[ISN] ITL Bulletin for April 2010

From: InfoSec News <alerts_at_private>
Date: Thu, 29 Apr 2010 00:06:56 -0500 (CDT)
ITL BULLETIN FOR APRIL 2010

ITL BULLETIN FOR APRIL 2010
GUIDE TO PROTECTING PERSONALLY IDENTIFIABLE INFORMATION
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce

Federal organizations maintain significant amounts of information about 
individuals and have a special responsibility to protect that 
information from loss and misuse. Security incidents involving 
personally identifiable information can result in considerable harm, 
embarrassment, and inconvenience to the individual and may lead to 
identity theft or other fraudulent use of the information. Organizations 
can experience a loss of public trust, legal liability, or remediation 
costs.

Personally identifiable information (PII) is any information about an 
individual that is maintained by an agency, including information that 
can be used to distinguish or trace an individual's identity, such as 
name, social security number, date and place of birth, mother's maiden 
name, or biometric records; and any other information that is linked or 
linkable to an individual, such as medical, educational, financial, and 
employment information (based on General Accountability Office and 
Office of Management and Budget definitions).

Concerns about the security of PII have been raised over the past few 
years as some federal agencies have reported the loss or theft of 
equipment containing personal information or unauthorized access to 
information on agency systems.


Federal Requirements to Protect Information and Information Systems

The Privacy Act of 1974 and the E-Government Act of 2002 establish 
federal agency responsibilities to protect personal information, and to 
ensure its security. Under the Federal Information Security Management 
Act (FISMA) of 2002, federal agencies must develop, document, and 
implement programs to protect their information and information systems. 
This policy applies to the systems that support the operations and 
assets of the agency, and includes those systems provided or managed by 
another agency, contractor, or other source. FISMA calls for agencies to 
apply a risk-based policy to achieve cost-effective results for the 
security of their information and information systems.

Standards and guidelines developed by the Information Technology 
Laboratory of the National Institute of Standards and Technology (NIST) 
assist agencies in carrying out effective information security programs 
based on the management of risk. Federal Information Processing Standard 
(FIPS) 199, Standards for Security Categorization of Federal Information 
and Information Systems, specifies that federal organizations categorize 
their information and information systems based on the potential impact 
on the organization should adverse events occur which could jeopardize 
the information and information systems needed by the organization to 
accomplish its mission, protect its assets, fulfill its legal 
responsibilities, maintain its day-to-day functions, and protect 
individuals.

FIPS 200, Minimum Security Requirements for Federal Information and 
Information Systems, helps organizations use the categorization results 
obtained under FIPS 199 to designate their information systems as 
low-impact, moderate-impact, or high-impact for the security objectives 
of confidentiality, integrity, and availability. For each information 
system, agencies then select an appropriate set of security controls 
from NIST Special Publication (SP) 800-53, Revision 3, Recommended 
Security Controls for Federal Information Systems and Organizations, to 
satisfy their minimum security requirements.

NIST has developed the Risk Management Framework (RMF) to guide agencies 
through a structured process to identify the risks to the information 
systems, assess the risks, and take steps to reduce risks to an 
acceptable level. NIST SP 800-37, Revision 1, Guide for Applying the 
Risk Management Framework to Federal Information Systems: A Security 
Life Cycle Approach, explains the basic concepts to be applied to the 
management of security risks to information systems. It covers planning 
and building information security capabilities into information systems 
throughout the system life cycle; implementing up-to-date management, 
operational, and technical security controls; and maintaining awareness 
of the security condition of information systems through improved 
monitoring.

The Office of Management and Budget (OMB) has issued guidance concerning 
agency responsibilities to protect information, including actions that 
agencies should take to protect personally identifiable information from 
unauthorized use, access, disclosure, or sharing. In addition, OMB has 
issued requirements for reporting security breaches and the loss or 
unauthorized access of personally identifiable information, and has 
directed agencies to develop policies for notifying those affected by 
such breaches.


NIST Special Publication 800-122, Guide to Protecting the 
Confidentiality of Personally Identifiable Information (PII)

NIST recently issued SP 800-122, Guide to Protecting the Confidentiality 
of Personally Identifiable Information (PII), to assist federal agencies 
in carrying out their responsibilities to protect PII in information 
systems. Written by Erika McCallister, Tim Grance, and Karen Scarfone of 
NIST, the publication discusses how to identify PII and protect the 
confidentiality of PII as part of the organization's information 
security procedures. The guide also explains the importance of 
protecting the privacy of the individuals whose personal information is 
kept by the organization, as required by federal laws and in accordance 
with Fair Information Practices.

A section of the guide outlines the factors to be considered when 
determining the impact level for the security objective of 
confidentiality of the PII. The guide explains the need to determine the 
PII confidentiality impact level, taking into account additional 
requirements for protecting personal information.

