  1. Secure Data Disposal
    1. Types
      1. Formatting (Clearing)
        1. The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software file/data recovery utilities.
        2. The data may still be recoverable, but not without special laboratory techniques.
        3. When physical hardware will be re-used within an organization, it is formatted (cleared). This removes the data from the device's file system but does not address data remanence (residual data that remains on the medium).
      2. Sanitizing (Purging)
        1. The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique.
      3. Destruction
        1. The storage media is made unusable for conventional equipment.
    2. Methods
      1. Overwriting
        1. Saving over the data with new data
        2. Also called Wiping or Shredding
      2. Degaussing
        1. Removing the magnetic field of a storage medium, making it unusable for data storage
      3. Encryption
        1. Encrypting the data at rest and then destroying the key (cryptographic erase); the remaining ciphertext cannot be recovered without the key
      4. Destruction
        1. Physical
          1. Breaking
        2. Chemical
          1. Incineration
          2. Exposure to Caustic or Corrosive Chemicals
        3. Phase Transition
          1. Melting
          2. Vaporizing
        4. Raising the Temperature
        5. Exposure to EMI
          1. Microwaves
          2. Electric Current
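The difference between clearing and purging by overwriting, as an added example that is not part of the original notes. It models a block device as a bytearray with a separate directory (a constructed simulation, not a real filesystem): clearing only drops the directory entry, so a raw read of the medium still finds the data, while purging overwrites the block first.

```python
"""Constructed toy block device (not a real filesystem) showing why
clearing leaves data remanence while purging by overwrite does not."""
import os

BLOCK_SIZE = 16
NUM_BLOCKS = 8


class ToyDisk:
    def __init__(self):
        self.medium = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # raw storage bytes
        self.directory = {}                               # file name -> block

    def write_file(self, name, data):
        if len(data) > BLOCK_SIZE:
            raise ValueError("toy disk holds one block per file")
        used = set(self.directory.values())
        block = next(b for b in range(NUM_BLOCKS) if b not in used)
        start = block * BLOCK_SIZE
        self.medium[start:start + len(data)] = data
        self.directory[name] = block

    def clear(self, name):
        """Formatting/clearing: only the directory entry goes away; the
        bytes stay on the medium, which is the remanence problem."""
        del self.directory[name]

    def purge(self, name, passes=1):
        """Sanitizing/purging: overwrite the block (random, then zeros)."""
        start = self.directory[name] * BLOCK_SIZE
        for _ in range(passes):
            self.medium[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.medium[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)
        del self.directory[name]

    def raw_scan(self, needle):
        """Lab-style read of the raw medium, bypassing the directory."""
        return needle in bytes(self.medium)


def demo():
    """Returns (api_visible, remnant_after_clear, remnant_after_purge)."""
    disk = ToyDisk()
    pii_a = b"SSN=123-45-6789"   # constructed sample values, not real PII
    pii_b = b"DOB=1970-01-01"
    disk.write_file("a.txt", pii_a)
    disk.write_file("b.txt", pii_b)
    disk.clear("a.txt")
    disk.purge("b.txt", passes=3)
    return ("a.txt" in disk.directory, disk.raw_scan(pii_a),
            disk.raw_scan(pii_b))
```

On real SSDs and copy-on-write filesystems an in-place overwrite may land on a different physical block, so the vendor's sanitize command or cryptographic erase is the reliable purge there.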
  2. Data Sensitivity Labeling and Handling
    1. Public
      1. Information available to anyone. Also referred to as unclassified or nonclassified.
    2. Internal, Private, or Proprietary
      1. Information used internally by a company
      2. Types
        1. Confidential
          1. Information whose disclosure can cause financial and operational loss to the company.
        2. Secret
          1. Data that should never become public and is critical to the company.
        3. Top Secret
          1. The highest sensitivity of data; few people should have access, and security clearance may be necessary. Information is broken into sections on a need-to-know basis.
  3. Personally Identifiable Information (PII) and Personal Health Information (PHI) Laws and Regulations
    1. Privacy Act of 1974
      1. Establishes a code of fair information practice.
      2. Governs the collection, use, and dissemination of personally identifiable information held in systems of records maintained by federal agencies.
    2. Sarbanes-Oxley (SOX)
      1. Governs the disclosure of financial and accounting information. Enacted in 2002.
    3. Health Insurance Portability and Accountability Act (HIPAA)
      1. Governs the disclosure and protection of health information. Enacted in 1996.
    4. Gramm-Leach-Bliley Act (GLBA)
      1. Enables commercial banks, investment banks, securities firms, and insurance companies to consolidate. Enacted in 1999.
      2. Protects against pretexting. Individuals need proper authority to gain access to nonpublic information such as Social Security numbers.
    5. Help America Vote Act of 2002 (HAVA)
      1. Main goal was to replace punch-card and lever-based voting systems.
      2. Governs the security, confidentiality, and integrity of personal information collected, stored, or otherwise used by various electronic and computer-based voting systems.
    6. California SB 1386
      1. Requires California businesses that store computerized personal information to immediately disclose breaches of security. Enacted in 2003.
  4. Data Roles
    1. Key Concepts
      1. The definition of roles is needed to maintain clear responsibility and accountability.
      2. Protecting the security of information and assets is everyone’s responsibility.
    2. Roles
      1. Executives and Senior Management (C-suite)
        1. Have ultimate responsibility over the security of data and assets.
        2. Involved in and approve access control policies.
      2. Data Owner
        1. Maintains ownership of and responsibility over a specific piece or subset of data.
        2. Responsibilities:
          1. Determine the appropriate classification of the information
          2. Ensure that the information is protected with controls
          3. Periodically review classification and access rights
          4. Understand risks associated with the information
      3. Data Custodian
        1. Performs day-to-day tasks on behalf of the data owner.
        2. Responsibilities:
          1. Ensure that the information is available to the end user
          2. Ensure that security policies, standards, and guidelines are followed
      4. System Owner
        1. Ensures that the data is secure while it is being processed by the system they own.
        2. Responsibilities:
          1. Security of the systems that handle and process information owned by different data owners
      5. Security Administrator
        1. Manages the process for granting access rights to information.
        2. Responsibilities:
          1. Assigning privileges
          2. Granting access
          3. Monitoring and maintaining access logs
      6. End User
        1. The final users of information.
        2. Responsibilities:
          1. Adhering to the organization’s security policy
      7. Auditor
        1. Responsibilities:
          1. Determining whether owners, custodians, and systems are compliant with the organization’s security policies
          2. Providing independent assurance to senior management
  5. Data Retention
    1. The continued storage of an organization's data for compliance or business reasons.
    2. Data retention policies weigh legal and privacy concerns against economics and need-to-know concerns to determine the retention time, archival rules, data formats, and the permissible means of storage, access, and encryption.