Data Ownership and Unauthorized Data Sharing – CompTIA Security+ SY0-401: 2.2

If you’ve partnered with another organization, there will probably be data that is shared between you and the third-party. In this video, you’ll learn how to manage data between parties and what can happen when shared data is not properly secured.

<< Previous Video: Risk Awareness with Third-PartiesNext: Data Backups with Third-Parties >>

We’ve talked a lot in this video series about the ownership of data. That’s because who owns the data is an extremely important aspect, especially when working with a third-party. When there’s more than one person involved, you have to know who the ownership of the data happens to be. Is part of the ownership owned by one person, and part of the ownership of the data by another person? This is one of the problems that has to be resolved prior to putting the partnership in place. That’s why in the very beginning of creating the business relationship, there needs to be a clear line of delineation and understanding about who owns the data. You also have to understand what happens to the data once the business relationship is over. And ultimately, if the data does need to be destroyed, what is the process in place and who handles the destroying of that data.

When you’re in a third party relationship. There is certainly going to be data that’s shared between the organizations. There’s probably going to be network connections in place so that this data can be shared very easily. And you do have to make sure the proper controls are in place. If you’re accessing data at a third-party, you should only be able to access the data that’s important for your particular business function. You should not be able to access other types of data or even other systems at the third-party organization. So it’s very important that you are able to audit and ensure that these data controls are in place.

If this data is not being shared with a partner, but is instead being shared with someone else who might be outside of the organization, there’s usually an agreement in place with the owners of the data so that if you’re providing this data to someone, what’s going to happen to that data later on. Sometimes data is shared without the explicit permission of the end user. And in those cases, it’s usually a terms of service or privacy policy that makes the determination of how that data is to be shared.

Sometimes data is shared with others accidentally. This happened when Facebook announced in 2013 that for the past year, information was made available for over six million users that was beyond the scope of what those users wanted to share. There was email and telephone numbers and other information that were at risk. This accidental data sharing occurred because of a feature in Facebook that allowed you to download your friends list and have that list local on your computer. What many people didn’t realize is that behind the scenes, Facebook was going to third-party databases and getting email addresses and phone numbers that were also associated with you, even though you didn’t explicitly provide that information to Facebook. And when your friends downloaded the friends list, that information was also downloaded along with that friends list.

It’s these types of security controls and privacy concerns that should be thought about and considered, especially when sharing data with third parties.