WEBVTT

00:00.770 --> 00:05.300
A real challenge to I.T. Security is how do we deal with our data.

00:05.510 --> 00:08.430
Now there's data and there's data if you know what I mean.

00:08.480 --> 00:14.000
And in this episode what I want to do is talk about the different types of data so that we can sort

00:14.000 --> 00:17.160
of label how careful we have to be with our data.

00:17.240 --> 00:22.640
And then also to the different types of roles that people play in terms of how they handle that data.

00:22.640 --> 00:26.940
So let's start off with data sensitivity and data labeling.

00:26.960 --> 00:32.810
In this case all the different data that we are in control of has a different amount of importance to

00:32.810 --> 00:35.030
us and we have some pretty standard terms here.

00:35.090 --> 00:37.970
So let's go ahead and go through these real quick.

00:37.970 --> 00:43.820
First of all we have what's known as public data public data is data that has no restriction of any

00:43.820 --> 00:44.490
form.

00:44.540 --> 00:46.380
It is within the public domain.

00:46.400 --> 00:48.000
Everybody knows about it.

00:48.170 --> 00:53.420
Your postal address or at least the postal address not necessarily who lives at the house would be an

00:53.420 --> 00:55.040
example of public data.

00:55.340 --> 01:01.510
Also GIS information graphical information of the town and where the rivers and bridges are and such

01:01.520 --> 01:07.870
that would be an example of public data so public data basically as far as we're concerned has no restrictions.

01:08.000 --> 01:14.360
And it's the data that we're least concerned about next is going to be confidential data confidential

01:14.360 --> 01:19.610
data is data that one party offers to a second party but only to that party.

01:19.640 --> 01:24.660
So I'm going to give you some information about me but I'm not going to let.

01:24.800 --> 01:26.930
I don't want you to have anybody else have it.

01:26.930 --> 01:33.500
In fact these are the cases where we'll do things like make you or your organization fill out a nondisclosure

01:33.500 --> 01:42.470
agreement that basically says OK as a vendor you're going to know how much metal we're selling to everybody.

01:42.470 --> 01:46.320
So in that particular case you don't tell anybody else.

01:46.350 --> 01:54.610
And that's why we do the NDAs. Private information is information that is private to an individual in

01:54.610 --> 01:55.750
this one particular case.

01:55.750 --> 01:58.690
For example would be your social security number.

01:58.690 --> 02:07.000
So what we're doing with private information we also deal with something called PII or privately identifiable

02:07.000 --> 02:13.540
information so privately identifiable information is private information it's the same animal but whereas

02:13.540 --> 02:16.820
private information might just be a social security number.

02:17.040 --> 02:22.900
PII would include your name your address your Social Security number and your cell phone number.

02:22.900 --> 02:30.870
So PII is most certainly private but one piece of private information is not necessarily PII.

02:31.330 --> 02:36.910
Next is going to be proprietary proprietary is kind of like private information but really just for

02:36.910 --> 02:38.020
a corporation.

02:38.230 --> 02:46.420
So if a corporation has information that gives it some form of competitive advantage we call that proprietary

02:46.420 --> 02:47.410
information.

02:47.620 --> 02:55.270
So the formula for Coca-Cola would be a great example of proprietary information. Here at Total Seminars

02:55.660 --> 03:01.450
my ability to stay good looking for all these many decades would be an example of proprietary information.

03:01.830 --> 03:02.180
OK.

03:02.210 --> 03:04.960
So it's... I thought it was funny. And so last,

03:04.960 --> 03:12.160
we're going to have private health information and private health information is any form of information

03:12.430 --> 03:16.390
that has to deal with the health of a particular person.

03:16.390 --> 03:23.980
This became a big deal not that long ago when here in the United States about 15 years ago we had our

03:23.980 --> 03:29.380
HIPAA laws that came out because basically it was becoming really easy for insurance companies and health

03:29.380 --> 03:33.080
centers to exchange information that well they probably didn't need to have.

03:33.310 --> 03:38.290
So that's what we're talking about is going to be the health information.

03:38.290 --> 03:41.710
Also keep in mind with HIPAA it's in terms of your health itself.

03:41.830 --> 03:47.440
But it's also the PII so that we know that that health insurance has health information has to do with

03:47.440 --> 03:52.910
you personally so PHI often includes some amount of PII as well.

03:53.270 --> 03:59.830
OK so now we've gone through some of the types of different types of data labels or data sensitivity

03:59.840 --> 04:01.070
we hear that term a lot.

04:01.120 --> 04:06.510
What I want to do now is I want to start talking about the people who actually deal with this data in

04:06.520 --> 04:12.070
what we call data roles.

04:12.080 --> 04:14.420
Your organization has lots of data.

04:14.420 --> 04:21.680
Now the problem that we have here is that if we've labeled the data that's great but then we have all

04:21.680 --> 04:23.640
these different globs of data.

04:23.660 --> 04:28.630
No organization has one single database that everybody does everything from.

04:28.700 --> 04:35.240
We have all kinds of different chunks of data that different people within our organization have to

04:35.240 --> 04:36.260
deal with.

04:36.260 --> 04:41.360
So what I want to do real quick is go over what we call data roles. It's easy, there's only three of them.

04:41.360 --> 04:47.960
First of all there is the owner of the data now the owner of the data is the person who has the legal

04:47.960 --> 04:54.320
responsibility of the person who can actually make money the person who is responsible for that data.

