Page 720 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

personnel and general property. The business continuity plan (BCP) and disaster recovery plan (DRP) address IT and business continuity and recovery issues.


Privacy Responsibilities and Legal Requirements

The safety of personal information also needs to be addressed in any organization's security policy. In addition, the security policy must conform to the regulatory requirements of the industry and jurisdictions in which it is active.

Privacy means protecting personal information from disclosure to any unauthorized individual or entity. In today's online world, the line between public and private information is often blurry. For example, is information about your web-surfing habits private or public? Can that information be gathered legally without your consent? And can the gathering organization sell that information for a profit that you don't share in? In addition, your personal information includes more than information about your online habits; it also includes who you are (name, address, phone, race, religion, age, and so on), your health and medical records, your financial records, and even your criminal or legal records. In general, such information falls under the heading of personally identifiable information (PII), as described in the National Institute of Standards and Technology (NIST) publication Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), available online at https://csrc.nist.gov/publications/detail/sp/800-122/final.

Dealing with privacy is a requirement for any organization that has employees. Thus, privacy is a central issue for all organizations. Protection of privacy should be a core mission or goal set forth in the security policy for any organization.

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is an EU regulation focused on the protection of citizens and their rights and control over their personal data. While the United States does not have an equivalent set of laws protecting U.S. citizens, many U.S. companies adopt some of the GDPR elements in order to attract and maintain employees and customers as well as gain the