Data Security vs Information Privacy

Over the past several years, regulators have made a clear distinction between data security and information privacy. Data security focuses on the system controls that limit the access to data. Information privacy is focused on the data elements that are stored on a system. These data elements are generally defined as personally identifiable information (PII) or may be industry specific such as protected healthcare information (PHI).

Key Definitions:

  • Identity: The identity is typically the user ID
  • Authorized Users: These are the users that have been given permission to access files, data, etc.
  • Authentication: Authentication is the mechanism used by the user to prove they are who they say they are. Authentication is typically a password, but can and should include two factor, or multifactor authentication (2FA/MFA). Ideally, the authentication mechanism should prove non-repudiation, assurance that someone cannot deny the validity of something.
  • Data Owner: The data owner defines who is permitted  access to the data elements, how long data is to be retained, etc.
  • Data Custodian: The data custodian implements the system (IT) controls that only allow authorized users to access the data

Principle of “Least Privilege”

Least privilege is a basic security concept that limits the amount of information made available to a user. Users should only be provided the minimum amount of access that is needed for them to perform their job function. Data owners define who and how much data is to be provided to the user.

Key Concept:

Highly Privileged Accounts (HPA): HPA are network administrative accounts and should only be used when network support or maintenance is being performed. Any user that has an HPA should also have a regular user ID that should be used to perform their daily tasks. HPA access should be monitored and logged.

Information Privacy is focused on the rights of the individual, while Data Security is focused on protecting data from unauthorized access. At Quanexus, we focus on both, Information Privacy and Data Security.  It is important to understand the difference when building a secure network environment.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on FacebookTwitter and LinkedIn and stay up to date on by subscribing to our email list.

Posted by Charles Wright