Controlling Privacy and the Use of Data Assets - Volume 1: Who Owns the New Oil?

This document was uploaded by one of our users. The uploader already confirmed that they had the permission to publish it. If you are author/publisher or own the copyright of this documents, please report to us by using this DMCA report form.

Simply click on the Download Book button.

Yes, Book downloads on Ebookily are 100% Free.

Sometimes the book is free on Amazon As well, so go ahead and hit "Search on Amazon"

Ulf Mattsson leverages his decades of experience as a CTO and security expert to show how companies can achieve data compliance without sacrificing operability. Jim Ambrosini, CISSP, CRISC, Cybersecurity Consultant and Virtual CISO Ulf Mattsson lays out not just the rationale for accountable data governance, he provides clear strategies and tactics that every business leader should know and put into practice. As individuals, citizens and employees, we should all take heart that following his sound thinking can provide us all with a better future. Richard Purcell, CEO Corporate Privacy Group and former Microsoft Chief Privacy Officer Many security experts excel at working with traditional technologies but fall apart in utilizing newer data privacy techniques to balance compliance requirements and the business utility of data. This book will help readers grow out of a siloed mentality and into an enterprise risk management approach to regulatory compliance and technical roles, including technical data privacy and security issues. The book uses practical lessons learned in applying real-life concepts and tools to help security leaders and their teams craft and implement strategies. These projects deal with a variety of use cases and data types. A common goal is to find the right balance between compliance, privacy requirements, and the business utility of data. This book reviews how new and old privacy-preserving techniques can provide practical protection for data in transit, use, and rest. It positions techniques like pseudonymization, anonymization, tokenization, homomorphic encryption, dynamic masking, and more. Topics include Trends and Evolution Best Practices, Roadmap, and Vision Zero Trust Architecture Applications, Privacy by Design, and APIs Machine Learning and Analytics Secure Multiparty Computing Blockchain and Data Lineage Hybrid Cloud, CASB, and SASE HSM, TPM, and Trusted Execution Environments Internet of Things Quantum Computing And much more!

Author(s): Ulf Mattsson
Series: Security, Audit and Leadership Series
Publisher: CRC Press
Year: 2022

Language: English
Pages: 348
City: Boca Raton

Cover
Praise for the Book
Half Title
Series Page
Title Page
Copyright Page
Dedication
Table of Contents
Introduction
Why do we need this Book?
Who should read the Book?
Guide to read the Book
The Business-oriented Chapters
The Technical Chapters
Acknowledgments
About the Author
Section I: Introduction and Vision
Chapter 1: Privacy, Risks, and Threats
Introduction
Is Data the New World Currency or Is Trust?
Data, User, and App
The Balance Between Privacy, Security, and Compliance
Privacy Engineering Talent Shortage
New Uncertainty and More Security Breaches
Risk and Trust
The Edelman Trust Barometer
Privacy and Trust
Privacy
What Is Data Privacy?
Why Is Data Privacy Important?
Privacy Definitions
According to GAPP
GDPR and CCPA Definitions of Data (Sensitive and Personal)
In the European Union
California Consumer Privacy Act
Who Is Accountable for Privacy?
Good for Business
Privacy Protection
Privacy-Preserving Analytics and Secure Multiparty Computation
Risk
Data Security Is Keeping IT Professionals Concerned
Legacy Data Security Approaches Leave IT Professionals Scrambling
Who Is Sharing and Selling Your Data?
Who Owns Your Data?
