Key Concepts:
  • Why is privacy an issue?
  • How is privacy different from information security?
  • Privacy laws
  • Threats to privacy in the information age
  • Principles of privacy protection in information systems

Legal Issues in Information Security

Privacy Overview

Introduction to Privacy
Imagine a 14-year-old boy asking his mother to give him privacy. What do you think the boy means when he says he wants privacy? What impact does privacy have in a person's life? Is it similar to security? Let us review some basic concepts related to privacy.

Think about your own answers to the following questions before reading the answers given below each one.
  • What is privacy?
    Privacy refers to not wanting to disclose your personal information to any other individual or third-party entity.
  • Why is privacy an issue?
    With the advances in technology, all types of information are readily available on the Internet, which raises a concern for privacy.
  • What is the difference between information security and privacy?
    The difference between information security and privacy is that the former is a process and the latter is an outcome, or result, of the information security process.
Privacy Protection
Privacy is important for everyone. Think of the steps you would follow to ensure privacy in your home. Well, the steps for privacy protection in an organization would be no different. Check it out!

The steps for privacy protection are as follows:
  • Step 1, Allocating: Appoint an individual who will be responsible for privacy.
  • Step 2, Identifying: Identify all sources, uses, and locations containing critical information.
  • Step 3, Evaluating: Assess discrepancies between current privacy policies and required privacy policies and procedures.
  • Step 4, Creating: Create privacy policies and procedures according to the requirements.
  • Step 5, Implementing: Develop and implement a detailed change management plan for privacy.
  • Step 6, Monitoring: Monitor compliance and report any discrepancy.
Organizational Roles
Different roles in an organization contribute toward managing privacy issues. Let us look at each role.
  • Legal Officer: This individual is responsible for interpreting existing laws and regulations to ensure compliance. This individual plays a major role in steps 3 and 6.
  • Information Technology Officer: This individual is responsible for maintaining the network and the operating systems to ensure their availability to business users. This individual plays a major role in steps 2-6.
  • Senior Management: These individuals are responsible for the overall well-being and success of the organization. They need to balance security, availability, efficiency, and cost factors to maximize profits and success. These individuals monitor the complete process.
  • Chief Information Security Officer: This individual is responsible for ensuring the total security of the information created, used, and stored by the organization. This individual maintains compliance with the privacy policies as created by senior management and interpreted by the legal officer. This individual is also responsible for the overall functioning of privacy policies.
  • Chief Privacy Officer: This individual is responsible for managing the risks and business impacts of privacy laws and policies. This individual is also responsible for the overall functioning of privacy policies.

Private vs. Public Information
Privacy laws are adopted on the basis of individual or organizational requirements in various contexts. The context of information decides whether information should be hidden or made public.

Review the following characterization of public versus private information. Can you think of other types of private or public information? Try categorizing the type of information as public or private. Then, click the ACTIVITY button to answer a simple question on categorization of information.

Private Information
  • Social security numbers
  • Financial details
  • Health information
  • Biometric data
  • Criminal history data

Public Information
  • Birth and death certificates
  • Minutes of meetings of government agencies
  • Real estate filings
  • Sex offender registration lists
  • Court records

Privacy Laws
Imagine a life without any privacy. What will happen if someone gets access to your credit card information? Isn't it frightening even to imagine?

In a world where the Internet is so much a part of our lives, the importance of privacy laws is quite evident. Let us look at some important privacy laws.
  • The Fourth Amendment to the U.S. Constitution protects individuals against unreasonable government searches and seizures.
  • The Health Insurance Portability and Accountability Act (HIPAA) is an important act for health care professionals. It protects the information of patients and their families by ensuring it does not become public, unless required.
  • The Sarbanes-Oxley (SOX) Act of 2002 protects shareholders and the public from accounting errors and fraudulent practices in any business unit.

In this section, you will have an opportunity to practice the concepts and processes that you have explored in this lesson.

