources, and gather only publicly accessible data.
  • Unacceptable Methods: Bypassing security measures, scraping personal data without consent.
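The "acceptable methods" bullets can be enforced before a collector sends a single request. The block below is an added example, not code from the podcast or its notes: it uses Python's standard-library robots.txt parser to skip disallowed paths and spaces requests by the site's Crawl-delay so the server is not burdened. The robots.txt text and the URL list are constructed sample input; example.com and the user-agent name are placeholders.

```python
# Added example: a collection planner that honours robots.txt and the site's
# Crawl-delay before any request is made. The robots.txt text and URL list are
# constructed; "example.com" and "cissp-study-bot" are placeholders.
import urllib.robotparser

# Constructed sample robots.txt, as a site operator might publish it.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /accounts/
Crawl-delay: 5

User-agent: badbot
Disallow: /
"""

# Constructed list of candidate URLs the collector would like to fetch.
SAMPLE_URLS = [
    "https://example.com/blog/post-1",
    "https://example.com/private/report",
    "https://example.com/",
    "https://example.com/accounts/login",
]


def load_robots(text):
    """Parse robots.txt that has already been fetched (no network needed here)."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def plan_collection(rp, user_agent, urls, default_delay=1.0):
    """Decide what may be fetched and when.

    Returns (allowed, skipped, schedule):
      allowed  - URLs robots.txt permits for this user agent, in input order
      skipped  - (url, reason) pairs that must not be fetched
      schedule - seconds after start at which each allowed URL may be requested,
                 spaced by the site's Crawl-delay (default_delay if none is set)
    """
    delay = rp.crawl_delay(user_agent)
    if delay is None:
        delay = default_delay
    allowed, skipped = [], []
    for url in urls:
        if rp.can_fetch(user_agent, url):
            allowed.append(url)
        else:
            skipped.append((url, "disallowed by robots.txt"))
    # One request per Crawl-delay interval keeps the load on the server bounded.
    schedule = [i * delay for i in range(len(allowed))]
    return allowed, skipped, schedule


if __name__ == "__main__":
    robots = load_robots(SAMPLE_ROBOTS_TXT)
    allowed, skipped, schedule = plan_collection(robots, "cissp-study-bot", SAMPLE_URLS)
    for url, t in zip(allowed, schedule):
        print(f"t+{t:>3}s fetch {url}")
    for url, why in skipped:
        print(f"      skip  {url} ({why})")
```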

APIs

  • Safe Use: Always use secure connections (e.g., HTTPS), validate input/output, and employ rate limiting.
  • Security Considerations: Keep API keys secure, monitor for unauthorized access, and implement OAuth for better security where applicable.

Direct Input Methods

  • Forms, Surveys, etc.: These are often used for collecting data directly from users.
  • Encryption: Use HTTPS and encrypt sensitive fields.
  • Validation: Employ input validation to prevent SQL injection or other exploits.


Compliance Requirements

General Data Protection Regulation (GDPR)

  • Key Features: Right to be forgotten, data portability, mandatory breach notification.
  • Fines and Penalties: Can go up to 4% of annual global turnover or €20 million, whichever is higher.
  • Compliance Checklist: Data protection impact assessment (DPIA), appoint a Data Protection Officer (DPO) if needed, and keep records of data processing activities.

California Consumer Privacy Act (CCPA)

  • Key Features: Similar to GDPR but specific to California; includes right to opt-out of data sale.
  • Differences from GDPR: Focuses more on consumer rights regarding the sale of data.
  • Compliance Checklist: Identify in-scope consumer data, develop a mechanism for handling consumer requests, update privacy policies.

Health Insurance Portability and Accountability Act (HIPAA)

  • Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that can be linked to an individual.
  • Compliance Requirements: Risk assessments, encryption, regular audits.
  • Penalties: Vary based on the level of negligence; can go up to $1.5 million per year.

Industry-specific Regulations

  • Financial Sector: SEC regulations, Federal Financial Institutions Examination Council (FFIEC) guidelines.
  • Energy Sector: North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards.

Data Location

Geographical Constraints

Regulations Affecting Data Storage by Location

  • GDPR: Requires that data on EU citizens be stored in a manner compliant with GDPR, often requiring data residency within the EU.
  • Data Localization Laws: In countries like Russia and China, data on citizens must be stored within the country.

Physical Data Centers vs. Cloud Storage

  • Security Implications: Physical centers offer more direct control but might lack the advanced security measures of a mature cloud provider.
  • Compliance Considerations: Physical data centers might be subject to local laws, while cloud providers often offer compliance certifications (e.g., ISO 27001).

Risk Assessment

Data Sovereignty

  • Definition: The concept that data is subject to the laws and governance structures of the nation in which it is located.
  • Concerns: Legal repercussions, data seizure, and loss of privacy.

Jurisdictional Risks

  • Legal Action: Different countries have different laws around data, and falling foul of them can lead to legal actions.
  • Mitigation Strategies: Data residency solutions, legal consultations, and compliance audits.

Data Flow Mapping

Internal Data Flow

  • Mapping: Visual representation of how data moves within the organization.
  • Choke Points: Identify potential areas where data can be lost or compromised.
  • Security Risks: Internal misuse, accidental leaks, etc.

Third-party Access and Storage

  • Vendor Management: Due diligence in selecting vendors with compliant storage solutions.
  • Contractual Requirements: SLAs defining data protection measures.

Cross-border Data Transfer

  • Legal Considerations: International laws and treaties affecting data transfer.
  • Technical Measures: End-to-end encryption, secure protocols (e.g., SFTP for file transfers).

Data Destruction Methods

Physical Destruction

Shredding

  • Definition: Physical destruction of data storage media into small, unreadable pieces.
  • Types: Cross-cut, strip-cut, and particle-cut shredders.
  • Applicability: Useful for paper records and some types of digital storage media.
  • Considerations: Ensure that shredding size meets organizational or regulatory requirements.

Incineration

  • Definition: Burning of data storage media to ash.
  • Applicability: Primarily for paper records; not typically used for digital storage.
  • Environmental Concerns: Emission of harmful gases, energy consumption.
  • Compliance: May require specific permits and must comply with environmental regulations.

Degaussing

  • Definition: Use of magnetic fields to randomize data on magnetic storage devices.
  • Applicability: Used for magnetic tapes, floppy disks, and some types of hard drives.
  • Limitations: Not effective for SSDs and newer storage technologies.
  • Verification: Should be followed by a validation step to ensure data is unreadable.


Electronic Destruction

Secure Erase

  • Definition: Overwriting storage media with random data or specific patterns.
  • Standards: NIST 800-88, DoD 5220.22-M for secure erase procedures.
  • Software Tools: Darik's Boot and Nuke (DBAN), Secure Erase utility.
  • Limitations: Not effective for damaged or failing hard drives; may not be sufficient for SSDs.

Cryptographic Shredding

  • Definition: Deletion of cryptographic keys that are used to encrypt data, rendering it unreadable.
  • Applicability: Mostly used for digital data and especially effective for cloud storage.
  • Advantages: Quick and energy-efficient; no need for physical destruction.
  • Considerations: Ensure all copies of cryptographic keys are destroyed.
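Cryptographic shredding and its verification step, as an added example that is not from the show notes or any product: each record is encrypted under its own data-encryption key (DEK), held in a hypothetical KeyStore that tracks the primary copy, its backup and an application cache; shredding removes all three and then verifies that nothing can be decrypted through the store. The cipher is an HMAC-SHA256 counter-mode keystream, a stand-in for AES used only because the standard library has no AES; the record text is constructed.

```python
# Added example: cryptographic shredding with a key store that tracks every
# copy of a data-encryption key (DEK). Nothing here is code from the podcast
# or a product. AES is not in the standard library, so an HMAC-SHA256
# counter-mode keystream stands in for it: a demonstration substitute only.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), BLOCK)):
        block_key = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + BLOCK], block_key))
    return bytes(out)


def encrypt_record(dek, plaintext):
    """Return nonce || ciphertext || tag; the tag binds nonce and ciphertext to the DEK."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _keystream_xor(dek, nonce, plaintext)
    tag = hmac.new(dek, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(dek, blob):
    """Verify the tag, then decrypt. Raises ValueError when the DEK is wrong or missing."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(dek, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong or destroyed key")
    return _keystream_xor(dek, nonce, ciphertext)


class KeyStore:
    """Hypothetical key store that records every place a DEK is copied to,
    so that shredding can reach the primary copy, the backup and any cache."""

    def __init__(self):
        self.primary, self.backup, self.cache = {}, {}, {}

    def create_dek(self, record_id):
        dek = secrets.token_bytes(32)
        self.primary[record_id] = dek
        self.backup[record_id] = dek      # the off-site key backup gets a copy too
        return dek

    def get_dek(self, record_id):
        if record_id not in self.cache:
            self.cache[record_id] = self.primary[record_id]   # KeyError once shredded
        return self.cache[record_id]

    def copies_remaining(self, record_id):
        return sum(record_id in store for store in (self.primary, self.backup, self.cache))

    def shred(self, record_id):
        """Destroy every tracked copy of the DEK; returns the number of copies removed."""
        removed = 0
        for store in (self.primary, self.backup, self.cache):
            if store.pop(record_id, None) is not None:
                removed += 1
        return removed


def crypto_shred_and_verify(ks, record_id):
    """Shred, then verify: True only when no tracked copy of the DEK survives."""
    ks.shred(record_id)
    return ks.copies_remaining(record_id) == 0


def is_unrecoverable_without_key(blob):
    """Verification step: a fresh random key must fail the integrity check."""
    try:
        decrypt_record(secrets.token_bytes(32), blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ks = KeyStore()
    record = b"patient 12345: treatment notes"      # constructed sample record
    blob = encrypt_record(ks.create_dek("rec-1"), record)
    leaked = ks.get_dek("rec-1")   # a copy held outside the store, e.g. in a debug dump
    print("shredded:", crypto_shred_and_verify(ks, "rec-1"))
    print("unrecoverable without key:", is_unrecoverable_without_key(blob))
    # The untracked copy still decrypts: this is why every copy must be accounted for.
    print("leaked copy still works:", decrypt_record(leaked, blob) == record)
```

The ciphertext itself is never touched; the leaked copy in the last line shows why the consideration above matters, since a single untracked copy of the DEK defeats the shred.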

Policy Requirements

NIST Guidelines

  • Overview: NIST Special Publication 800-88 offers guidelines on media sanitization.
  • Sanitization Methods: Clear, Purge, and Destroy are the three primary methods outlined.
  • Compliance Checklist: Regular audits, documentation of destruction methods, and validation.

Corporate Policies

  • Policy Elements: Definition of end-of-life for data, authorized methods of data destruction, and responsible parties.
  • Compliance Monitoring: Routine checks to ensure adherence to policy.
  • Employee Training: Mandatory training sessions on the importance and methods of data destruction.

Legal Requirements

  • Data Retention Laws: Be aware of laws that require data to be retained for a specific period.
  • Certificate of Destruction: Some regulations may require a certificate proving that data was destroyed in compliance with legal requirements.
  • Penalties: Non-compliance could result in hefty fines, legal actions, and reputational damage.

Transcript:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go, let's go, but before we get started, we are going to have a little bit of news that I saw today in the Infosec industry site, and one of the things that came up was what we talked about a few weeks ago. We dealt with forensics and the overall forensics as it relates to studying for your CISSP. Well, there's an article that came across and it was basically six ways AI can revolutionize digital forensics, and I just kind of want to walk you through that specific article. Now, this is in Dark Reading and it's by DRTech and there's a gentleman that brought this up. I can't say his name, Shashan Dazaar Agandhi, I think that's it, but anyway, he's a CTO at XTERO, but he brought up an interesting article as it relates to using AI in the forensics environment, and all these things we've kind of probably talked about, but from a digital forensics piece. And you all are going to be understanding AI here in the near future. It's going to be a big factor in studying for your CISSP, I fully expect, and it's going to be something you're going to deal with in the foreseeable future, because I have it. Right now I'm dealing with AI. There's some key questions that come out of it, so if I'm dealing with it, I can only assume you will have to deal with it too.

So here are the six things that he recommended that AI can be used for in digital forensics. The first one was automated log analysis, and this is where you're utilizing the AI's algorithms to potentially look for logs and actually discrepancies in those logs.
One thing that you've dealt with, if you've had to deal with any sort of logs at all within your company, is there's a lot of them, and having AI to be able to look for the nuances will be significant. It's one of those aspects that I would say hackers will get in, and in the old days they used to change the logs. It would go in and potentially change them to keep you from knowing what they're doing, but in today's world there's so many of them that it's really hard to go in and actually make changes to those logs. So if you have a tool that can determine that, that would be very helpful in being able to understand what is actually in your environment, if you utilize AI to go through those massive numbers of logs. Another one is malware detection. Obviously advanced detection methods that are from AI that are actually designing and looking for malware. I read an article yesterday that there's really only three types of deployment mechanisms that will launch malware within your environment. So they're the loaders. There's only three types that are typically used. Well, if you have AI that's looking for some of those variations, that would be very valuable. And if it looked for those signatures and how they do business, that too would be very valuable. And malware detection would be one of the six. Image and video analysis, that's, I could definitely see a spot in that where it comes into your CCTV environments, because if it's looking for facial recognition, it's looking for anything out of the ordinary. AI could be very valuable in combing through a lot of the CCTV feeds. If you've dealt with physical security, and we'll talk about that in the CISSP, many of those feeds are just dumped on a computer and are not actually really even looked at unless something bad happens.
So having AI run through that while you're sleeping or while no one's looking at it could be extremely valuable to find some evidence that may point in the direction of someone who's doing something inappropriate. Natural language processing is another one of those options that could be available for you, and this is where, if you have an analyst that's looking at the files, they may not totally understand what they're reading and in many cases, especially if there's multiple languages used, they probably won't know what they're reading. So this natural language processing is extremely valuable. I think that could be really a game changer for security analysts as they're looking at this various data. So there's lots of ways that utilizing those programs could help look for, even if somebody's potentially sending messages back and forth, from an insider threat program or insider threat process, if they're making communications with an outside entity, that AI could potentially pick all of that up. The other one is network traffic analysis. This is where you're monitoring the traffic patterns and looking for something that could be maybe anonymous, anonymous, out of the ordinary, can't say the word. That is basically, they're looking for anomalies, and this they could see potentially with the network traffic that it's monitoring. That's another aspect. There's so much data that most people are not actually looking at that network traffic. And then the last one he had is forensic triage. This again comes down to ways to learn multiple lines of code, or actually say multiple lines of data, that's going through there. It is looking for that and it allows it to learn and then it grows upon this. The only downside I see with that specifically is that if you're dealing with some sort of legal capability or you have to deal with chain of custody, if the AI is reading it, you could have a situation come up where there could be an argument against its use.
Where maybe it's, I don't know, it's touching the software and it could do something bad to it. However, there's all kinds of that now, so I struggle with that even being a proper defense. But again, the forensic aspects of it, it can determine what is out there and what is in that file and then learn, and then it can use that same knowledge on the next situation and the next situation after that. So there's a lot of value, and especially as it relates to digital forensics. So just a little article, again out of Dark Reading. Check it out. I think it's an important factor, especially as you're studying for your CISSP, and since we have been talking about forensics, that is an article that could be appropriate for your study.

All right, so let's move on to what we're going to be talking about today. So I'm going to go over about five specific buckets of what kind of data would you anticipate to see. Now, they can be a little bit different than this, but this is really the five types of data that you will deal with within your organization. PII is information that can uniquely identify a specific individual. Now, this can vary from jurisdiction to jurisdiction, but what I mean by that is what I have in the United States, or even in the state of Kansas, that is considered personal information may be different than what is called out within the European Union, but in reality, they're very similar. It's just some of them are a bit deeper in what they're asking for. So I'll give you an example. In the United States, your social security number is considered personal identifiable information, and if you're listening to this and you don't know what that is, it's basically an ID that is tied to each individual and it is with our IRS, or our tax people, and they track that, and so any taxes you make, any taxes you send, are based on that social security number. Well, normally that would be a PII kind of situation.
Now, if you deal with a person's username, let's just say Gerber ST 567, that's your username, that in Europe would be considered personal identifiable information. But in other parts of the United States that is not considered personal identifiable information, so it will vary from location to location. But some typical examples of PII are obviously social security numbers, email addresses, phone numbers. In the GDPR, actually in Europe, it is IP addresses. So a specific IP address, 192.168.blblblbl, even that, that probably wouldn't work so much because it's your home IP address. But if you had a very unique IP address given to you by your internet service provider, that would be considered PII. So it does. It is something that is very specific to the individual and it will vary from highly sensitive, and obviously, like we talked about earlier, our social security numbers, to a lower sensitivity, like your name. That is a lower sensitivity because it's out there, especially if you have any level of social media. When you're dealing with PII there are some handling requirements, and these are brought on by numerous regulatory agencies that actually define what you should do with them. They're also defined in best practices. So, for example, encryption during storage and transmission, strict access controls, periodic audits, all of those are different types of handling requirements that you would use as it relates to PII data. So I think those go along the lines of best practices, right? So if you deal with PII, you need to do all those aspects. I had a situation that occurred a while back, and there was PII involved, and we had put controls in place, but an audit did not occur. So when you go back and you do an audit of that area, you realize, oh, I didn't have this control in place, but yes, I also had this and I will confirm it.
So those are important things of the audit piece that you really must go through, and a lot of times the audit is missed just because it adds additional time and complexity. Another type of data would be intellectual property. This is your company's secret sauce, what makes your company work, and therefore I would highly recommend you use it right, with its legal terms, such as your copyrights, trade secrets. All of that is information that would fall under intellectual property. A lot of conversation around AI and what it generates and if it is IP, but in reality that's something that has to be worked out in the courts, because this little guy can't figure that part out. You want to use digital rights management. We talked about this in the CISSP training courses. DRM is the software that's typically put on top of your IP that will help protect it. So just an additional layer of protection. But you don't necessarily need that. If you have other types of mechanisms, they can be used just as easily as DRM. DRM is just a good, easy way to put some protections in place and kind of wrap it in a bubble. You also want to have legal contracts. You want to have restricted access. All of those are key areas that you want to protect your IP. Another type of data would be financial data, so we've talked about this on this podcast numerous times. It's more of a business confidential piece of this, but it'll deal with your corporate earnings, your credit card numbers, any banking transactions. All of that is a financial piece of it. Now, depending on the organization, your financial data could be considered IP, depending upon if there's specific algorithms that you must use to help derive a certain whatever outcome of some kind. That could be considered intellectual property, but in most cases it is, at a minimum, business confidential.
Now I've talked to some of my peers and they've made comments where, if the financials get out, you know, it's not a big deal because they are a publicly traded company. Privately held companies probably don't want their data to be out there from their financials just because they don't want people snooping around what's going on. It just depends upon the company, but they can have more levels of restrictions based on what the company desires. Now there's various laws that are in place for this. You've got Sarbanes-Oxley, and this is for companies that, like I mentioned, are publicly traded. You have the Payment Card Industry Data Security Standard, which is your PCI DSS, and that's another one you should consider as it relates to financial aspects. So if you do have credit cards, you do have to follow what the PCI DSS team is requiring, because if you don't, they won't let you keep your credit card charging capabilities. Storage guidelines around this type of data, again, should be encrypted, multi-factor authentication and then basically restricted access and audits. Now, if you're listening to this and you go, "Well, I see a theme." Well, pray tell, there is a theme. Any of the same types of handling requirements or recommendations that you would have for any of this data is very similar amongst all of the pieces of data. Another one is health records. This falls under PII, but it's also just a specific type of health record. It may be one of those where it's not specifically tied to you, maybe your name has been anonymized, but just having the health record itself would be a situation where it would be in violation of potential HIPAA privacy laws. Now, what I mean by that is if Sean's ID is 1, 2, 3, 4, 5 and it's not tied to Sean, no one knows that Sean has this big gaping hole in his chest, but it's in my documentation. Just the fact of someone having that could be potential grounds for some sort of legal action, just because you shouldn't have it.
And if you haven't done a good job of protecting it, then you definitely shouldn't have it. So health records are another one. This deals with history, treatments and other health-related information that's tied to you. Now HIPAA will require you to have secure data storage, limited access, encryption for electronic health records, so on and so forth. So again, you've seen a bit of a trend, right? So that's where you're dealing with health records. And then the last one is what we call operational data. This is data related to the day-to-day operations of your organization, and this depends upon a lot of things. It could be your network log files that are associated with your network, your switches, any sort of connections you have to the cloud, your VPNs. It could be all of that. That's an operational type of data. But if you're also in the manufacturing space, it could be the pressures, the temperatures, the sensors. All of that data would be considered operational as well. So all of that would fall into the same type of bucket, per se. Now, your operational data may contain very sensitive financial data. It also could contain very sensitive intellectual property, so it could be a mixed mash of different types that you may have to struggle with. So just keep that in mind. When you're talking about the data, it's all about the data, it really does. If you hold yourself to what is in that operational space and you focus on what is the data that I'm specifically looking for, you can then help categorize what it is that you're actually trying to protect. The handling requirements for operational data would be monitoring, anomaly detection and then restricted access. So, again, you just want to make sure that you have those aspects in place. I would say, if you have some sort of IP that's in that environment, maybe you have a higher level of encryption as it relates to the data, where it's data in transit.
And then how are you protecting it while it's at rest, while it's being stored? So all of those are key factors. Okay, so we're going to talk about authorized data collection methods. There's four areas that I'm going to touch on today. First one is user consent. Then data scraping policies, APIs and direct input methods. So, under user consent, you have explicit and implicit consent. So if you're signing up for CISSP Cyber Training's email, you will have explicit consent, which means you'll have a direct action, like basically checking a box, going yes, I agree to be part of the email distribution list, whereas implicit consent is often assumed based on one's behavior. So if you go to a certain website and just by you going to that website, maybe you have implicit consent because you went there, or there's a paywall that gets you through there, that's implicit consent. So there's that aspect. Now there's legal implications. Implications. See these big $10 words I struggle with, especially at 5 am when I'm doing this podcast. Legal implications: there's non-compliance that can lead to legal repercussions, including fines. So if you don't do what you're supposed to do, you can have fines. Example: CISSP Cyber Training. If I would not have that checkbox and have that available to you, you could go ahead and you could say there's problems with that and then you could cause issues with me. But that's why it's there, is, by being part of my email distribution list, you're agreeing to my terms that I have on my site. Best practices, again: transparency, privacy policies. Policies are important. I live in the world of transparency. The more you can make things transparent of what people are actually getting into, the better you are. This comes with security. I highly recommend this as a security professional.
Be transparent on everything that comes down to your privacy policies, opt-out methods, regular reviews to ensure compliance of all of these aspects. You need to do that, one as a security professional and two as a business owner. It's imperative just because things happen, right? I've made mistakes and people have said something and you fix it, but you want to make sure that you're transparent to everything that you do, no matter what, as it relates to security. Your data scraping policies. These refer to automated methods of gathering data from websites and from databases. Now, out there on the web, there are some tools that will do data scraping. Depending upon the jurisdiction in which you operate, that could be acceptable. It also could be unacceptable. It just depends. So this risk, the difference, is robots.txt. This is a thing you see a lot in WordPress, but it will run automatically to do data scraping and it can also cause a lot of problems with your servers. It's only designed to gather public information. Now what ends up happening is, if for some reason your data starts collecting information that maybe is in the public domain but it's not meant to be public, that can start causing you challenges as well. So if your development team is using some sort of scraping technology, I would highly recommend that you ensure that your compliance folks are aligned with what is occurring and what is the target in which they're scraping this information, because real quickly it could get out of hand and it could open you up to some sort of legal ramifications. Some things that are unacceptable: if it bypasses security measures in place and it is scraping personal data without approval, it can really start getting wonky and get you in trouble, so you want to avoid that. Okay, APIs now. API is an application programmable interface, and we've talked about that a lot in the CISSP piece of training.
You always want to make sure that it's a secure connection. Now, this doesn't always happen. I've seen a lot of times where APIs are actually wide open and they're not designed to be a secure connection. So you want to ensure that that is in place and, especially as you're dealing with personal data, you want to validate that it's got an input and output and that the data that it's collecting is specific to what you're trying to accomplish. It's not, because in many cases these APIs are based on some automated process, you don't want it to be collecting data that it should not be. Also, understand APIs can be used for nefarious purposes. Bad guys can use APIs and collect data off of them. So if you had an API that was not secure, and basically it wasn't using HTTPS or something like that to secure the protocol, and the information was intercepted while it was being transmitted, and it's personal information that's being transmitted via the API, you could open yourself up for some sort of legal issues that run into that. Now, again, I want to caveat everything I mentioned about legal. I'm not a lawyer, nor do I play one on TV, and I'm not going to give you legal advice on any of these aspects. However, I will say that if you did have an API connection in place and personal data would be exposed, you could be subject to some sort of fines. At the time, when I was doing my HIPAA stuff, it was around $250 a record. I don't know what it is today, but it would cost you money, and the record could be anything from the actual individual name to the actual address. Depending on if the records are separate versus all in one bunch, they could be charged separately. There's lots of things that could get you in that. So you want to ensure that if you are using an API connection, you have a secure location, you are actually storing the keys in a proper way and the connections between the two are secure.
So, again, APIs scare me because in the old days of VPNs, we used to want to limit the VPN connection between organizations. Well, APIs are really basically a Gucci VPN. I mean, that's what they are. So you want to make sure that you have them properly secured and protected. Direct input method: this would be forms, surveys, anything of the like. This is often used for collecting data directly from the specific users. You want to make sure that there's encryption in place on these connections and you want to make sure that you have them properly developed so that they're not allowing some sort of SQL injections or any type of activity, malware being put into those forms. So remember, each form that you have and each input that you have is a window into your environment. So, by somebody typing something in, what's happening is that information is being put inside your environment. Well, if that window allows access, you want to ensure that that window is properly secured, so all of your forms need to have some level of protection on them. You want to use HTTPS, obviously, to encrypt the sensitive data that's transmitted back and forth, and then having some sort of validation techniques on your input forms to ensure that people aren't putting data in that they shouldn't. So now I'm going to go over some compliance requirements that you may see on the CISSP. Now, there's various compliance and legal requirements that are coming out today that may be in the news but may not be on the CISSP as of the writing, but I will go over the ones that I've seen that have been in the news the most and the ones that you most likely will see as it relates to the CISSP. Again, there might be ones that pop in there that I have not covered, but these are ones that are in the news today, that have been around for some time, that are definitely talked about. So we're going to talk about four different ones. You got your GDPR. 
You got your CCPA, which is your California Consumer Privacy Act, and then you have HIPAA, which is the Health Insurance Portability and Accountability Act, and then there's a few other, obviously your industry-specific regulations that we'll get into. So your compliance concerns around GDPR: again, the key terms you can remember are the right to be forgotten. That's a key feature of GDPR, as well as data portability and mandatory breach notifications. So those are some key points that you may see in or hear about in your CISSP. Now, the penalties can go as high as 4% of your global revenue. So that was a big factor. So if you had made $100 million, which is your global revenue, then they could actually get up to $4 million for not meeting what they required. So that's 4% of your overall revenue for the globe. That would be bad, especially when margins are around 7%. So let's just say the typical business margin is a 7% margin, where you make 7% on every dollar that you make. So every dollar that comes in, you make 7% on it. So, using the example of $100 million: out of $100 million, your business may typically make around $7 million in profit. That's it. Well, now, all of a sudden, if you go and you take 4% of that 7 million, you're now left with only $3 million versus $7 million of profit. That's not good, because if you're trying to make money, you just basically got your overall income cut by two-thirds. Hmm, yeah, that's not a good thing. So you wanna ensure that you meet GDPR. Now, again, it can go up to 4% of the annual global revenue or $20 million, whichever is higher. The data protection impact assessment: this is something that you'll want to do as it relates to GDPR. So your DPIA, it's one of the aspects that you will do to make sure that you meet GDPR. 
I have dealt with DPIAs numerous times over the life of my career, and when you get into working for a company, you too will deal with DPIAs, and this is something that's required to do to determine what is the level of impact for any sort of product that you put out there related to GDPR. They'll also talk about appointing a data protection officer. That may or may not be needed, but the DPO typically is the one that manages the privacy aspects for your organization, and then you also wanna keep detailed records of all the activities that occur related to GDPR. The California Consumer Privacy Act, the CCPA, this is very similar to GDPR, but it's focused specifically around California and the United States, and it includes the right to opt out of specific data. The difference between it and GDPR is it focuses more on the consumer rights regarding the sale of data. So, I mean, Facebook's done a good job of this: they'd like to sell your information to other individuals, and that's another revenue stream that they have, and in California, they want the ability for you to basically say I don't want you to do that, and you can check a box and they don't make any money off you. But if you do that, odds are high that then, if you want certain types of data fed to you, they will not feed you the information you want. So there's always a tit for tat on that. Now, as a compliance checklist, you wanna identify in-scope consumer data and you wanna develop a mechanism for handling the requests that come in. Could be where you have a phone call and people call in and you handle it that way. Could be an email address that people send emails to you and you handle it that way. But you'll need to have something in place to understand if there's people that have concerns around their privacy information. 
And then you also need to update your privacy policies to make sure that they reflect the CCPA requirements. The Health Insurance Portability and Accountability Act. So something you're gonna be dealing with is called Protected Health Information. Do not get confused. This is not PII, which is Personally Identifiable Information. This is Protected Health Information, or PHI. Now, this is basically any information that focuses on the health status, your health care, any of those aspects that deal with the healthcare industry. It could be payments and all of that. It's all tied into PHI. Now there are some compliance requirements. This would include risk assessments, encryption and then potentially regular audits; all are defined within the HIPAA guidelines. Now it's very much based on the level of negligence. So you can have various issues that come up and, based on how badly you were negligent, the fines will be appropriate to that. So just be aware that if you are using HIPAA, I'll use an example: my dad deals with insurance. If his data was compromised, each record would be a HIPAA violation. Well, if you deal with that, that could get very expensive very quickly. So it could potentially go up to a million and a half dollars per year that you would have to pay. Well, if you're a small business, having to pay a fine based on not storing your data correctly, yeah, you're gonna go out of business. It's not good. So you wanna ensure that you are protecting people's patient information. Then we talk about the industry-specific regulations. Obviously the SEC, which is the Securities and Exchange Commission in the United States, the Federal Financial Institutions Examination Council, FFIEC. These focus, I believe, on, what were they there? On credit unions, I think FFIEC is, or FFIEC, and so you're gonna wanna understand those, right. You may hear about those in the CISSP exam, but focused on the financial regulatory aspects. 
And then the other area is the energy sector, which is NERC, which is the North American Electric Reliability Corporation, Critical Infrastructure Protection. Ah, that's a mouthful. It's NERC CIP. I was dealing with NERC CIP aspects just a couple months ago. So you will deal with all of those pieces as it relates to CISSP, so this information will be used over and over again. This is not the kind of information that you just take it and you dump it. You will deal with every bit of this information on a weekly, if not monthly, basis as it relates to your CISSP. So just keep in mind, it's awesome: as hard as you're working to study for your CISSP exam, you will deal with this again. Okay, so, as we're dealing with data location, there are three main buckets we're gonna cover. One is geographical constraints, risk assessments and then data flow mapping. So geographical constraints. Now there are regulations that are affecting data storage and where you can put it. As an example, the GDPR does require EU citizens' data to be stored in a manner that will meet GDPR requirements, and it does often require them to be stored within the EU. Now it is a hard, fast rule. You don't have to store all of the data related to EU citizens within the EU, but it's highly recommended and it does make your life easier as it relates to tracking all of this information and ensuring it's complied with. There's also, in countries like Russia and China, the data localization: it needs to stay in the specific country itself. I've dealt with this in China and I know with Russia, I've heard rumblings in the past that that was the case as well. They want to keep anything that deals with the information around their citizens in the specific countries. Now, with China, obviously this isn't totally in place at this moment, but they are moving towards that. If you look at the regulations, it seems like that's the direction in which the Chinese government is moving, is wanting people to do. 
If you're operating in China, just consider that data localization may be a factor that you're going to have to deal with in the future. Physical data centers versus cloud storage. Now, depending upon where you are in storing your data, there may be some benefits for storing it within a data center versus in the cloud. Obviously, within the physical data centers, there's more direct control of basically who has access to your information, but it may not have the same level of advanced protections you may get from a cloud provider. Now, as you're dealing with compliance again, these physical data centers will be subject to the local laws. So if you have one within Scotland, it will be subject to the laws of Scotland, whereas when you're dealing with a cloud provider, many of those laws are kind of covered within the cloud and, like, I'll give you an example: in the EU, you can store data within the EU. You can store it within Scotland as well as in France, and they are designed so that they meet the requirements of what the EU is asking for. However, like anything in life, that could be always subject to change, so you just have to decide which is best for you. Now, they will have the certifications, such as ISO 27001, and the data center may have that in place for you to be able to leverage. But at the end of the day, you just need to decide: is a physical data center in your organization or is it going to be in the cloud in somebody else's company? Now we're going to deal with risk assessments. The thing you're going to hear about is data sovereignty. This is a concept that the data is subject to the laws and the governance structures within the nation in which it's located. That is considered data sovereignty. Now, if you don't maintain data sovereignty, if there's a requirement that you have to maintain it and you don't maintain it, like everything else, there's legal repercussions for that. 
That could mean data seizure, could be the loss of privacy, it could be whatever. They'll have some sort of legal ninjitsu to basically take your information and then hold it in perpetuity, yeah, for a long time. They'll be able to hold it for a long time until you pay up. So again, understand data sovereignty is the data that's subject to the laws and the governance within the nation it is located. Then there's jurisdictional risks. Now, different countries have different laws around the information again, and that's coming down to you. If you do not follow those laws, you can be in a situation where legal actions are against you. So data sovereignty is specifically for the data and the laws in that country. Jurisdictional aspects could be in the local area in which the data is stored. Data residency solutions, legal consultations and compliance audits can help you with this jurisdictional risk. But bottom line on all of this is I would highly recommend you have a lawyer and you talk to your compliance folks on anything dealing with data storage in other countries. Again, I'm not a lawyer, but I would highly recommend, that's why you hire one, because they know these things and they will keep you out of trouble. Well, hopefully, from being in a situation where you might have to pay money. Data flow mapping. So you're going to have different types of data flow mapping: there's internal data flows, third party access and then there's cross border data transfers. You're going to be dealing with all of these, every one of them. So internal data flows is just you're mapping the information that's within your organization and looking for places in which there are choke points or basically the data could be lost or compromised, and you need to understand your data flows, because if you don't, you don't really know where your data is going, and that's a bad thing, like when we were flying airplanes: flying airplanes blind is a bad way to fly an airplane. 
Well, if you don't know where your data is flowing, you are flying blind. So you need to understand where it's going so that you can protect it, and this could be from accidental misuse of the data or accidental leaks, could be from anything that comes along those lines. So you need to ensure you know where the data goes. Third party access: due diligence around you selecting your vendors and if they are getting your data. This is a big deal, especially as companies need more and more third parties to manage their information and to manage their infrastructure. They have that. You need to know where your data is going and you need to understand that your vendors are properly protecting your information that they are storing. You need to have SLAs in place, these are your service level agreements, and those need to define what they are doing to protect your data. You need to ensure that your vendors are protecting it, and SLAs will help you with that. Then there's cross border data transfers. There's, maybe, data that goes from here to China. Well, you will need to maintain the data protections between here and China and you will want it to maintain applicable laws. See, I hate those big $10 words, but you want to maintain those laws because you could be legally liable for that data transfer. Same thing from here to Europe, to Canada, to Mexico. There are data transfer laws in place. Now, typically, you could do some sort of SFTP, which is your secure file transfer protocol. You could use IPsec tunnels, but you want to protect the data as it traverses the networks from your network to this other party's network. Okay, so I'm going to get into data destruction methods. I'm going to talk about physical destruction and then electronic destruction. So the physical destruction: there's various types of destruction that can occur. In the CISSP exam questions that you will see here on Thursday, you will be going over some of these questions. 
So shredding, this is one of them, and this, basically, is the physical destruction of the storage media into small, unreadable pieces. Basically means you shred it like a shredder, like paper, you destroy it, and this can be done in different ways. Now, it can be done. If you're doing paper, you can use cross cut shredders, you can use strip shredders. You can use all kinds of things. Now, if you're going to be using physical paper, you want to make sure that you are using cross cut shredders. You do not want to use a strip shredder, because strip means they can put it back together. It's very helpful when you're dealing with all types of media, especially when you're dealing with paper. But you want to ensure that the shredding size meets your organization or regulatory requirements, and hence that's the reason for strip or cross cut shredding. But guess what? You can shred a hard drive. Yes, you can. That more or less destroys it, just kind of pulverizes it. But you can do that. Incineration: this is where you are burning the data and you're basically turning it into ash. So you want to make sure that you are in a situation where everything that is being incinerated is being burned and destroyed. And the one thing is that this is primarily for paper records; it's typically not used for data storage types of capabilities, and the reason I say that is the chemicals that made these types of data, the digital pieces of this. You don't want those toxins to be released in the air. So burning those types of media is usually not a good idea. It's just not a good idea. So I would highly... Can you do it? Yes. Should you do it? No. So I would highly recommend not using incineration for any sort of storage media that is not paper. Again, you want to make sure that there are some environmental concerns, as emissions can be harmful gases, especially if you're dealing with some sort of digital type of capability, and it takes a lot of energy to do so. 
Now, there may be specific permits that you may have to get to do incineration. Just depends on your jurisdiction and your location. Another one is degaussing. This is where you are actually using magnetic fields to randomize the data on the magnetic storage device. This works really well if you have what we call the platters. If you have hard drives that are spinning, the degaussing will basically turn them useless. They work really well. Now, the downside of that is making sure that, if you do that, you do it very well and you have strong enough magnets that can make that happen. I've seen in the past where people have not used very strong magnets and they think they degaussed it, but in reality, they didn't do any of that. It's not effective at all for SSDs and the newer storage options, because there is no magnetic capability in them. They are just physical storage of a digital nature. So you must ensure, though, that you follow whatever steps you have in place to ensure that they are destroyed. Now we'll get into electronic destruction, so we're gonna get into secure erase and then cryptographic shredding. Secure erase is where you're overwriting the media with specific patterns, so you're basically putting ones and zeros over the entire media. This does work pretty well as it relates to hard drives, because the platters are, even though they might be one terabyte or two terabytes in size, you can at least do that. When you're dealing with SSDs, that's very challenging to do, overwriting. Now, NIST 800-88 and DoD 5220.22-M are used for secure erase procedures, and that's based on the US guidelines. Whatever country you're in, they will work for you as well. I've had data that I've had to move out of China and into other places, or actually not move it out, but I've had it in China and I want to erase the data that's there. 
I will send those DoD standards to them and then they will erase it based on those standards. It's just a good checklist on how to totally get rid of the information. There's also some software out there that you can use and it's called DBAN, which is Darik's Boot and Nuke. I've had people use that in the past. There's also secure erase utilities out there as well. So there's all kinds of ways that you can use products to help you erase the data in there. Now again, it's not effective for damaged or failing hard drives and it may not be sufficient for SSDs as well. So you have to understand, and also rewriting over the top of these platters takes forever. So you may want to consider that when you're trying to do this. Cryptographic shredding just basically means the cryptographic keys that go and do the overall encryption, the keys are shredded, they're gone, they're deleted, and when you delete those, that makes it very well that you cannot get access to any of it, and this works well for cloud storage. It's a quick and easy way to do it, but you need to make sure that all the keys are deleted or destroyed. If they're not, then guess what? They're not, and your keys are available and the data is available as well. So you want to make sure that you have a good process to do your cryptographic shredding. All right, that's all I have for today. Thank you so much for joining me today at CISSP Cyber Training. You can go to CISSPCyberTraining.com, and you can check out all the great stuff that's available to you there. You can sign up for my email list and check the box that deals with explicit consent, right, make sure you do that. And you can sign up for my email list and you can actually get access to my free monthly CISSP questions. You get 30 free CISSP questions each and every month available to you, just for being part of my email list. Also know that there'll be some new things. 
It'll be coming down the pipe here soon as we get into this fall season. I have a little bit more time and I'm gonna dedicate a little bit more to get you some other great content that will be coming out for you, as well as cheat sheets and so forth, to help you with your CISSP exam. Okay, I hope you all have a wonderful day and we will catch you on the flip side, see ya.
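To make the cryptographic-shredding point from the episode concrete, here is an added example (not code from the episode or from CISSP Cyber Training) in Go: records are envelope-encrypted under one key-encryption key (KEK), shredding means destroying that KEK, and a Snapshot helper stands in for the forgotten key copy that leaves the data readable. The type and function names and the record contents are constructed for this example; AES-GCM comes from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope encryption: each record body is sealed under its own data key (DEK),
// and the DEK is stored only sealed under one key-encryption key (KEK).
type Record struct{ WrappedDEK, Ciphertext []byte }

type KeyStore struct{ kek []byte } // the KEK; nil once it has been shredded

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a nil (shredded) key is rejected here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: never fall back to a weak key or nonce
	}
	return b
}

func seal(key, plaintext []byte) ([]byte, error) { // AES-GCM, nonce prefixed
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) { // wrong key fails the GCM tag
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("unusable key or truncated ciphertext")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func NewKeyStore() *KeyStore { return &KeyStore{kek: randomBytes(32)} }

func (ks *KeyStore) Encrypt(plaintext []byte) (*Record, error) { // fresh DEK per record
	dek := randomBytes(32)
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(ks.kek, dek) // only the KEK-wrapped DEK is kept
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, err
}

func (ks *KeyStore) Decrypt(r *Record) ([]byte, error) { // unwrap DEK, then body
	dek, err := open(ks.kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// Shred is cryptographic shredding: drop the KEK and every record under it dies.
func (ks *KeyStore) Shred() {
	for i := range ks.kek {
		ks.kek[i] = 0
	}
	ks.kek = nil
}

// Snapshot models the failure the episode warns about: a forgotten KEK copy.
func (ks *KeyStore) Snapshot() *KeyStore {
	return &KeyStore{kek: append([]byte(nil), ks.kek...)}
}
```

Shredding one 32-byte KEK makes every record wrapped under it unreadable without touching the storage media, but a Snapshot taken before Shred still decrypts them, which is why the key inventory (backups, exports, second key stores) has to be complete before you call the data destroyed.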
