Last week, DIR provided a link to an updated NIST document called Guide to Protecting the Confidentiality of Personally Identifiable Information (PII):
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
The executive summary from the NIST document follows. You can read more at the URL provided above.
Organizations should identify all PII residing in their environment.
An organization cannot properly protect PII it does not know about. This document uses a broad definition of PII to identify as many potential sources of PII as possible (e.g., databases, shared network drives, backup tapes, contractor sites). PII is "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
Examples of PII include, but are not limited to:
- Name, such as full name, maiden name, mother's maiden name, or alias
- Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number
- Address information, such as street address or email address
- Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
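To make the "identify all PII" step concrete, here is a small text scanner, added here as an example and not taken from the NIST document. It looks for three of the identifier formats listed above (SSNs, payment card numbers, email addresses), validates each candidate so that ordinary numbers are not reported (SSN area/group/serial rules that the SSA never issues, the Luhn checksum for card numbers), and records masked values so the findings report does not itself become a new store of PII. The sample text, the regular expressions, the mask format and the function names are assumptions for illustration; in practice the same logic would be run over the file shares, database exports and backups named above.

```python
"""Scan text for the identifier formats NIST lists as PII.

Added example (not code from NIST SP 800-122). The sample text is constructed;
the patterns cover SSNs, payment card numbers and email addresses only.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a fake shared-drive export. Every value below is made up.
SAMPLE_TEXT = """\
Employee: Jane Doe  SSN: 123-45-6789  DOB: 1984-07-02
Contact: jane.doe@example.org
Corporate card: 4111 1111 1111 1111 (expires 09/27)
Typo in notes: 4111 1111 1111 1112
Ticket ref: 000-12-3456 (looks like an SSN but area 000 is never issued)
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn", "card" or "email"
    masked: str    # value with all but the last four digits removed
    line: int      # 1-based line number in the scanned text


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep the last four digits so a finding can be traced without re-exposing the PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per validated PII candidate, in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("ssn", mask(m.group(0)), lineno))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("card", mask(digits), lineno))
        for m in EMAIL_RE.finditer(line):
            local, _, domain = m.group(0).partition("@")
            findings.append(Finding("email", local[0] + "***@" + domain, lineno))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind: the inventory figure an organization needs first."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line}: {f.kind} {f.masked}")
    print(summarize(scan_text(SAMPLE_TEXT)))
```

On the sample text this reports the SSN on line 1, the email address on line 2 and the valid card number on line 3, while the card number with a bad checksum and the 000-area SSN are dropped. Pattern matching alone finds only structured identifiers; names, medical or employment details and other "linkable" information in the last bullet above still need data-owner interviews and system inventories.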
Organizations should minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission.
The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores. For example, an organization should only request PII in a new form if the PII is absolutely necessary. Also, an organization should regularly review its holdings of previously collected PII to determine whether the PII is still relevant and necessary for meeting the organization’s business purpose and mission. For example, organizations could have an annual PII purging awareness day.
Organizations should categorize their PII by the PII confidentiality impact level.
Not all PII is created equal. PII should be evaluated to determine its PII confidentiality impact level, which is different from the Federal Information Processing Standard (FIPS) Publication 199 confidentiality impact level, so that appropriate safeguards can be applied to the PII. The PII confidentiality impact level (low, moderate, or high) indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed. This document provides a list of factors an organization should consider when determining the PII confidentiality impact level. Each organization should decide which factors it will use for determining impact levels and then create and implement the appropriate policy, procedures, and controls. The following are examples of factors:
- Identifiability. Organizations should evaluate how easily PII can be used to identify specific individuals. For example, a SSN uniquely and directly identifies an individual, whereas a telephone area code identifies a set of people.
- Quantity of PII. Organizations should consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts. The PII confidentiality impact level should only be raised and not lowered based on this factor.
- Data Field Sensitivity. Organizations should evaluate the sensitivity of each individual PII data field. For example, an individual's SSN or financial account number is generally more sensitive than an individual's phone number or ZIP code. Organizations should also evaluate the sensitivity of the PII data fields when combined.
- Context of Use. Organizations should evaluate the context of use, that is, the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated. The context of use may cause the same PII data elements to be assigned different PII confidentiality impact levels based on their use. For example, suppose that an organization has two lists that contain the same PII data fields (e.g., name, address, phone number). The first list is people who subscribe to a general-interest newsletter produced by the organization, and the second list is people who work undercover in law enforcement. If the confidentiality of the lists is breached, the potential impacts to the affected individuals and to the organization are significantly different for each list.
- Obligations to Protect Confidentiality. An organization that is subject to any obligations to protect PII should consider such obligations when determining the PII confidentiality impact level. Obligations to protect generally include laws, regulations, or other mandates (e.g., Privacy Act, OMB guidance). For example, some Federal agencies, such as the Census Bureau and the Internal Revenue Service (IRS), are subject to specific legal obligations to protect certain types of PII.
- Access to and Location of PII. Organizations may choose to take into consideration the nature of authorized access to and the location of PII. When PII is accessed more often or by more people and systems, or the PII is regularly transmitted or transported offsite, then there are more opportunities to compromise the confidentiality of the PII.
Organizations should apply the appropriate safeguards for PII based on the PII confidentiality impact level.
Not all PII should be protected in the same way. Organizations should apply appropriate safeguards to protect the confidentiality of PII based on the PII confidentiality impact level. Some PII does not need to have its confidentiality protected, such as information that the organization has permission or authority to release publicly (e.g., an organization's public phone directory). NIST recommends using operational safeguards, privacy-specific safeguards, and security controls, such as:
- Creating Policies and Procedures. Organizations should develop comprehensive policies and procedures for protecting the confidentiality of PII.
- Conducting Training. Organizations should reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training before being granted access to systems containing PII.
- De-Identifying PII. Organizations can de-identify records by removing enough PII such that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. De-identified records can be used when full records are not necessary, such as for examinations of correlations and trends.
- Using Access Enforcement. Organizations can control access to PII through access control policies and access enforcement mechanisms (e.g., access control lists).
- Implementing Access Control for Mobile Devices. Organizations can prohibit or strictly limit access to PII from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDA), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization's facilities).
- Providing Transmission Confidentiality. Organizations can protect the confidentiality of transmitted PII. This is most often accomplished by encrypting the communications or by encrypting the information before it is transmitted.
- Auditing Events. Organizations can monitor events that affect the confidentiality of PII, such as inappropriate access to PII.
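As an added illustration of the de-identification safeguard in the list above (example code, not from the NIST document), the following routine drops the direct identifiers from a set of records, coarsens the fields that can still point at a person when combined (date of birth to birth decade, ZIP code to its first three digits), replaces the SSN with a keyed token so that repeat records for the same person can still be correlated for trend analysis, and then checks whether any combination of the remaining fields belongs to only one record. The field names, the sample records, the generalization rules, the threshold k and the demo key are all assumptions for illustration.

```python
"""De-identify PII records and check that what remains does not single anyone out.

Added example, not code from NIST SP 800-122. Field names, sample records,
generalization rules and the demo key are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter

# Fields removed outright (assumed names).
DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "street_address"}
# Fields kept but coarsened; in combination they can still point at one person.
QUASI_IDENTIFIERS = ("dob", "zip", "dept")

# Constructed records; every value is made up. Rows 0 and 2 are the same person.
RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.org",
     "dob": "1984-07-02", "zip": "78701", "dept": "Finance", "diagnosis": "asthma"},
    {"name": "John Roe", "ssn": "987-65-4321", "email": "john@example.org",
     "dob": "1981-01-15", "zip": "78705", "dept": "Finance", "diagnosis": "none"},
    {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.org",
     "dob": "1984-07-02", "zip": "78701", "dept": "Finance", "diagnosis": "flu"},
    {"name": "Ann Poe", "ssn": "555-55-5555", "email": "ann@example.org",
     "dob": "1959-03-30", "zip": "10001", "dept": "Legal", "diagnosis": "none"},
]

# Demo key only. In practice the key lives in a separate store with its own
# access control; anyone holding it can re-link tokens to subjects.
DEMO_KEY = b"demo-key-keep-separate-from-the-data"


def pseudonym(subject_id: str, key: bytes) -> str:
    """Keyed one-way token. HMAC rather than a bare hash because the SSN space
    (under 10^9 values) is small enough to enumerate against plain SHA-256."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize(field: str, value: str) -> str:
    """Coarsen a quasi-identifier: date of birth to birth decade, ZIP to its first three digits."""
    if field == "dob":
        year = int(value[:4])
        return f"{year - year % 10}s"
    if field == "zip":
        return value[:3]
    return value


def deidentify(record: dict[str, str], key: bytes) -> dict[str, str]:
    """Drop direct identifiers, coarsen quasi-identifiers, add a keyed subject token."""
    out: dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        out[field] = generalize(field, value) if field in QUASI_IDENTIFIERS else value
    out["subject"] = pseudonym(record["ssn"], key)
    return out


def small_groups(records: list[dict[str, str]], k: int = 2) -> list[tuple[str, ...]]:
    """Quasi-identifier combinations shared by fewer than k records. Each one is a
    record the remaining fields still single out, so it needs more coarsening or suppression."""
    counts = Counter(tuple(r[f] for f in QUASI_IDENTIFIERS) for r in records)
    return [combo for combo, n in counts.items() if n < k]


DEIDENTIFIED = [deidentify(r, DEMO_KEY) for r in RECORDS]

if __name__ == "__main__":
    for r in DEIDENTIFIED:
        print(r)
    print("still unique:", small_groups(DEIDENTIFIED))
```

Two points the bullet leaves implicit. First, the HMAC key is what separates a de-identified data set from a merely pseudonymized one: whoever holds it can re-link every token to a subject, so it belongs in a separate store under different access control, and it should be destroyed once correlation across records is no longer needed. Second, the uniqueness check is the practical test for the "no reasonable basis" wording: in the sample, the three Finance records share one quasi-identifier combination, but the single Legal record born in the 1950s in ZIP 100xx is still unique after generalization and would need further coarsening or suppression before release.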
Organizations should develop an incident response plan to handle breaches involving PII.
Breaches involving PII are hazardous to both individuals and organizations. Harm to individuals and organizations can be contained and minimized through the development of effective incident response plans for breaches involving PII. Organizations should develop plans that include elements such as determining when and how individuals should be notified, how a breach should be reported, and whether to provide remedial services, such as credit monitoring, to affected individuals.
Organizations should encourage close coordination among their chief privacy officers, senior agency officials for privacy, chief information officers, chief information security officers, and legal counsel when addressing issues related to PII.
Protecting the confidentiality of PII requires knowledge of information systems, information security, privacy, and legal requirements. Decisions regarding the applicability of a particular law, regulation, or other mandate should be made in consultation with an organization’s legal counsel and privacy officer because relevant laws, regulations, and other mandates are often complex and change over time. Additionally, new policies often require the implementation of technical security controls to enforce the policies. Close coordination of the relevant experts helps to prevent incidents that could result in the compromise and misuse of PII by ensuring proper interpretation and implementation of requirements.