Protect Data, Users, and Applications
That’s Where the Money Is
Privacy, Security, and Compliance
Security Does Not Imply Privacy
Security Controls Can Enforce a PRIVACY POLICY
Privacy vs. Security
Asking “Why, What, and How”
Threats
Concerns of Breaches and Sharing Data
Ransomware and Other Attacks
Supply Chains
SolarWinds Attack
A Breach for the Ages Went Unnoticed
The Threat Landscape
Healthcare Organizations Are Increasingly Targeted
Ransomware Is Costly and Disruptive to Operations
Compliance Risks Can Hamper Business for Years
Ransomware Poses an Existential Threat to Your Company
eCrime Ecosystem
Breaches, Data Leaks, and Security Spending
Breaches and Security Spending
Breaches and Security Spending
Data Leaks per Industry
Security Spending and Breaches
Data Leaks and Security Spending
Data Leaks and Security Spending
Data Breach Costs Increased
Healthcare Data Breach Costs Increased
The Cost of a Data Breach Is a 10% Rise
The Cost of Doing Business
Protect Your Data from Ransomware
Attacks on Data
Attacks at Different Layers
Awareness Training May Not Be Enough
A Balanced Security Approach
A Layered Data Security Approach
Summary
Bibliography
Chapter 2: Trends and Evolution
Introduction
Data Growth
Estimated Terabytes of Data Worldwide, 2019–2024
Trends in Control of Data
More Data Is Outside Corporate Control
What Can We Do?
Trends in Data Protection Integration
Confluence of Data Security Controls
DSP Future State
Major Changes in Regulations, Attacks, and Use of Data
Changing Security Postures
Enforcement of Security Compliance
Evolving Technologies for Data Protection
Privacy-Preserving Techniques
Evolution of Fine-Grained Data Protection
Comparing TCO and Performance of Some Data Protection Techniques
Hybrid Cloud
Machine Learning
Responsible Use of AI and Trends
Automation by AI Could Raise Productivity Growth Globally
Data Security Roles Are Changing
Privacy
The Future of Privacy
Evolving Global Privacy
Privacy Laws Are Changing
Actions Needed by Organizations
GDPR Is Changing
GDPR under “Schrems II”
Privacy in Transition
Data Privacy by the Numbers
Rise of Privacy Enforcement
Why Will It Happen?
What’s Driving the Pace of This Trend?
Data Privacy Enforcement Actions Worldwide
Threats
Trends in Threats, Privacy, and Trust
The Threat Landscapes
Trends in Breaches
Action Varieties in Breaches over Time
Threatening to Publicize the Data
Incident vs. Breach Definitions in the DBIR Report
Under Control? Is the Situation Getting Worse?
Identity Thefts
Cybercrime Never Ends
Sixty-Three Percent of Companies Had Suffered a Breach
Potential Cloud Barriers
Barriers to Increased Cloud Adoption
Need for Businesses to Protect the Privacy
Trust
Trust in Companies and National Government
Trust is Central to Digital Transformation
Nine Characteristics of a Trusted Organization
Trust in all Information Sources at Record Lows
The Emergence of Trusted Technology First Movers
Rise of Privacy Enforcement
Security
Layered Security
Digital Technologies and Innovation
Evolving IT Security Technologies
Hybrid or Multi-Cloud
Security Spending
Data Security Investment on the Rise
Security in Three to Five Years
Cybersecurity Market
Technology Use
Plan for Data Protection
Summary
Bibliography
Chapter 3: Best Practices, Roadmap, and Vision
Introduction
Protect Your Business
People, Process, and Technology
We Need a Common Language for Security
A Security-First Approach
Best-Practice Behavior
Your Best Defense against Cyberattacks
The Stakeholders
The Customer Is Responsible for Data Security in Cloud
Addressing the Threat Landscape
Ransomware and Securing Data
Preventing Attacks
Prevent Attacks
Recover after Attacks
Secure Data
Limit Data Exposure
Data Inference Leakage
Data at Rest Protection
Tokenization
Coarse-Grained vs. Fine-Grained Encryption
Tokenization
Application Security
WEB Application Security Risks
