Tips on: Which of the following represents the definition of information compliance? (2022)
At a glance
- The UK GDPR sets out seven key principles:
  - Lawfulness, fairness and transparency
  - Purpose limitation
  - Data minimisation
  - Accuracy
  - Storage limitation
  - Integrity and confidentiality (security)
  - Accountability
In brief
What are the principles?
Article 5 of the UK GDPR sets out seven key principles which lie at the heart of the general data protection regime.
Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Article 5(2) adds that:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
For more detail on each principle, please read the relevant page of this guide.
Why are the principles important?
The principles lie at the heart of the UK GDPR. They are set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime - and as such there are very limited exceptions.
Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of the UK GDPR.
Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.
This guideline aims to establish a framework for classifying institutional data based on its sensitivity, value, and criticality to the University as required by the University's Information Security Policy. Classification of data will aid in determining baseline security controls for data protection.
Applies To
These guidelines apply to all faculty, staff, and third-party agents of the University and any other University affiliate authorized to access Institutional Data. In particular, this guideline applies to those responsible for classifying and protecting Institutional Data, as defined by the Information Security Roles and Responsibilities.
Definitions
Confidential data is a generalized term that typically represents data classified as Restricted according to the data classification scheme defined in this guideline. This term is often used interchangeably with sensitive data.
A Data Steward is a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data. See the Information Security Roles and Responsibilities for more information.
Institutional Data is defined as all data owned or licensed by the University.
Non-public Information is any information classified as Private or Restricted according to the data classification scheme defined in this guideline.
Sensitive Data is a generalized term that typically represents data classified as Restricted according to the data classification scheme defined in this guideline. This term is often used interchangeably with confidential data.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact on the University should that data be disclosed, altered, or destroyed without authorization. Data classification helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels or classifications:
| Classification | Definition |
|---|---|
| Restricted | Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant risk to the University or its affiliates. Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data. |
| Private | Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data. |
| Public | Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information, and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data. |

Classification of data should be performed by an appropriate Data Steward. Data Stewards are senior-level employees of the University who oversee the lifecycle of one or more sets of Institutional Data.
Data Collections
Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a data collection, the most restrictive classification of any individual data elements should be used. For example, if a data collection consists of a student's name, address, and social security number, the data collection should be classified as Restricted even though the student's name and address may be considered Public information.
Reclassification
Periodically, it is important to reevaluate the classification of Institutional Data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. This evaluation should be conducted by the appropriate Data Steward. Conducting an evaluation on an annual basis is encouraged; however, the Data Steward should determine what frequency is most appropriate based on available resources. If a Data Steward determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected promptly, commensurate with the level of risk presented by the gaps.
Calculating Classification
The goal of information security, as stated in the University's Information Security Policy, is to protect institutional data's confidentiality, integrity, and availability. Data classification reflects the level of impact on the University if confidentiality, integrity, or availability is compromised. Unfortunately, there is no perfect quantitative system for calculating the classification of a particular data element. In some situations, the appropriate classification may be more obvious, such as when federal laws require the University to protect certain types of data (e.g., personally identifiable information). If the appropriate classification is not inherently obvious, consider each security objective using the following table as a guide. It is an excerpt from Federal Information Processing Standards (FIPS) publication 199, published by the National Institute of Standards and Technology, which discusses the categorization of information and information systems.
| Security Objective | Definition | POTENTIAL IMPACT: LOW | POTENTIAL IMPACT: MODERATE | POTENTIAL IMPACT: HIGH |
|---|---|---|---|---|
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity | Guarding against improper information modification or destruction includes ensuring information non-repudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability | Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
As the total potential impact on the University increases from Low to High, data classification should become more restrictive, moving from Public to Restricted. If an appropriate classification is still unclear after considering these points, contact the Information Security Office for assistance.
Appendix A: Predefined Types of Restricted Information
The Information Security Office and the Office of General Counsel have defined several types of Restricted data based on state and federal regulatory requirements. This list does not encompass all types of restricted data. Predefined types of restricted information are defined as follows:
1. Authentication Verifier
An Authentication Verifier is a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are. In some instances, an Authentication Verifier may be shared amongst a small group of individuals. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:
- Passwords
- Shared secrets
- Cryptographic private keys
- Electronic storage media includes computer hard drives and any removable and/or transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.
- Transmission media used to exchange information already in electronic storage media. Transmission media includes, for example, the Internet, an extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks and the physical movement of removable and/or transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission.
Export Controlled Materials is defined as any information or materials that are subject to United States export control regulations including, but not limited to, the Export Administration Regulations (EAR) published by the U.S. Department of Commerce and the International Traffic in Arms Regulations (ITAR) published by the U.S. Department of State. See the Office of Research Integrity and Compliance's FAQ on Export Control for more information.
5. Federal Tax Information ("FTI")
FTI is defined as any return, return information or taxpayer return information that is entrusted to the University by the Internal Revenue Service. See Internal Revenue Service Publication 1075 Exhibit 2 for more information.
6. Payment Card Information
Payment card information is defined as a credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:
- Cardholder name
- Service code
- Expiration date
- CVC2, CVV2 or CID value
- PIN or PIN block
- Contents of a credit card’s magnetic stripe
Payment Card Information is also governed by the University's PCI DSS Policy and Guidelines (login required).
7. Personally Identifiable Education Records
Personally Identifiable Education Records are defined as any Education Records that contain one or more of the following personal identifiers:
- Name of the student
- Name of the student’s parent(s) or other family member(s)
- Social security number
- Student number
- A list of personal characteristics that would make the student’s identity easily traceable
- Any other information or identifier that would make the student’s identity easily traceable
See Carnegie Mellon’s Policy on Student Privacy Rights for more information on what constitutes an Education Record.
8. Personally Identifiable Information
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
- Social security number
- State-issued driver’s license number
- State-issued identification card number
- Financial account number in combination with a security code, access code or password that would permit access to the account
- Medical and/or health insurance information

- Name
- Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
- All elements of dates (except year) related to an individual, including birth date, admission date, discharge date, date of death and exact age if over 89
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Universal Resource Locators (URLs)
- Internet protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code that could identify an individual
Per Carnegie Mellon’s HIPAA Policy, PHI does not include education records or treatment records covered by the Family Educational Rights and Privacy Act or employment records held by the University in its role as an employer.
10. Controlled Technical Information ("CTI")
Controlled Technical Information means "technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination" per .
11. For Official Use Only ("FOUO")
Documents and data labeled or marked For Official Use Only are a precursor of Controlled Unclassified Information (CUI) as defined by the National Archives (NARA).
12. Personal Data from the European Union (EU)
The EU’s General Data Protection Regulation (GDPR) defines personal data as any information that can identify a natural person, directly or indirectly, by reference to an identifier including:
- Name
- An identification number
- Location data
- An online identifier
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Any personal data that is collected from individuals in European Economic Area (EEA) countries is subject to GDPR. For questions, send email to [email protected]