Of course today, privacy is an issue, and one of growing concern. Any system or situation that concerns information that identifies a person uniquely, or some element that can be traced to a specific individual, falls into the realm of a privacy concern, and generally has a law governing it in some way. Now, the typical definitions or acronyms for it are personally identifiable information, as signified by PII, protected health information, or PHI, as we find under HIPAA, and personal financial information, or PFI, as we find under Gramm-Leach-Bliley.

Now, in software development projects, such data may play a role in the design, build, and testing, and the QA processes to ensure correct operation, as well as ensuring that this particular type of data, whichever one of these it may be, will be properly identified, classified, categorized, and thus in the end, protected from any sort of mishandling or collection use and disclosure errors. Now, the thing that the CSSLP needs to understand and contributes to its team's efforts, is to associate such practices and be able to evaluate the risk, any compliance requirements, and the commensurate security to ensure that appropriate protections are designed and built into the program, and in place and are properly functioning, wherever necessary.

So, let's look at some specific elements that are included in multiple types of this individually identifiable information. Now, here we have a list of directly identifying fields associated with a person's unique identity. And if we are going to be required to enable our program design to enforce a Safe Harbor list, then each of these identifiers must be captured and removed if the requirement is there for its removable, but they should be protected from disclosure through the use of other controls when they are to be retained. Common to all of these different program elements are the privacy guidelines that are becoming more and more global each day. These OECD Guidelines harken back to a standard for privacy information protection called the GAPP, or the Generally Accepted Privacy Principles.

Here we see the principles that are captured in nearly every type of privacy legislation found around the globe. We have different titles here: data controller, data processor, data subject, and others. And these rules here, data controller, accountability, for example, data controller's responsible for protection of data holdings in accordance with regulatory requirements, these are the sorts of things that we find present in virtually every form of privacy legislation encountered. More to the point though, these are the kinds of things that must translate into functional and non-functional requirements for any program that will be handling the type of data for which these rules were placed.

So we have the privacy Safe Harbor. Fundamental to the collection use and disclosure is the ability to capture all of the elements, but also to identify those and remove them when necessary to produce a Safe Harbor. The idea of the Safe Harbor is to ensure that the information containing these elements is secured, protected during its collection use and disclosure activities through all states. They include the standards that we see here: notice, choice, onward transfer, security, rules about data integrity, rules governing access and how it will be granted if it is, and then how it will be enforced. And these relate back to the standards that you saw on the slide with the OECD Guidelines.

In recent years, many new privacy laws have been passed, and many countries around the world now have them, where before, they may not have. But with the advent of the internet spanning the globe and more and more companies going online, and larger and larger companies being brought under scrutiny for how they collect, use, and disclose personally identifiable information, the subject of privacy has gained worldwide attention, and in some cases, alarm on the part of their governments.

Now, in nearly all of the questions regarding where these laws are, let's examine a few specific examples. We have the California Consumer Privacy Act, which was enacted in 2018; we have the yet-to-be-enacted California Privacy Rights Act to be enacted in 2023; the EU GDPR enacted in 2018; and the Egyptian Personal Data Protection Law. The US and the EU organizations, NIST and ISO, have also been very quite busy. The ISO has passed the 27018, which is about handling PII in the cloud, as guidance for data controllers. NIST has done likewise.

For us in this particular course, we pay attention to the NIST special publication, 800-64, and the security and privacy considerations in the software development lifecycle. And for those systems that will end up in cloud deployment, the special publication, 800-144, which provides guidelines for privacy and security protection in the cloud environment. Now, these laws and these guidelines all talk about the same conditions that have to be met, including ensuring a Safe Harbor state can be put into place, that identification, classification, and categorization of the information can be performed competently, and that the necessary controls, both proactive and reactive, can be put in place and function correctly.