Top Three Web Application Security Risks
Cloud Data
Keeping Keys under Control
Data Is More Distributed
People Increasingly Work from Home
Effective Data Security Strategy
Roadmap
Protect Sensitive Data
Roadmap
Compliance with GDPR Cross-Border Privacy Restrictions
Information Security Spending
Spending by Industry
Use of Common Data Protection Techniques
Vision
Protect Sensitive Data Anywhere
Steps in the Vision
Summary
Bibliography
Section II: Data Confidentiality and Integrity
Chapter 4: Computing on Encrypted Data
Introduction
Protecting Sensitive Data in the Cloud
Data Protection Techniques Overview
Homomorphic Encryption
HE Applications
Homomorphic Encryption Can Be Used to Simplify
Categories of HE Technologies
History of HE Algorithms
Specific Use Cases
Fully Homomorphic and Other HE Algorithms
HE Quantum-Safe Lattice-Based Cryptography
A Sample Program for HE Multiplication
HE Performance
Comparing Encryption Performance
Comparing Scalability and Performance
HE Programs
HE Security
Factors That May Inhibit HE Adoption
HE Software and Algorithms
Examples of Popular Libraries and Algorithms
Examples of HE Vendors
Data Protection for Secure Analytics in Cloud
Use Case in Health Care
Mathematically Provable
The Strongest Form of Security for Outsourcing
Detailed Benchmarking
Summary
Bibliography
Chapter 5: Reversible Data Protection Techniques
Introduction
Data Protection Techniques Overview
Protection at a Fine-Grained Level
Performance
Encryption
Block Cipher and Modes
DES
AES and DES
Mode of an Encryption Operation
Performance of AES on Different Processors
Clock Cycles per Byte of AES
AES NI Instruction Set on Intel
Format Preserving Encryption
FPE Vulnerable to Guessing Attacks
Blowfish
Tokenization and Format Preserving Encryption
Partial Transformation
Partial Transformation of Credit Card
Tokenization and FPE for Many Types of Data
Lower Risk with Higher Productivity
A Balance between Usefulness and Protection
Tokenization
Tokenization Replaces Sensitive Data with Useless Ones
Difference from Encryption
Tokens Require Significantly Less Computational Resources
Validation by Third-Party Encryption Experts
Lookups of Random Values
Operational Aspects
Types of Tokens
High-Value Tokens (HVTs)
Low-Value Tokens (LVTs) or Security Tokens
Irreversible Tokens
Authenticatable Irreversible Tokens
Non-Authenticatable Irreversible Tokens
Reversible Tokens
Reversible Cryptographic Tokens
Reversible Non-Cryptographic Tokens
Transactions Are More Secure due to TOKENIZATION
What Does EMVCo Do?
Microsharding
Summary
Bibliography
Chapter 6: Non-Reversible Data Protection Techniques
Introduction
Overview of Data Protection Techniques
Some Major Attacks on Data
Medical Records Can Be Re-Identified
Why Anonymize?
Randomization Techniques
General
Noise Addition
Permutation
Microaggregation
Statistical Tools
General
Sampling
Aggregation
Pseudonymization vs. Anonymization
Anonymized Data Supports AI and Analytics Initiatives
Protected Data Drives Revenue and Satisfies Customers
Pseudonymization
Anonymization
Differential Privacy
Use Case of Differential Privacy and k-Anonymity
Examples of Differential Privacy Models
Six Different Types of Transformation Algorithms
k-Anonymity Model
Anonymization
Synthetic Data
Synthetic Data in Fintech
Example of Synthetic Data
Maximizing Access While Maintaining Privacy
Perfecting the Formula—and Handling Constraints
Artificial Data Give the Same Results
Hashing
Summary of Data Protection Techniques
Data Protected at a Fine-Grained Level
International Standard
Privacy-Preserving Data Mining
Summary
Bibliography
Section III: Users and Authorization
Chapter 7: Access Control
Introduction
Access to Data
Identification and Authentication
Passwords and Biometrics
Passwords
Biometrics
Multi-Factor Authentication
Pooled Database Connections
Authorization
Who Should See the Data?
