PII & NIST, two great tastes that go great together!
Protecting Personally Identifiable Information (PII) is an issue that continues to grow in importance for individuals, companies big and small, multi-national corporations and governments. PII is defined as ‘information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc’.
It is in the news often (and it seems daily lately), as you can see from a few headlines I pulled through a quick search of breaches that occurred this week:
- Massive Data Breach in South Korean Portal Affects 35 Million Users
- EMC Foots a $66 Million Bill for RSA Attack
- UNLV Admits a Possible 2008 Security Breach
The National Institute of Standards & Technology’s (NIST) take on it
Regarding these seemingly daily breaches, there is a newly proposed NIST set of Security and Privacy standards, due to be published as Appendix J: Security and Privacy Controls for Federal Information Systems and Organizations in the NIST Special Publication 800-5 document in December, 2011. It is worth a close look at how the government is tackling this sticky problem. Since the Appendix has its own review cycle, separate from the review of the entire document, one can surmise that the government is taking it very seriously.
So what is covered in this Appendix and can we apply it to the issues facing the Private Sector as well as the Public Sector?
The NIST approach is risk based: identifying and managing the risk factors in PII is crucial. First, it suggests examining the existing data against the PII criteria, all the way down to the individual data fields. This covers data directly under an organization’s control, including data used by contractors or stored and made available in a virtual environment. Two types of data are defined, ‘Linked Data’ and ‘Linkable Data.’
Linked Data is data already associated with other PII, whereas Linkable Data (currently “unlinked”) can conceivably be combined with other information to identify a specific individual. Not all PII is equal either, so it should be rated on a defined ‘PII confidentiality impact level.’ This level is determined by the amount of harm that could result from a breach of the information. The suggested rating levels are low (limited adverse effect), medium (serious adverse effect) and high (severe or catastrophic adverse effect). The point the document raises is that a combination (‘linked data’) of lower rated pieces of information can cause a serious, high-impact breach, such as ‘mother’s maiden name, place of birth and birth-date.’ In most states these three pieces of information will get you a birth certificate. Thus information marked as low, if combined the right way, can be a much higher risk and might warrant a higher rating. When determining the PII impact level, this is of critical importance to keep in mind.
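As an added illustration of the rating logic described above (example code, not from the NIST appendix or the original post), the function below rates a record from its individual field ratings and then checks whether any set of low-rated fields that is fully present, such as the birth-certificate trio, pushes the record to a higher level. The per-field ratings and the second combination rule are assumptions for the example.

```python
# Constructed per-field ratings (assumed, not the NIST appendix's own). Ordering: low < medium < high.
LEVELS = {"low": 1, "medium": 2, "high": 3}
FIELD_IMPACT = {
    "email": "low",
    "full_name": "low",
    "birth_date": "low",
    "place_of_birth": "low",
    "mothers_maiden_name": "low",
    "ssn": "high",
    "biometric_template": "high",
}

# Sets of individually low-rated fields that, held together, become linkable to one
# specific individual and so deserve a higher combined rating. The first entry is the
# birth-certificate case from the text; the second is an assumed extra rule.
LINKABLE_COMBINATIONS = [
    (frozenset({"mothers_maiden_name", "place_of_birth", "birth_date"}), "high"),
    (frozenset({"full_name", "birth_date"}), "medium"),
]


def assess_impact(fields):
    """Return (impact_level, reasons) for a record holding the given field names.

    Fails closed: a field with no rating raises instead of silently counting as low.
    """
    present = set(fields)
    unrated = present - set(FIELD_IMPACT)
    if unrated:
        raise ValueError(f"unrated fields: {sorted(unrated)}")
    # Every individual rating contributes, then every linkable combination that is
    # fully present contributes too; the record takes the highest of them all.
    contributions = [(FIELD_IMPACT[f], f) for f in sorted(present)]
    for combo, combo_level in LINKABLE_COMBINATIONS:
        if combo <= present:
            contributions.append((combo_level, "+".join(sorted(combo))))
    level = max((lvl for lvl, _ in contributions), key=LEVELS.__getitem__, default="low")
    reasons = [why for lvl, why in contributions if lvl == level]
    return level, reasons


if __name__ == "__main__":
    # Four fields each rated low on their own, but three of them together reach high.
    print(assess_impact(["email", "birth_date", "place_of_birth", "mothers_maiden_name"]))
```

The `reasons` list is what makes the rating reviewable: it names the exact fields or combination that drove the record to its level.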
The NIST document also provides recommendations on how much PII should be collected by an organization or agency. Making sure that redundant and non-essential information is not collected and stored also reduces the amount of risk being taken on. For example, if you have already collected the email address, can it be verified and referred to instead of collected again?
How long PII is retained also carries its own risk, so it is highly recommended to regularly determine what can be purged from the system. Literally, put this on your schedule and make it a repeated activity!
Also extremely important is Access Control: Who has access? Do they need it, and for how long? In most cases the math is simple: the fewer people with access to PII, the less risk there is. If employees need access only to certain data for a project, give them limited access and an end date instead of the ‘keys to the kingdom.’ This is a good time to mention governance and training. Comprehensive policies for handling PII, and using them to train employees to handle the data correctly with as little risk of exposure as possible, also lessen the chance that a ‘mistake’ or other incident will happen.
These fall under the common control areas:
- Access Control
- Separation of Duties (SOD)
- Least Privilege
- Remote Access
- Auditable Events, Monitoring and Reporting
Basically, how do we minimize risk to our customers, organizations, etc. while still being able to get the job done well?
The Appendix also discusses minimizing PII in another way that is important in organizations large and small. Instead of using complete data for environments other than ‘Production,’ strip the data or ‘sanitize’ it for use. Remove, as far as possible, any fields that would identify the person the record refers to. This means removing PII while still being able to develop and test with valid ‘production-like’ data sets.
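One way to produce such a ‘production-like’ copy, as an added example that is not part of the original post or the NIST text: fields that identify a person are dropped, identifiers that tests still need for joins are replaced by a keyed hash (HMAC) whose key stays in production, non-PII fields are copied through, and any field the policy does not know is dropped rather than kept. The policy table, the sample rows and the residual-PII patterns are constructed for the example.

```python
import hashlib
import hmac
import re

# Per-field handling for a non-production copy (assumed policy, not the NIST text's):
#   drop - removed entirely; pseudonymize - replaced by a keyed hash so joins between
#   tables still line up; keep - carries no PII, copied as-is. Fields missing from the
#   policy are dropped, so a newly added PII column cannot leak by default.
POLICY = {
    "customer_id": "pseudonymize",
    "email": "pseudonymize",
    "full_name": "drop",
    "ssn": "drop",
    "plan": "keep",
    "signup_month": "keep",
}
# Shapes that must never survive: a US SSN pattern or anything with an e-mail '@'.
RESIDUAL_PII = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|@")

def pseudonymize(value, key):
    # HMAC rather than a bare hash: without the key the token cannot be brute-forced
    # back to the e-mail or id. The key stays in production and never ships with the copy.
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]

def sanitize_record(record, key):
    out = {}
    for name, value in record.items():
        action = POLICY.get(name, "drop")
        if action == "keep":
            out[name] = value
        elif action == "pseudonymize":
            out[name] = pseudonymize(value, key)
    return out

def sanitize_dataset(records, key):
    sanitized = [sanitize_record(r, key) for r in records]
    # Independent check on the output, separate from the policy that produced it.
    for r in sanitized:
        for value in r.values():
            if RESIDUAL_PII.search(str(value)):
                raise ValueError(f"residual PII in sanitized output: {value!r}")
    return sanitized

# Constructed sample records, not real data; the same customer appears in both rows.
SAMPLE = [
    {"customer_id": 1001, "email": "a.user@example.com", "full_name": "A. User",
     "ssn": "123-45-6789", "plan": "gold", "signup_month": "2011-06", "notes": "vip"},
    {"customer_id": 1001, "email": "a.user@example.com", "full_name": "A. User",
     "ssn": "123-45-6789", "plan": "basic", "signup_month": "2011-07"},
]
```

Because the same key is used for the whole copy, the two rows for one customer still share the same token, so foreign keys and de-duplication tests behave as they do in production.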
Lastly, the document recommends having a plan for when a breach happens, not if it happens. The plan should include initial notification of responsible and concerned parties, assessing the possible impact to the company and individuals, and how to handle the different scenarios that might occur. The time to plan is in advance, not in the moment. Things that seem basic can sometimes get overlooked during a crisis unless they are documented in a checklist and test-driven in advance.
In summation, the NIST document is for use as a guideline outside of the Government and at times inside. Your mileage may vary depending upon the regulatory laws that govern your business or organization and even your country.
Questions, comments or concerns? Feel free to reach out to us below or at IDMWORKS