Customers in industry segments from financial services to healthcare have struggled to protect personally identifiable information (PII). Now the National Institute of Standards and Technology (NIST) has released guidelines to help manage the process of securing PII. Special Publication 800-122, titled “Guide to Protecting the Confidentiality of Personally Identifiable Information”, helps customers identify, classify and apply appropriate levels of protection to PII.
The document recommends a risk-based approach in which resources and controls are focused on the most critical information. It also suggests controls for each level of protection and provides guidance on developing incident response plans for use in the event of a breach.
A key step in making such a risk-based approach work is identifying PII and classifying the data appropriately. NIST recommends the following steps for organizations:
o Identify all PII residing in their environments. Examples of PII include full names; identification numbers such as Social Security numbers, driver’s license numbers or account numbers; addresses; and personal characteristics such as photographs or biometric data.
o Limit the collection and retention of PII to what is necessary for the mission. Only the information that is necessary to meet business requirements should be collected, and that should be purged when not needed. Disposal should be done in accordance with retention schedules approved by the National Archives and Records Administration, as well as with any litigation holds placed on information.
o Classify PII by its impact level. The guidelines define impact as low, moderate or high, depending on the potential harm to the individual or agency if the information is lost or disclosed. Factors to consider include how distinguishable the personal information is, how it is organized and used, and how accessible it is.
o Apply the appropriate safeguards based on the impact level. Some PII, such as public directories, is not considered confidential and does not need to be protected. Customers should create policies and procedures for protecting PII that is confidential, conduct training on these policies, de-identify PII where possible (remove or mask data elements so the record is less identifiable), use access controls and encryption to protect the data, and audit access and other events.
o Develop an incident response plan for PII breaches, including how and when individuals affected are to be notified, when a breach should be reported publicly and what remedial services such as credit monitoring should be offered to potential victims.
o Encourage close coordination between privacy officers, chief information officers, information security officers and legal counsel in addressing PII issues.
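The identification, minimization, classification and safeguard steps above can be turned into a small, repeatable triage routine. The following is an added example written for this post, not code from NIST or from SP 800-122: the sample records are constructed, the identifier patterns (US-style SSN and a plain digit-run account number), the field names treated as quasi-identifiers, and the mapping from "direct identifier present" to high, "combination of quasi-identifiers" to moderate and "work-directory fields only" to low are all assumptions made for illustration, and an organization would substitute its own impact assessment.

```python
import re

# Constructed sample records for the example (invented data, not real people).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
     "address": "1 Main St, Springfield"},
    {"name": "John Roe", "phone": "555-0100", "office": "Room 204"},   # directory-style entry
    {"name": "Alex Poe", "address": "9 Elm St, Shelbyville", "dob": "1980-01-02"},
    {"ticket": "INC-42", "summary": "printer jam"},                    # no PII at all
]

# Direct identifiers recognised by value format (assumption: US-style formats).
DIRECT_ID_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "account_number": re.compile(r"^\d{10,16}$"),
}
# Fields treated as quasi-identifiers by name (assumption: this dataset's naming convention).
QUASI_ID_FIELDS = {"name", "address", "dob", "email", "phone"}
# Fields that make up a public work directory entry, which SP 800-122 treats as
# an example of PII that is not confidential.
PUBLIC_DIRECTORY_FIELDS = {"name", "phone", "office"}


def find_pii(record):
    """Step 1: identify PII. Returns (direct identifier fields, quasi-identifier fields)."""
    direct, quasi = set(), set()
    for key, value in record.items():
        if isinstance(value, str) and any(p.match(value) for p in DIRECT_ID_PATTERNS.values()):
            direct.add(key)
        if key in QUASI_ID_FIELDS:
            quasi.add(key)
    return direct, quasi


def minimize(record, required_fields):
    """Step 2: limit collection/retention to the fields the business purpose needs."""
    return {k: v for k, v in record.items() if k in required_fields}


def classify_impact(record):
    """Step 3: assign an impact level (none/low/moderate/high) using distinguishability
    as the deciding factor. The thresholds here are an illustrative assumption."""
    direct, quasi = find_pii(record)
    if not direct and not quasi:
        return "none"
    if direct:
        return "high"          # a direct identifier alone singles out one person
    if set(record) <= PUBLIC_DIRECTORY_FIELDS:
        return "low"           # public directory information, not confidential
    if len(quasi) >= 2:
        return "moderate"      # several quasi-identifiers together are distinguishing
    return "low"


def mask_direct_identifiers(record):
    """Step 4 (one safeguard): de-identify by masking all but the last four characters
    of each direct identifier, so the record is less identifiable at rest."""
    direct, _ = find_pii(record)
    masked = dict(record)
    for key in direct:
        value = masked[key]
        masked[key] = "*" * (len(value) - 4) + value[-4:]
    return masked


def triage(records):
    """Run the pipeline over a batch and return (impact level, safeguarded record) pairs."""
    results = []
    for rec in records:
        level = classify_impact(rec)
        safe = mask_direct_identifiers(rec) if level == "high" else rec
        results.append((level, safe))
    return results


if __name__ == "__main__":
    for level, rec in triage(SAMPLE_RECORDS):
        print(f"{level:8s} {rec}")
```

Running the script prints one line per record with its impact level and, for high-impact records, the masked form. Classification is deliberately separated from the safeguards so that the impact thresholds can be reviewed by the privacy officer and legal counsel independently of the technical controls applied by the security team.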
We have helped many customers successfully implement such risk based information security plans. This new work from NIST will hopefully raise the awareness and increase visibility as well as help illustrate the payback associated with carrying out an information protection plan.