Privacy vs confidentiality - alishahbaz/ITGRC GitHub Wiki

Privacy and Confidentiality in Cybersecurity and ITGC

Privacy and confidentiality are closely related but have distinct meanings, especially in cybersecurity and compliance contexts:

Privacy

Privacy: Refers to an individual's right to control their personal information—how it's collected, used, and shared. It focuses on protecting personal data from unauthorized access or disclosure. For example, GDPR and HIPAA regulations enforce privacy rights.

Confidentiality

Confidentiality: Refers to the duty to protect sensitive information from unauthorized access, regardless of whether it's personal or business-related. It applies to company secrets, trade secrets, financial data, and any information that must be restricted to authorized parties.

Key Differences

Privacy is about personal rights, while confidentiality is about data security.
Privacy applies to individuals, while confidentiality applies to information in general.
Privacy is governed by laws (e.g., GDPR, CCPA, HIPAA), whereas confidentiality is often enforced through agreements (e.g., NDAs) and security controls.

Cybersecurity Perspective

Privacy: Protecting user data, such as Personally Identifiable Information (PII), from being misused or collected without consent.

Example: A bank ensures that customer account details are only accessible by authorized employees and not sold to third parties without consent (e.g., GDPR compliance).

Confidentiality: Preventing unauthorized access to sensitive data, whether personal or business-related, through security controls.

Example: An organization encrypts its internal financial reports to ensure only executives can access them (e.g., CIA Triad—Confidentiality, Integrity, Availability).

ITGC Perspective (SOX, PCI DSS, ISO 27001)

Privacy in ITGC:

SOX: Ensures financial data privacy through access control and audit trails.
PCI DSS: Protects credit cardholder data (e.g., storing only necessary data and encrypting it).
ISO 27001: Establishes policies on data privacy and user consent.

Confidentiality in ITGC:

SOX: Restricts access to financial reports to prevent insider fraud.
PCI DSS: Uses encryption and role-based access control (RBAC) to secure payment data.
ISO 27001: Implements security controls like least privilege, multi-factor authentication (MFA), and data classification.

Practical Example

A healthcare provider handling patient records must ensure:

Privacy: Patients' personal health data is not shared with third parties without consent (HIPAA compliance).
Confidentiality: Only authorized doctors and nurses can access the records, using secure authentication methods.

XYZ Corp ITGC Case Study

Security Challenges

XYZ Corp, a multinational financial services firm, handles customer financial records, credit card transactions, and internal audit reports. The company is undergoing a compliance audit and has identified the following security concerns:

Unauthorized Data Sharing: Some employees have access to customer personal information (PII) that is not required for their roles.
Weak Access Controls: Internal financial reports are stored on a shared drive accessible to all employees.
Unencrypted Payment Data: Credit card transaction logs are stored in plaintext in the database.
Lack of Audit Trails: No logs exist to track who accesses customer financial records.

Exercises

Exercise 1: Identify Privacy vs. Confidentiality Issues

For each of the security concerns above, classify whether it’s a privacy issue or a confidentiality issue and justify your answer.

Exercise 2: ITGC Compliance Mapping

Match each issue to the relevant compliance framework (SOX, PCI DSS, or ISO 27001).

Which standard mandates access control for financial reports?
Which standard enforces encryption of payment data?
Which framework requires logging of data access?

Exercise 3: Risk Mitigation Plan

For each issue, propose ITGC controls to fix it. Consider:

Implementing role-based access control (RBAC)
Encrypting sensitive data
Enforcing audit logging
Conducting periodic access reviews

ITGC Implementation Plan

1. Unauthorized Data Sharing (Privacy Issue)

Compliance Impact:

ISO 27001 (A.9.4.1 - Access Control Policy)
SOX (Section 404 - Internal Controls)

Solution: Implement Role-Based Access Control (RBAC)

Data Classification: Categorize data and restrict PII access.
Access Control Policy: Define roles and apply least privilege.
Technical Implementation: Use Active Directory (AD) or IAM for enforcement.
Monitoring & Review: Conduct quarterly access reviews.

2. Weak Access Controls (Confidentiality Issue)

Compliance Impact:

SOX (Section 302 - Data Integrity & Protection)
ISO 27001 (A.9.2 - User Access Management)

Solution: Implement Least Privilege & MFA

Restrict Access: Move financial reports to a secured drive.
Implement Multi-Factor Authentication (MFA): Require for sensitive data access.
Audit Access Logs: Enable detailed logging.
Periodic Review: Conduct semi-annual access reviews.

3. Unencrypted Payment Data (Confidentiality Issue)

Compliance Impact:

PCI DSS (Requirement 3 - Encryption of Cardholder Data)
ISO 27001 (A.10 - Cryptographic Controls)

Solution: Enforce Encryption & Tokenization

Encrypt Stored Payment Data: Use AES-256 encryption.
Encrypt Data in Transit: Enforce TLS 1.2 or higher.
Implement Tokenization: Replace stored credit card numbers with tokens.
Regular Compliance Scans: Conduct quarterly PCI DSS vulnerability scans.

