• PII (Personally Identifiable Information): Data identifying individuals (SSN, passport, biometrics, email address combined with other identifiers); breach triggers notification laws
• PHI (Protected Health Information): Health records under HIPAA; subset of PII
• Regulated: Data under specific mandates (PCI-DSS=payment cards, HIPAA=health, SOX=financial, GDPR=privacy)
• IP (Intellectual Property): Trade secrets, patents, source code, R&D; competitive advantage asset
• Legal: Attorney-client privileged, litigation holds, contracts; subject to legal hold (cannot delete)
• Financial: Tax records, audits, credit data; SOX/GLBA compliance
• Sensitive: Umbrella for PII, PHI, IP; unauthorized disclosure causes harm
• Classification Levels: Public → Internal → Confidential → Restricted (based on impact of disclosure)
Software Licensing Compliance
• Types: Perpetual (buy once), Subscription (SaaS/monthly), Concurrent (limited simultaneous users), Open Source (GPL copyleft requires source disclosure for distributed derivative works, MIT/Apache permissive)
• Risk: Unlicensed software = vendor audit fines, legal liability, malware injection (cracked software), loss of support
• SAM (Software Asset Management): Inventory tracking, ensuring entitlements match deployments, preventing over-purchasing or true-up penalties
• Data Sovereignty: Data subject to laws of physical location; dictates storage residency (EU GDPR, China Cybersecurity Law, Russia data localization)
• Individual Rights:
– Access: View personal data held by organization
– Correction: Rectify inaccurate data
– Deletion (Right to Be Forgotten): Request erasure under GDPR Article 17 (exceptions for legal obligations/public interest)
• Retention: Keep only as long as legally required or business necessary; secure disposal after period expires; indefinite retention increases breach blast radius
• Organizational Impact: Reputational damage, customer identity theft/fraud, regulatory fines (GDPR up to 4% of global annual revenue), IP theft (competitive loss), operational downtime
• Public Notification:
– GDPR: 72 hours to supervisory authority, "without undue delay" to data subjects
– US State Laws: Vary by state (e.g., CA requires AG notification); generally 30-60 days
– Content: What happened, what data, steps taken, contact info
• Social Media Use: Restrictions on posting corporate info, travel schedules, or system details; OSINT protection; policy on official account management
• Clean Desk Policy: Documents secured in locked drawers, screens locked when unattended (Ctrl+Alt+Del), no passwords on sticky notes, clear whiteboards; prevents shoulder surfing and after-hours data exposure
• Personally Owned Devices: BYOD/COPE policies; MDM enrollment required, containerization (work/personal separation), remote wipe capability, no sensitive data on unencrypted devices
• Separation of Duties (SoD): Split critical functions among multiple people (e.g., requester vs. approver vs. reviewer); prevents fraud and errors; preventive control
• Mandatory Vacations: Consecutive time off required (e.g., 1-2 weeks); another person performs duties; detects fraud/embezzlement; detective control
• Job Rotation: Cross-training staff; reveals errors/fraud by predecessor, prevents boredom, ensures coverage; requires knowledge transfer protocols
• Institutional Expertise: Document critical processes; avoid single points of failure ("bus factor"); succession planning; prevents knowledge loss when employees leave
• The Risk: Untrained users = primary attack vector; susceptible to social engineering, phishing, accidental data leakage (misdirected email), and malware
• Tailoring: Role-based training (developers=secure coding, HR=PII handling, Admins=privileged access, Execs=whaling awareness); technical depth appropriate to function
• Training Techniques:
– CBT (Computer-Based Training): Self-paced modules, LMS tracking, annual compliance checkbox
– Gamification: Points, badges, leaderboards for security achievements (phishing reporting, policy completion)
– Phishing Simulations: Controlled fake emails testing user vigilance; educational (not punitive) remediation for clickers
– Situational Awareness: Recognizing physical threats (tailgating, USB drops), pretexting, unusual behavior
– Reporting & Escalation: Clear procedures (Phish Alert buttons, SOC hotline, incident escalation paths); positive reinforcement for reporting suspected incidents quickly
Quick Distinctions: SoD prevents fraud by requiring multiple people; Mandatory Vacation detects fraud by forcing absence. Retention must balance legal hold requirements vs. Right to Be Forgotten. Data Sovereignty dictates where data can be stored; Data Classification dictates how it should be protected.