Access Control
A Distributed Approach with a Central Point of Control
Access Control Architecture
Access Control Models
Mandatory Access Control
Discretionary Access Control
Role-Based Access Control
Issues with a Role-Based Access Control
Example of a Role-Based Access Control (RBAC)
Attribute-Based Access Control
ABAC System Definitions
RBAC – ABAC Hybrid
RBAC + ABAC Integration
RBAC + ABAC Service Data Flow Diagram
Summary
Bibliography
Chapter 8: Zero Trust Architecture
Introduction
The Old Security Model
Key Objectives
Zero Trust Strategy Assumes Breaches Are Inevitable
Point of Control Moves to the Data Layer
Dynamic Security Rules
Zero Trust, Network Segmentation, and PCI DSS
Secure Networks with Zero Trust
To Make This Happen, Follow These Principles
Data Privacy and Zero Trust Architecture
Zero Trust Protects Resources, Not Network Segments
Zero Trust Centralizes the Access Mechanisms
Trust Algorithm
Context of Request
Enterprise with Contracted Services or Nonemployee Access
Example of Device Agent/Gateway-Based Deployment
User Access Validation and Segmentation
Zero Trust, CASB, and SASE
ABAC Provides a Foundation for a Data-Oriented ZTA
The Relation between SASE and CASB
Summary
Bibliography
Section IV: Applications
Chapter 9: Applications, APIs, and Privacy by Design
Introduction
The API Economy
Definition of the API Economy
Applications and APIs
Privacy System Design
Basic Principles
Privacy by Design Is Key to Cloud
Data Protection
Agile Development
The Team and the Process
Benefits of Embracing DevSecOps
Integrating Security into the Development Process
Security in DevOps
Security Reviews
Software Bill of Materials
Application Testing and Quality Assurance (QA)
API Trends for Security in DevOps
More Microservices
Effective Testing with Application Microservices
Portability for Hybrid Cloud
Flexibility
Virtualization
Containers
Docker and Kubernetes
Kubernetes Security and Compliance Frameworks
Compliance for Containers
Server-Less
Data Privacy and Security in a Serverless Cloud Environment
Enterprise Architecture Framework (EAF)
Zachman Framework for Enterprise Architecture
Web Application Firewall
Application Development
OWASP API Security Top 10
The Pace of Change in the Software Development Industry
Low-Code Development
Trends
Security Metrics
Kafka
Data Discovery Integrated with Data Protection in Cloud
Data Lake vs. Data Warehouse
Privacy-Preserving Data Mining
Summary
Bibliography
Chapter 10: Machine Learning and Analytics
Introduction
Using AI to Gain Competitive Advantage
Data and Technology Are Driving Business Change
Data Privacy Is Good for Business
Data Privacy Can Boost the Bottom Line
How Innovative Enterprises Win with Secure Machine Learning
Race to Own the Data-Value Chain
Machine Learning and AI
The Difference between AI and Machine Learning
Supervised vs. Unsupervised Learning and Deep Learning
Gaining a Sense of Security
Cracking Open the Black Box of Automated Machine Learning
Secure AI and ML
Secure AI Defined
Secure Data
AI under Assault
Protection Is Key
Matching Governance with Risk Level
Secure AI—Extract Value from Protected Data
A New Era Emerges—AI on Protected Data
Putting Protection into Play
Most Companies Still Aren’t Set Up to Support AI and ML Initiatives
Secure AI—Extracting Value from Protected Data
Responsible AI
Responsible AI and Confidential AI
Algorithmic Trust Models
Responsible AI and Confidential AI can be integrated
Privacy-Preserving Data Mining
MLOps
Machine Learning and Cloud
Amazon AWS and Machine Learning
Google Cloud AI and Machine Learning
Microsoft Azure and Machine Learning
Case Studies
Use Case: Digital Pathology Image Analysis
Use Case: Insilico Medicine
Use Case: Reducing Fintech Risk with Machine Learning
Data Leaders and Data Laggards
How Innovative Businesses Win with Secure Machine Learning
MLOps for Responsible AI
A Growing Divide between Data Leaders and Data Laggards
Data Privacy Requires the Creation of a Top-to-Bottom Culture
Impact of New Technologies
Compliance Sets the Tone
Protect the Power of Data
Analytics Market
Taking Data to the Cloud
The Global Hadoop Big Data Analytics Market Is Growing
The Global Hadoop Big data Analytics Market
Robotic Process Automation (RPA) vs. ML
ML Is Security Products
Summary
Bibliography
Chapter 11: Secure Multiparty Computing
Introduction
A Traditional Model
Use Cases
Data Science
Secure Multiparty Computation Protects Privacy
Basic Properties
Security of an MPC protocol
Protocols
Two-Party Computation
Yao-Based Protocols
Shamir Secret Sharing
Private Set Intersection
Homomorphic Encryption
Data Marketplaces
Pseudonymization and Smart Contracts
Building an Ethical and Secure Data Sharing Ecosystem
Scope of Processing Through Pseudonymization
Security of Data Will Be Critical
Adjusting Security Approaches to Meet Data Marketplace
The Expanded Focus of a Secure Data Exchange
Sharemind MPC Platform
Summary
Bibliography
Chapter 12: Encryption and Tokenization of International Unicode Data
Introduction
Old Approaches
Major Issues
The Long Journey to a New Approach
Billions of Rows
The New Approach
Examples of Standards Used in Japan
Benefits of the New Approach
Security and Design Aspects
Unicode Character Encoding Standard
Different Character Encodings Can Implement Unicode
Optimize Design for UTF-8 Character Encoding
Summary
Bibliography
Chapter 13: Blockchain and Data Lineage
Introduction
Data Lineage and Provenance
What Is Blockchain?
