Protecting PII (Personally Identifiable Information) is an important task for any organization that holds it. If you’re planning to take the SY0-401 or the SY0-501 Security+ exam, you should have a basic understanding of privacy concepts.
For example, can you answer this question?
Q. Your organization has decided to increase the amount of customer data it maintains and use it for targeted sales. However, management is concerned that they will need to comply with existing laws related to PII. Which of the following should be completed to determine if the customer data is PII?
A. Privacy threshold assessment
B. Privacy impact assessment
C. Tabletop exercise
D. Affinity scheduling
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Privacy Impact and Threshold Assessments
Two tools that organizations can use when completing a business impact analysis (BIA) are a privacy threshold assessment and a privacy impact assessment. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” covers these in more depth, but refers to a privacy threshold assessment as a privacy threshold analysis.
The primary purpose of the privacy threshold assessment is to help the organization identify PII within a system. Typically, the threshold assessment is completed by the system owner or data owner by answering a simple questionnaire.
If the system holds PII, then the next step is to conduct a privacy impact assessment. The impact assessment attempts to identify potential risks related to the PII by reviewing how the information is handled. The goal is to ensure that the system is complying with applicable laws, regulations, and guidelines. The impact assessment provides a proactive method of addressing potential risks related to PII throughout the life cycle of a computing system.
Remember this
A privacy threshold assessment is typically a simple questionnaire completed by system or data owners. It helps identify if a system processes data that exceeds the threshold for PII. If the system processes PII, a privacy impact assessment helps identify and reduce risks related to potential loss of the PII.
Recovery Time Objective
The recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. Many BIAs identify the maximum acceptable outage or maximum tolerable outage time for mission-essential functions and critical systems. If an outage lasts longer than this maximum time, the impact is unacceptable to the organization.
For example, imagine an organization that sells products via a website and generates $10,000 in revenue an hour. It might decide that the maximum acceptable outage for the web server is five minutes. This results in an RTO of five minutes, indicating that any outage must be limited to less than five minutes. This RTO of five minutes only applies to the mission-essential function of online sales and the critical systems supporting it.
Imagine that the organization has a database server only used by internal employees, not online sales. Although the database server may be valuable, it is not critical. Management might decide they can accept an outage for as long as 24 hours, resulting in an RTO of less than 24 hours.
Recovery Point Objective
A recovery point objective (RPO) identifies a point in time where data loss is acceptable. As an example, a server may host archived data that has very few changes on a weekly basis. Management might decide that some data loss is acceptable, but they always want to be able to recover data from at least the previous week. In this case, the RPO is one week.
With an RPO of one week, administrators would ensure that they have at least weekly backups. In the event of a failure, they will be able to restore recent backups and meet the RPO.
In some cases, the RPO is up to the minute of the failure. For example, any data loss from an online database recording customer transactions might be unacceptable. In this case, the organization can use a variety of techniques to ensure administrators can restore data up to the moment of failure.
Remember this
The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. The recovery point objective (RPO) refers to the amount of data you can afford to lose.
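As an added example (not code from the post or the study guide), the following Python sketch applies the RTO and RPO definitions above to constructed outage scenarios; the system names, timings and backup intervals are assumptions chosen to mirror the post's web server, internal database and archive examples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class System:
    name: str
    rto: timedelta              # maximum time allowed to restore after an outage
    rpo: timedelta              # maximum window of data the organization can afford to lose
    backup_interval: timedelta  # gap between restorable copies (0 = continuous replication)


def schedule_meets_rpo(system: System) -> bool:
    """Worst case is a failure just before the next backup, losing one full interval."""
    return system.backup_interval <= system.rpo


def assess_outage(system: System, last_backup: datetime,
                  failed_at: datetime, restored_at: datetime) -> dict:
    """Evaluate a single outage against the system's RTO and RPO."""
    downtime = restored_at - failed_at
    data_lost = failed_at - last_backup   # writes after the last backup cannot be restored
    return {
        "downtime": downtime,
        "rto_met": downtime <= system.rto,
        "data_lost": data_lost,
        "rpo_met": data_lost <= system.rpo,
        "schedule_ok": schedule_meets_rpo(system),
    }


def run_scenarios() -> dict:
    """Constructed scenarios mirroring the post: a 5-minute RTO web server,
    a 24-hour RTO internal database, and a one-week RPO archive server."""
    t0 = datetime(2024, 1, 8, 9, 0)
    web = System("online-sales-web", timedelta(minutes=5), timedelta(0), timedelta(0))
    db = System("internal-db", timedelta(hours=24), timedelta(hours=1), timedelta(days=1))
    archive = System("archive", timedelta(hours=24), timedelta(weeks=1), timedelta(weeks=1))
    scenarios = [
        (web, t0, t0, t0 + timedelta(minutes=7)),                    # restored 2 minutes too late
        (db, t0 - timedelta(hours=5), t0, t0 + timedelta(hours=2)),  # daily backups, hourly RPO
        (archive, t0 - timedelta(days=6), t0, t0 + timedelta(hours=1)),
    ]
    return {s.name: assess_outage(s, last, fail, back) for s, last, fail, back in scenarios}


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name}: RTO met={r['rto_met']}, RPO met={r['rpo_met']}, "
              f"backup schedule can meet RPO={r['schedule_ok']}")
```

The schedule check is the planning-time view: daily backups can never satisfy an hourly RPO, regardless of how any single outage plays out.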
Q. Your organization has decided to increase the amount of customer data it maintains and use it for targeted sales. However, management is concerned that they will need to comply with existing laws related to PII. Which of the following should be completed to determine if the customer data is PII?
A. Privacy threshold assessment
B. Privacy impact assessment
C. Tabletop exercise
D. Affinity scheduling
Answer is A. A privacy threshold assessment helps an organization identify Personally Identifiable Information (PII) within a system, and in this scenario, it would help the organization determine if the customer data is PII.
A privacy impact assessment is done after you have verified that the system is processing PII, not to determine if the data is PII.
A tabletop exercise is a discussion-based exercise used to talk through a continuity of operations plan.
Affinity scheduling is a load-balancing scheduling scheme using the client’s IP address and is unrelated to PII.
See Chapter 9 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide or Chapter 9 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on privacy issues.