The Hands-On Lab provides you with an engaging learning experience that is diagnostic and flexible. Following the instructions provided in the Lab Manual, you will be able to practice the steps IT Security Specialists perform on a daily basis and develop the skills required for effective execution and management of IT Security operations.

In this section, you will have an opportunity to apply what you’ve learned in this lesson in the context of analyzing a business situation. Although simplified, a problem scenario provided here depicts the challenges often faced by professionals in the workplace.

In this interactive case study, you will explore a business situation, review critical information related to the problem discussed in the case, decide on the course of action, and receive a decision analysis summary that discusses the implications of your decision. Once you analyze the impact of your decision, explore alternative solutions to learn about other potential ways to address the issue in the case. Complete your work on the case by submitting the graded assignment that will reflect on your process of analyzing the business situation and defining an appropriate course of action.

In your lab, you have suggested remedies for the Department of Veterans Affairs. Do you think all your suggestions will be incorporated in the system, or do you need to provide a rationale for implementing each remedy?

You meet the chief security officer of your company to discuss the next steps. After you have gone through the challenge, proceed to Contributing Factors.

Chief Security Officer:
I have just finished a meeting on data theft with the board of directors. As you know, the situation is critical, so the board has decided to strengthen the information technology systems in the department. The board has looked at all the remedies you have provided to prevent information loss, and I must say that all the directors are really impressed by your suggestions.

We have planned another meeting next week, where the board will finalize the remedies to implement in the systems. So, the board wants you to create a summary that supports your list of suggested remedies. I will send you an e-mail detailing what is required in your summary.

Contributing Factors
Where can you gather information on this case? Review each of the following contributing factors, then proceed to Course of Action.

Ask a Consultant

Review Documents

Read E-mail

Richard Dow, Project Manager:
Well, I will answer all three questions. First, if you really want to know about our primary mode of communication with the client, it is e-mail. At times, we do transfer confidential files by e-mail. For your second question, I will say that when the work pressure is high, we do take our work home using office assets, such as laptops, external hard drives, or CDs. I think most of the employees here do this. The response to your third question is yes. The logon details and system access of the former employees are still active.
Hi,

As discussed with you, you need to create an executive summary of the suggestions you provided in the lab. Analyze the mistakes committed by both employees and the Veterans Affairs Administration that led to data loss. Include a rationale for each remedy that will mitigate or eliminate the mistakes. In addition, include methods that will ensure proper monitoring and enforcement of the existing security policies.

The summary should look professional and highlight your suggested remedies with appropriate reasons. So, before you write it, consider all the factors that contributed to the data loss.

All the best!

Kind regards,
Andrew Symonds
Chief Security Officer
Department of Veterans Affairs
Refer to the Department of Veterans Affairs case study provided in the lab. In addition, refer to the document you created in your lab for the suggested remedies.
Course of Action
Use the following checklist as a guide to complete this assignment. Note that the tasks that you have completed are already checked in the list.

Tasks

  • Discuss with the chief security officer.
  • Consider all the factors that contribute to the challenge.
  • Review the case of the Department of Veterans Affairs.
  • Analyze the mistakes of employees and the Veterans Affairs Administration.
  • Create a summary, in a bullet-point list, of all the suggested remedies.
  • Write your rationale for each suggested remedy.
  • Prioritize your suggested remedies for the given challenge.
  • Write your final recommendations.
  • Do a self-review of the executive summary with respect to the evaluation criteria mentioned in the assignment requirements.
  • Submit the assignment to your instructor.
At the end of this lesson, you should be able to:
  • Contrast information security and the concept of privacy.
  • Examine the sources of privacy law.
  • Describe threats to personal privacy in the information age.
  • Identify the general principles for privacy protection in information systems.
In this lesson, you will be introduced to privacy. You will explore the differences between information security and privacy. You will learn how to implement privacy policies in organizations. Different roles in an organization contribute toward managing privacy issues. You will also learn about these roles. In addition, you will apply your learning from this lesson to solve the privacy concern in the given scenario.