4. Lack of Audit Trails (Privacy & Confidentiality Issue)

Compliance Impact:

SOX (Section 404 - Audit Controls)
PCI DSS (Requirement 10 - Logging & Monitoring)
ISO 27001 (A.12.4 - Logging & Monitoring)

Solution: Implement Centralized Logging & SIEM

Enable Logging: Activate logs for all critical systems.
Deploy SIEM: Use Splunk, Sentinel, or ELK for analysis.
Implement Log Retention: Store logs for 1+ years.
Conduct Monthly Audit Reviews: Automate anomaly detection.

ITGC Policy

1. Access Control Policy

RBAC Implementation
MFA Enforcement
Quarterly Access Reviews
Separation of Duties (SoD)
Account Termination within 24 hours

2. Data Encryption Policy

AES-256 for Data at Rest
TLS 1.2+ for Data in Transit
HSM for Key Management
Tokenization of Payment Data

3. Audit Logging & Monitoring Policy

Centralized Logging in SIEM
Log Retention (PCI: 1 year, SOX: 7 years)
Real-Time Alerts for Unauthorized Access
Quarterly Log Reviews

ITGC Compliance Audit Checklist

1. Access Control Audit (SOX, ISO 27001, PCI DSS)

#	Control Requirement	Status (✔/✘)	Comments
1.1	Is RBAC implemented?
1.2	Is MFA enabled?
1.3	Are quarterly access reviews conducted?

2. Data Encryption Audit (PCI DSS, ISO 27001)

#	Control Requirement	Status (✔/✘)	Comments
2.1	Is data encrypted at rest using AES-256?
2.2	Is data transmitted using TLS 1.2+?

3. Audit Logging & Monitoring (SOX, PCI DSS, ISO 27001)

#	Control Requirement	Status (✔/✘)	Comments
3.1	Are logs centralized in a SIEM?
3.2	Are audit logs retained per compliance standards?

4. Compliance & Incident Response Audit

#	Control Requirement	Status (✔/✘)	Comments
4.1	Is there an Incident Response Plan?
4.2	Are security teams notified of unauthorized access?

Summary

Privacy issues arise from unauthorized PII access.
Confidentiality issues stem from weak access controls and encryption gaps.
SOX, PCI DSS, and ISO 27001 require access restrictions, encryption, and logging.

XYZ Corp IT General Controls (ITGC) Case Study

Overview

XYZ Corp, a multinational financial services firm, is undergoing an ITGC compliance audit. The company handles sensitive financial records, customer data, and payment transactions. Recent security assessments have identified critical risks that need remediation to meet compliance standards, including SOX, PCI DSS, and ISO 27001.

Security Challenges

Unauthorized Data Sharing
- Employees have unnecessary access to customer personal information (PII).
Weak Access Controls
- Financial reports stored on a shared drive are accessible to all employees.
Unencrypted Payment Data
- Credit card transaction logs are stored in plaintext.
Lack of Audit Trails
- No tracking of who accesses customer financial records.

Exercise 1: Privacy vs. Confidentiality Issues

For each issue, determine whether it is a privacy issue or a confidentiality issue, and provide justification.

Exercise 2: Compliance Framework Mapping

Match each issue to relevant standards:

SOX: Internal controls for financial reporting
PCI DSS: Protection of payment card data
ISO 27001: Information security management

Exercise 3: Risk Mitigation Plan

For each issue, propose ITGC controls, including:

Role-Based Access Control (RBAC)
Encryption of Sensitive Data
Audit Logging Implementation
Periodic Access Reviews

ITGC Implementation Plan

1. Unauthorized Data Sharing

Compliance Impact: ISO 27001 (A.9.4.1), SOX (Section 404)
Solution: Implement RBAC, define access policies, and enforce quarterly access reviews.

2. Weak Access Controls

Compliance Impact: SOX (Section 302), ISO 27001 (A.9.2)
Solution: Restrict shared drive access, enforce MFA, and audit access logs.

3. Unencrypted Payment Data

Compliance Impact: PCI DSS (Requirement 3), ISO 27001 (A.10)
Solution: Implement AES-256 encryption, enforce TLS 1.2+, and introduce tokenization.

4. Lack of Audit Trails

Compliance Impact: SOX (Section 404), PCI DSS (Requirement 10), ISO 27001 (A.12.4)
Solution: Implement SIEM for centralized logging, enable log retention, and set up real-time alerts.

ITGC Policy Framework

1. Access Control Policy

Implement RBAC & MFA
Conduct quarterly access reviews
Enforce separation of duties

2. Data Encryption Policy

AES-256 for stored data
TLS 1.2+ for data in transit
HSM for key management

3. Audit Logging & Monitoring Policy

Centralized SIEM logging
Log retention per compliance standards
Real-time monitoring & alerts

Compliance Audit Checklist

Control Area	Requirement	Compliance (✔/✘)	Comments
Access Control	RBAC implemented?
Encryption	Data encrypted at rest?
Logging & Monitoring	Centralized SIEM logging?

Summary

This case study outlines ITGC security challenges, compliance requirements, and remediation strategies to align XYZ Corp with SOX, PCI DSS, and ISO 27001 standards.