Data Sharing: Preventing Privacy Harms

When implementing access control as a privacy tool, my organization:

1. Requires users to authenticate using a unique employer-provisioned identifier
3. Forbids user accounts, passwords, or other sensitive material from being stored in any unapproved tools such as Wikis, Google Docs, analytics events, or local development workstations
5. Requires passwords and authentication mechanisms to satisfy certain requirements like minimum length

To improve those access controls, my organization:

1. Locks out users for at least 30 minutes after a certain number of failed login attempts
3. Enforces password rotation at least every 90 days for the PCI environment or where MFA is not enforced
5. Requires MFA for break glass access - admin or root - to production machines; do not exceed 20 hours
7. Enforces a time out, i.e. require users to re-authenticate and re-activate after no more than 30 minutes of being idle to access resources
9. Prevents passwords and secrets on managed information resources from using vendor-specified default values

To minimize harm if data is accessed, my organization:

1. Encrypts data using end-to-end transit encryption at the service layer with mutual TLS
3. Encrypts metadata
5. Checks for errors in architecture, policy, or coding that can reveal secrets
7. Checks for partners who may not be completely reliable, like rogue employees or contractors
9. Aligns with stakeholders to ensure they understand the business impact of encryption

11. Key manages encryption

    If YES, which of the following apply?

12. 1. Rotates encryption keys on a regular basis
    2. Distributes any public keys in a certificate
13. Tailors encryption to the state of the data
15. Uses HTTPS or TLS (mTLS if possible) for data in motion