Blockchain Enables Trusted Data
Blockchain Delivers Data Lineage by Default
Blockchain-Based Solutions
Blockchain Has the Potential to Reshape Industries
Healthcare Provider Directory to Illustrate Interoperability
Current State of Provider Directory Updates
Interoperability as an Architectural Layer
A Platform for Digital Transformation
Popular Platforms
Hyperledger, Ethereum Corda, Bitcoin, and Quorum
Tokenization in Blockchain
Convert a Digital Value into a Digital Token
Hyperledger Architecture and Security
Hyperledger Fabric
Risk by the Rating of Vulnerabilities
Financial Functions, DeFi, and Web3
Decentralized Applications (DApps)
Smart Contracts and DeFi
NAP—A True Cross-Blockchain Token
DApps and Web3
Blockchain Sharding
Summary
Bibliography
Section V: Platforms
Chapter 14: Hybrid Cloud, CASB, and SASE
Introduction
Businesses Continue to Run in Private Data Centers
Managing Data Encryption in Hybrid Cloud
Storing outside a National Jurisdiction—Encryption May Be an Acceptable Control
Benefiting from Cloud, but Being Responsible with Data
Shared Responsibility Model in Cloud
Responsibilities Are Split and Not Shared
Shared Responsibility Model
Defining the Lines in a Shared Responsibility
Risks
Risk Considerations
Use Cases
International Bank
Hosting Service for Data
Data Is Protected before Landing in AWS S3
Google Cloud Use Case
Cloud Security Logical Architecture
Cloud Security Glossary
Cloud Security Layers
CASB
Cloud Access Security Broker
Example of Encrypting Data in SaaS with a CASB
CASB Access via API or as a Proxy
CASB Policy and Encryption Key Management
Issues with CASB Deployment
CASB vs. SASE
Which Is Better for Your Organizational Security?