04:54.320 --> 05:01.240
So in most corporate situations the owner of the data is not a person but a corporation itself.

05:01.250 --> 05:05.890
So we have to know who is owning that data at any given moment.

05:05.900 --> 05:10.730
Now you would think well all that is owned by the company not necessarily there can be situations where

05:10.730 --> 05:16.760
we're using vendor data where we're taking personal information and in those types of situations we

05:16.760 --> 05:21.590
can have multiple owners sometimes even within the same database although we try to avoid that if at

05:21.590 --> 05:23.230
all possible.

05:23.360 --> 05:28.490
The next thing we're going to be dealing with is the steward or the custodian the steward or the custodian

05:28.490 --> 05:37.340
is the group the person the other organization whose job is to maintain the accuracy and the integrity

05:37.370 --> 05:38.720
of that data.

05:38.750 --> 05:44.300
So who that person might be really depends a lot in fact later in this episode when we talk about user

05:44.300 --> 05:46.300
awareness we can break this down a lot more.

05:46.460 --> 05:53.420
But there's always going to be somebody who is actually in charge of the day to day care of that particular

05:53.420 --> 05:54.110
data.

05:54.440 --> 06:01.580
And the last person who comes into play is a privacy officer a privacy officer is the person who is

06:01.610 --> 06:08.480
in charge of ensuring that we're dealing with good personal health information personally identifiable

06:08.480 --> 06:11.150
information for that particular database.

06:11.150 --> 06:16.280
So once you've got these basics let's really get in the fun part and let's talk about user awareness

06:16.370 --> 06:18.920
and the many different types of users who use data

06:22.520 --> 06:28.610
when it comes to data we really have to categorize the people who are using that data and we define

06:28.610 --> 06:30.760
this by what we call roles.

06:30.770 --> 06:36.710
Now I want to be careful here because when we talk about this type of organization we use it not only

06:36.710 --> 06:39.980
for data but also for systems.

06:40.040 --> 06:45.260
It might depend in terms of who's in charge of a particular system so there's a little bit of interlock

06:45.260 --> 06:51.150
between the idea of user roles for data and user roles for system so if you hear me sneak in the word

06:51.150 --> 06:56.050
systems these things are actually quite interchangeable within those two terms.

06:56.050 --> 06:57.900
So let's go out and run through this.

06:57.920 --> 07:02.200
Now first of all the most important one we're going to have are just users.

07:02.270 --> 07:08.870
Users have the standard amount of permissions to do whatever they need to do with that data or that

07:08.870 --> 07:09.740
system.

07:09.800 --> 07:15.230
They understand how their data functions and they're also aware of common problems like if they see

07:15.230 --> 07:21.620
corrupted data or if they're worried about malware they actually have procedures in place to deal with

07:21.620 --> 07:28.060
that even if that procedure is nothing more than dialing up to I.T. support. After users,

07:28.070 --> 07:33.470
you're going to have what we call privileged users. A privileged user has increased access and control

07:33.500 --> 07:35.330
over the data or system.

07:35.360 --> 07:41.420
But the big difference here is that now you need to be careful a privileged user almost never has the opportunity

07:41.420 --> 07:43.700
to actually delete all the data.

07:43.700 --> 07:47.870
They might be able to delete a record for example or something like that where a user can only mark

07:47.870 --> 07:49.050
things for deletion.

07:49.280 --> 07:53.900
But the big important thing is that a privileged user is going to have increased access they will be

07:53.900 --> 07:58.760
able to see more of the data and they'll have increased control relative to a user.

07:58.760 --> 08:05.750
Now an executive user is kind of a unique type of user when it comes to data. An executive user is the

08:05.840 --> 08:09.310
user who makes strategic decisions about this.

08:09.350 --> 08:12.080
They'll be the person who sets policies for it.

08:12.080 --> 08:15.130
They'll be the person who verifies backups are being done.

08:15.130 --> 08:19.520
They don't actually do it but they're the person who actually watches over that type of stuff.

08:19.520 --> 08:25.430
So this is probably going to be the head of the sales department who's looking at certain strategic aspects

08:25.430 --> 08:26.700
of the data.

08:27.350 --> 08:33.710
So next when it comes to backups as we have system administrators a system administrator by definition

08:33.710 --> 08:39.290
will have complete control over the data or system and the system and the system administrator could

08:39.290 --> 08:41.020
delete the entire database.

08:41.090 --> 08:44.420
The system administrator could erase the entire system.

08:44.420 --> 08:51.790
They're in charge of the day to day manipulation and administration of that data set and they've got

08:51.790 --> 08:56.080
a big job they're the one who sets the permissions for users and privileged users.

08:56.080 --> 09:01.030
They're the ones who give the executive users opportunities to make overviews of that particular data

09:01.030 --> 09:03.240
set whatever it might be.

09:03.250 --> 09:08.770
They're the guys who are in charge of that. Last is the data owner or in this case system owner as

09:08.770 --> 09:10.060
well.

09:10.090 --> 09:15.490
Now as we had already mentioned earlier in this episode these are the people or usually organizations

09:15.730 --> 09:21.940
who actually have legal ownership of this particular data set or of this particular system.

09:21.940 --> 09:27.430
So when we're talking about an owner we're talking about not only do they have ownership but they also

09:27.430 --> 09:29.670
have all the legal responsibility.

09:29.980 --> 09:35.620
So when we're talking about organizing data make sure you're familiar with every single one of these

09:35.620 --> 09:38.500
different churches because folks you're going to see it on the exam.
