Page 347 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
information in ways that are outside the scope of what they intend to use it for. For example, if an organization states it is collecting email addresses to communicate with a customer about purchases, the organization should not sell the email addresses to third parties.

It’s common for organizations to use an online privacy policy on their websites. Some of the entities that require strict adherence to privacy laws include the United States (with HIPAA privacy rules), the state of California (with the California Online Privacy Protection Act of 2003), Canada (with the Personal Information Protection and Electronic Documents Act), and the EU (with the GDPR).

Many of these laws require organizations to follow their requirements if they operate in the jurisdiction of the law. For example, the California Online Privacy Protection Act (CalOPPA) requires a conspicuously posted privacy policy for any commercial websites or online services that collect personal information on California residents. In effect, this potentially applies to any website in the world that collects personal information, because if the website is accessible on the internet, any California resident can access it. Many people consider CalOPPA to be one of the most stringent laws in the United States, and U.S.-based organizations that follow the requirements of the California law typically meet the requirements in other locales. However, an organization still has an obligation to determine what laws apply to it and follow them.

When protecting privacy, an organization will typically use several different security controls. Selecting the proper security controls can be a daunting task, especially for new organizations. However, using security baselines and identifying relevant standards makes the task a little easier.

Many legal documents refer to the collection limitation principle. While the wording varies in different laws, the core requirements are consistent. A primary requirement is that the collection of data should be limited to only what is needed. As an example, if an organization needs a user’s email address to sign up for an online site, the organization shouldn’t collect unrelated data such as the user’s birth date or phone number.