SASE
Pros and Cons of CASB
Pros
Cons
Pros and Cons of SASE
Pros
Cons
SASE—Application and Data Protection for Multi-Cloud
Benefits of Unified Defenses
Data Security and Key Management for Hybrid Cloud
Issues with Point Solutions
A Central Point of Control
Use Case—Amazon AWS Databases
Separation of Duties
Separation of Duties in Each Geographic Region
Different Hybrid Cloud Policies Slow Innovation
Local Secrets
Data Encryption Key Management
Cloud Key Management (KM)
Key Management for Enterprise Data Encryption
Automated Key Distribution Is Challenging
Best Practices for Protecting the Data Flow
Data Security Policy and Encryption Key Management
Bring Your Own Key (BYOK)
Amazon Web Services (AWS) S3 Client-Side Encryption
AWS Encryption Key Management
Hold Your Own Key (HYOK)
Keys Should Be Centrally Generated
Your Own Key Management Server in the Cloud
Security Depends on Where the Keys Are Stored and the Access
Selection and Migration
Leveraging Familiar Tools Also for Cloud
Quantum Key Management
A Hybrid or Fully Remote Office
Summary
Bibliography
Chapter 15: HSM, TPM, and Trusted Execution Environments
Introduction
Trusted Execution Environments
Examples of Applied Uses
Machine Learning in Trusted Execution Environments
Support for Streaming Data Applications
Adversary Model and Security Argument
Costs of Using the Technology
Availability
Existing Standards
Trusted Platform Module (TPM)
International Standard for a Secure Cryptoprocessor
Hardware Security Module (HSM)
The FIPS 140-3 Standard
Summary
Bibliography
Chapter 16: Internet of Things
Introduction
The Core of IoT
IoT Applications
Attacks on IoT
Black Out in Ukraine: BlackEnergy in Power Grid Cyberattack
A Brief History of Blackouts in New York City
Breach That Compromised Data of 50 Million People
Hackers Breached Colonial Pipeline with One Compromised Password
Water Plant Hack Led to Discovery
Ransomware Attacks on Industrial Control Systems 2021
Ransomware Threats for ICS are Growing
Expert Cybersecurity Tips
Resilient IoT Framework
Seeking Protection
Playing IT Safe
How Strong Encryption Improves IoT Security
Steps for Security
Protection Is Paramount
Edge Computing
Privacy and Security
Robotics vs. IoT
AI and Robots
Tackling Air Pollution with Autonomous Drones
How Companies Use Artificial Intelligence in Robotics
Summary
Bibliography
Chapter 17: Quantum Computing
Introduction
Opportunities with Quantum Computing
Quantum Computing—the Pros and Cons
Threats to Encryption
Intel Xeon Computers
Quantum Computers Can Break Blockchain and Public-Key Cryptography
Quantum Computers Can Break Blockchain Security
Post-Quantum Cryptography
Lattice-Based Systems Based on the Hardness of Finding Short Vectors in Lattices
Quantum-Resilient Algorithms
Symmetric-Key Cryptography Isn’t as Susceptible
Post-Quantum Cryptography Research
Homomorphic Encryption and Quantum Computing
Example of a Cryptography Roadmap
The Road to Randomness
US NIST Randomness Test
Summary
Bibliography
Chapter 18: Summary
A Responsible Approach to Data Privacy and Security
A Common Language and Framework Can Enable Dialog
Finding the Right Balance
Risks, Breaches, Regulations, and Opportunities
Risk Management and Solutions
The Roadmap
Start Small with Easy Data Protection Techniques
Protection That Balances Different Needs
Finding the Right Data Protection Solution
Barriers to Establishing Effective Defenses
The Cost of Doing Business
Security Spending and Breaches
Data Leaks by Security Spending Budget
Data Breach Costs Increased
Healthcare Data Breach Costs Increased
The Cost of a Data Breach Is a 10% Rise
Awareness Training May Not Be Enough
Protect Your Data from Ransomware
Volume II of This book
Bibliography
Appendix A: Standards and Regulations
Introduction
Major Data Privacy Regulations
Data and Security Governance (DSG) Converge
The Evolution of Privacy Regulation Continues at an Aggressive Rate
Legal and Regulatory Risks Are Exploding
How Many Privacy Laws Are You Complying With?
Example Rules for a US-Based Organization
Personal Data
European Union
California Consumer Privacy Act Defines Personal Information
GDPR
European Countries
Failure to Comply and What Are the Consequences?
GDPR Security Requirements Framework
Data Flow Mapping Under GDPR
GDPR under “Schrems II”
Encrypt Data and Hold Keys by Third Party Allows Cross-Border Transfer under GDPR
Background
Example of Insufficient Protection of Data
Cloudflare is Insufficient to Protect the Data
International Bank Secures Cross-Border Data
Guidelines on the Concepts of Controller and Processor in the GDPR
Controller
Processor
Relationship between Controller and Processor
GDPR and California Consumer Privacy Act (CCPA)
The CCPA Effect
California Privacy Rights Act (CPRA)
Data Protection
Pseudonymization
Anonymization
Summary
Bibliography
Appendix B: Governance, Guidance, and Frameworks
Introduction
CIA—The Heart of Information Security
CIA—Confidentiality, Integrity, and Availability
Do We Need to Use a Common Framework and Language?
