Data Privacy
Slides & Presentations, VerSprite Security Resources, Webinars
Data Management: Best Practices for Security & Privacy
Watch Now
Cybersecurity Library, Ebooks & Guides, VerSprite Security Resources
How to Minimize Data Risk & Strengthen Your Security Posture
Watch Now
Security Training, VerSprite Security Resources
How To Keep Company Data Secure in Remote Office Settings
Watch Now
Slides & Presentations, VerSprite Security Resources
Understanding Data Privacy in a Digital Age
Watch Now- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Privacy Impact Assessments (PIA) / Privacy Threshold Analysis (PTA)
VerSprite provides an array of privacy services that help identify data flows and where privacy concerns are warranted. This plays a critical role in an evolving and complex world where privacy laws like the Health Insurance Portability & Accountability Act (HIPAA) as well as Global Data Privacy Regulation (GDPR) require greater assurances around privacy authorization and protection controls.
Using our PASTA methodology, VerSprite helps you deliver a privacy strategy that is not only backed by your legal adherence to more stringent laws, but also to develope and manage technology that supports greater privacy protection for your customers.
PIA / PTA:
Need to determine the impact level to which your data may be infringing upon personal privacy?
Both PIAs and PTAs are good indicator as to identify the following:
- Has authorization to use the data been obtained?
- Is the data retention period infringing on any retention laws for the data or a subset?
- To what degree is the data being protected (e.g. – encrypted, access controled, etc.)?
- Is there a clear business need to use the data?
- How much data is being obtained as part of the authorized business function?
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
VerSprite Addresses Your Privacy Challenges
VerSprite provides a managed service model to deliver PIAs and/or PTAs as an ongoing and integrated service to your business. Mergers and acquisitions and third-party vendors can jeopardize data privacy and compliance adherence.
Our holistic security process considers privacy risks that could affect an organization. We employ our PASTA threat modeling framework to address privacy challenges.
PASTA for Privacy Framework
We introduced a PASTA for Privacy framework which represents a risk-centric approach to scoping data environments, evaluating data management strategies, and evaluating security controls like encryption, backup policies, and retention practices.
1. Defining the Objectives:
Obvious goals are to comply with a given law, however, as many laws are overarching and some even yet contrary to business objectives, defining these objectives around a product, project or overall business model needs to be defined. A good start is to conduct a PTA to see the extent to which given privacy laws affect an organization’s current policies around data usage (as supported by a privacy policy), data retention, cryptographic uses, data sharing and transfers and other common data use cases. For these reasons, a business must evaluate how and to what degree they can abide by a myriad of privacy laws that could influence how data management is conducted.
2. Defining the Project Scope:
Scope is everything. From when and where PII data flows into an environment, how it gets transmitted amongst infrastructure components, processed amongst application components, stored and ultimately managed over its given lifecycle is extremely important. For many, this is one of the most difficult steps in any privacy readiness effort. VerSprite helps to identify where and how PII is being transmitted, processed, and stored and where de-scoping opportunities can be achieved while not impairing operational or product goals.
3. Decomposing Data Flows:
One of the hardest things for any organization to fulfill is the ability to understand their data flows for a defined scope. Most resort to qualitative assessments versus combining with more conclusive technical evidence on how data is truly being shared across and beyond a defined environment or product scope. VerSprite leverages a dual process to qualify ingress and egress data flows from the defined scope achieved in phase two of VerSprite’s PASTA for Privacy framework.
4. Threats from Privacy Violations/ Non-Compliance:
This phase is not about determining how PII is sought by cybercriminals but rather examining privacy laws, cases, and lawsuits that serve as precedence to possible consequences from non-abiding organizations. This analysis builds a precedence and urgency around how a company should shore up privacy control gaps and in what amount of timeframe. VerSprite’s focus with this phase is to determine how active legal related risks are around privacy-law non-conformance.
5. Analyze Weaknesses in Privacy Protection:
Internal processes and technical controls around in scope networks, systems, and applications are reviewed to see where clear gaps exist. Direct and implied controls from privacy statutes are translated into technical controls that can be identified within and across the in-scope network or architecture. VerSprite reviews control gaps at the persistent data tier (e.g. – filesystems, databases, caches, etc.), across data transmission infrastructure, as well as applications or software that represent a processing tier.
6. Modeling [Privacy] Based Attacks:
Data protection comes in different levels of maturity and testing for the resiliency of protection helps determine how well PII controls fare against common abuse cases. Building from the prior phase, VerSprite emulates privacy based attacks to demonstrate viability of exposure. This helps to support a risk based approach and determine what prerequisites are needed for illicit data access (when and if possible). This also helps as a clear risk analysis to auditors, clients, and regulators who wish to understand a more scientific approach to how a company qualified the effectiveness of security controls for an in-scope environment.
7. Analyze Risk and Impact:
The prior 6 steps of PASTA for Privacy culminate with a risk analysis phase aimed at determining what risk reduction steps are needed. Often, this can translate to remediation efforts that are technical in level (i.e. – applying greater cryptographic controls, reducing data retention levels, etc.) or business process related (i.e. – leveraging third party tokenization or anonymization data services, divesting the receipt and use of certain data components, improved contractual clauses that transfer risk).
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Download Envisions 2023: Critical Threat Report
Explore how cyberwarfare and geopolitics intersect to fuel threat campaigns targeting remote work, medical services, global logistics, cyberattacks on cost-effective business support services, and more.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Related Resources
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
