Data Privacy
Understanding Privacy Violations
Privacy violations largely stem from companies not knowing about their data ownership, data flows, along with state, federal and international requirements for data use and overall privacy.
Privacy Impact Assessments (PIA) / Privacy Threshold Analysis (PTA)
VerSprite provides an array of privacy services that help identify data flows and where privacy concerns are warranted. This plays a critical role in an evolving and complex world where privacy laws like the Health Insurance Portability & Accountability Act (HIPAA) as well as Global Data Privacy Regulation (GDPR) require greater assurances around privacy authorization and protection controls.
Around the technical considerations needed to demonstrate a responsible approach to data use and overall privacy, VerSprite can help you deliver a privacy strategy that is not only backed by your legal adherence to more stringent laws, but also in developing and managing technology that supports greater privacy protection for your customers. Some of the services that are offered in support of these efforts include the following:
PIA / PTA:
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Need to determine the impact level to which your data may be infringing upon personal privacy?
Both PIAs and PTAs are good indicator as to identify the following:
- Has authorization to use the data been obtained?
- Is the data retention period infringing on any retention laws for the data or a subset?
- To what degree is the data being protected (e.g. – encrypted, access controled, etc.)?
- Is there a clear business need to use the data?
- How much data is being obtained as part of the authorized business function?
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
VerSprite Addresses Your Privacy Challenges
VerSprite can provide a managed service model to deliver PIAs and/or PTAs as an ongoing and integrated service to your various projects groups. Enterprise projects can sometimes jeopardize privacy adherence via fast moving projects that have not gone through a formal process.
A security process around privacy can provide the necessary tollgate to consider privacy risks that could affect an organization. We have altered our PASTA threat modeling framework to address privacy challenges. Below is a high level infographic that provides some insight into our process stages for executing privacy engagements:
1. Define the objectives
2. Define the project data scope
3. Decompose the data flow
4. Analyze the threats
5. Analyze vulnerabilities and weaknesses
6. Model the attacks
7. Analyze risk & impact
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
VerSprite’s Process for Executing Privacy Engagements
For many businesses, privacy risks can manifest into class action lawsuits, regulatory fines, reputational loss, and more. These risks threaten unprepared companies who are ushering products, data services into countries or even states where data privacy laws are more stringent.
Non-compliance can threaten business operations and as a result, VerSprite has leveraged its PASTA threat modeling framework to restructure its approach to privacy professionals, lawyers, and CIOs who are losing sleep on how to tackle the threats of non-compliance to local and global privacy laws.
This has introduced a PASTA for Privacy framework which represents a risk centric approach to scoping data environments, evaluating data management strategies and evaluating security controls like encryption, backup policies, retention practices and other controls that affect data privacy.
PASTA for Privacy Framework
A high-level description of each phase is reflected below:
-
Defining the Objectives:
Obvious goals are to comply with a given law, however, as many laws are overarching and some even yet contrary to business objectives, defining these objectives around a product, project or overall business model needs to be defined. A good start is to conduct a PTA to see the extent to which given privacy laws affect an organization’s current policies around data usage (as supported by a privacy policy), data retention, cryptographic uses, data sharing and transfers and other common data use cases. For these reasons, a business must evaluate how and to what degree they can abide by a myriad of privacy laws that could influence how data management is conducted.
-
Defining the Project Scope:
Scope is everything. From when and where PII data flows into an environment, how it gets transmitted amongst infrastructure components, processed amongst application components, stored and ultimately managed over its given lifecycle is extremely important. For many, this is one of the most difficult steps in any privacy readiness effort. VerSprite helps to identify where and how PII is being transmitted, processed, and stored and where de-scoping opportunities can be achieved while not impairing operational or product goals.
-
Decomposing Data Flows:
One of the hardest things for any organization to fulfill is the ability to understand their data flows for a defined scope. Most resort to qualitative assessments versus combining with more conclusive technical evidence on how data is truly being shared across and beyond a defined environment or product scope. VerSprite leverages a dual process to qualify ingress and egress data flows from the defined scope achieved in phase two of VerSprite’s PASTA for Privacy framework.
-
Threats from Privacy Violations/ Non-Compliance:
This phase is not about determining how PII is sought by cybercriminals but rather examining privacy laws, cases, and lawsuits that serve as precedence to possible consequences from non-abiding organizations. This analysis builds a precedence and urgency around how a company should shore up privacy control gaps and in what amount of timeframe. VerSprite’s focus with this phase is to determine how active legal related risks are around privacy-law non-conformance.
-
Analyze Weaknesses in Privacy Protection:
Internal processes and technical controls around in scope networks, systems, and applications are reviewed to see where clear gaps exist. Direct and implied controls from privacy statutes are translated into technical controls that can be identified within and across the in-scope network or architecture. VerSprite reviews control gaps at the persistent data tier (e.g. – filesystems, databases, caches, etc.), across data transmission infrastructure, as well as applications or software that represent a processing tier.
-
Modeling [Privacy] Based Attacks:
Data protection comes in different levels of maturity and testing for the resiliency of protection helps determine how well PII controls fare against common abuse cases. Building from the prior phase, VerSprite emulates privacy based attacks to demonstrate viability of exposure. This helps to support a risk based approach and determine what prerequisites are needed for illicit data access (when and if possible). This also helps as a clear risk analysis to auditors, clients, and regulators who wish to understand a more scientific approach to how a company qualified the effectiveness of security controls for an in-scope environment.
-
Analyze Risk and Impact:
The prior 6 steps of PASTA for Privacy culminate with a risk analysis phase aimed at determining what risk reduction steps are needed. Often, this can translate to remediation efforts that are technical in level (i.e. – applying greater cryptographic controls, reducing data retention levels, etc.) or business process related (i.e. – leveraging third party tokenization or anonymization data services, divesting the receipt and use of certain data components, improved contractual clauses that transfer risk).