Privacy Laws and Their Unique Definitions of Personally Identifiable Information (PII)
Privacy Risk Frameworks
IT Security Posture
Roadmap to Reduce Risk and Liability of Unprotected Data
Privacy Impact Assessment (PIA)
Privacy Impact Assessment
United States
Europe
PIAF Project
The IT Roadmap for Cybersecurity
Data-Protection Tips for Business and Consumers
Compliance with GDPR, CCPA, and HIPAA by US Companies
Privacy Officer in Australia
Skills
What Skills and Knowledge Should a Privacy Officer Have?
Skills and Knowledge
The IT Security Skills Shortage
Cybersecurity Workforce Gap
Certifications and Skills
Security Organization
CISO Role and the Organizational Map
Virtual CISOs: Security Leader or Security Risk?
When Are Virtual Chief Information Security Officers the Right Choice?
Data Protection Officer in GDPR
DPO, According to GDPR
The Role of the DPO
Office of the DPO
How to Appoint a Data Protection Officer
Where Do We Place the Privacy Function?
Should We Stay in Legal?
Creating a Privacy Engineering Capability
What Do these Privacy Superheroes Do?
Aligning Privacy with Data Governance
Different Privacy Organizational Models
Roles in Transition
Privacy Maturity Posture
Example—MITRE Privacy Maturity Model
Elements of a Privacy Program
Security Governance
Regulatory Compliance
Board Aspects
Risk Management and Liability of Unprotected Data Resonates with Board of Directors
Boards and Privacy
Rising from the Mailroom to the Boardroom
Major Frameworks
CMMC Cybersecurity Maturity Model Certification
NIST Cybersecurity Framework
NIST Secure Software Development Framework
Recommendations, Not Mandates
The PCI Security Standards Council
Payment Card Industry (PCI) Data Security Standard
CIS Critical Security Controls
CIS Controls Mapping to Payment Card Industry (PCI)
Data Risk Assessment
Red, Blue, and Purple Teams
Red Team
Blue Team
Purple Teams
Cyber Insurance
Cyber Insurance Does not Protect You from At-Fault Incidents
Best Practices for Lowering Cyber Insurance Costs and Cyber Risk
Summary
Bibliography
Appendix C: Data Discovery and Search
Introduction
Search Over Encrypted Data
Use Cases
Overcoming the Confidentiality Problem
Approaches to Search Over Encrypted Data in the Cloud
Utilize an Index Structure
Search Over Encrypted Data in the Cloud
Expansion to the Keyword-Based Search
Cryptographically Protected Database Search
Fuzzy Search over Encrypted Data
Bloom Data Search Filters
Discovery of Data
Discovery of Data in Clear
Discovery of Data that is Encrypted
What Is a Data Catalog?
Enable Initiatives With a Data Catalog
Data Governance Evolves to Address Compliance, Commercialization, Trust
Summary
Bibliography
Appendix D: Digital Commerce, Gamification, and AI
Introduction
Digital Commerce and Digital Business
Reach Your TechQuilibrium
TechQuilibrium Points Will Shift
How to Develop a Digital Commerce Strategy
Key Challenges
Augmented Reality
AR Three Basic Features
The Digital World Blend into a Person’s Perception
Possible Applications
Gamification
Key Challenges
Summary
Bibliography
Appendix E: Innovation and Products
Introduction
Data and Technology Are Driving Business Change
Organizations That Saw Opportunities Were Able to Accelerate
Legacy Companies Need to Become More Data-Driven
Innovation
The Dilemma
Eighty-five percent of the Jobs Have Not Been Invented Yet
Disruptive Innovations
Innovation Aligned with Business Objectives
Data Innovation Slowed by Compliance and Other Concerns
Data Security Viewed as Necessary
An Answer to Innovation Worries
Data Protection History and Innovation
Major Innovations in Data Protection
Major Milestones in Data Protection Technology
Data Privacy Technology Vendors
US Patent Applications
Support for Different Data Privacy Features
A Vendor Comparison Tool
Summary
Bibliography
Appendix F: Glossary
Bibliography
Index