Other topics covered in the guide include the operational safeguards, 
privacy-specific safeguards, and security controls that should be 
applied as part of the organization's risk-based approach for protecting 
the confidentiality of PII; the development of policies and procedures 
for protecting PII; the establishment of training and awareness programs 
for staff members; and the development of policies and procedures for 
handling security incidents involving PII.

The appendices to the guide provide detailed information on scenarios 
for PII identification and handling; frequently asked questions (FAQs); 
terms and definitions for PII; Fair Information Practices; a glossary; 
explanation of acronyms and abbreviations; and a reference list of 
additional resources for protecting PII.

NIST SP 800-122 is available from NIST.s Web page 
http://csrc.nist.gov/publications/PubsSPs.html.


NIST's Recommendations to Organizations for Protecting PII

NIST recommends that organizations take the following steps to protect 
their PII:


Identify all PII residing in the organizational environment.

All PII should be identified on all systems, including databases, shared 
network drives, backup tapes, and sites maintained by contractors. 
Examples of PII include, but are not limited to:

* Name, such as full name, maiden name, mother's maiden name, or alias;

* Personal identification number, such as social security number (SSN), 
  passport number, driver.s license number, taxpayer identification 
  number, or financial account or credit card number;

* Address information, such as street address or email address;

* Personal characteristics, including photographic image, especially a 
  face image or other identifying characteristic; fingerprints; 
  handwriting; or other biometric data, such as retina scan, voice 
  signature, and facial geometry; and

* Information about an individual that is linked or linkable to one of 
  the above categories, such as date of birth, place of birth, race, 
  religion, weight, activities, geographical indicators, employment 
  information, medical information, education information, and financial 
  information.


Minimize the use, collection, and retention of PII to what is strictly 
necessary to accomplish their business purpose and mission.

The likelihood of harm caused by a breach involving PII is greatly 
reduced if an organization minimizes the amount of PII that it uses, 
collects, and stores. For example, an organization should only request 
PII in a new form if the PII is absolutely necessary. Also, an 
organization should regularly review its holdings of previously 
collected PII to determine whether the PII is still relevant and 
necessary for meeting the organization.s business purpose and mission. 
Disposal of PII should be conducted in accordance with National Archives 
and Records Administration (NARA) and specific agency requirements.

OMB (see Memorandum M-07-16 in the More Information section below) 
specifically requires agencies to:

* Review current holdings of PII and ensure they are accurate, relevant, 
  timely, and complete;

* Reduce PII holdings to the minimum necessary for proper performance of 
  agency functions;

* Develop a schedule for periodic review of PII holdings; and

* Establish a plan to eliminate the unnecessary collection and use of 
  social security numbers (SSNs).


Categorize all PII by the PII confidentiality impact level.

All PII should be evaluated to determine the PII confidentiality impact 
level. This assessment helps the organization apply appropriate 
safeguards for PII. The PII confidentiality impact level (low, moderate, 
or high) indicates the potential harm that could result to the subject 
individuals and/or the organization if PII were inappropriately 
accessed, used, or disclosed, and may be different from the 
confidentiality impact levels that are determined by the application of 
FIPS 199. When the PII confidentiality impact level is determined, it is 
used to supplement the provisional confidentiality impact level, which 
was determined using the FIPS 199 processes. Organizations should decide 
which factors they will use to determine the PII confidentiality impact 
level, and should create and implement appropriate policy, procedures, 
and controls.

Examples of factors to be considered include:

* How easily PII can be used to identify specific individuals. For 
  example, an SSN uniquely and directly identifies an individual, but a 
  telephone area code identifies a set of people.

* How many individuals can be identified from the PII. Breaches of 25 
  records and 25 million records may have different impacts. The PII 
  confidentiality impact level may be raised but should not be lowered 
  based on this factor.

* Evaluation of the sensitivity of each individual PII data field. For 
  example, an individual's SSN or financial account number is generally 
  more sensitive than an individual's phone number or ZIP code. 
  Organizations should also evaluate the sensitivity of the PII data 
  fields when the data from different fields is combined.

* Evaluation of the context of use of the PII. The context of use is the 
  purpose for which the PII is collected, stored, used, processed, 
  disclosed, or disseminated. The context of use may result in the same 
  PII data elements being assigned to different PII confidentiality 
  impact levels based on their use. For example, an organization may 
  have two lists that contain the same PII data fields, such as name, 
  address, and phone number. The first list may be composed of people 
  who subscribe to a general-interest newsletter produced by the 
  organization, and the second list may be composed of people who work 
  undercover in law enforcement. If the confidentiality of the lists is 
  breached, the potential impacts to the affected individuals and to the 
  organization are significantly different for each list.

* Obligations to protect confidentiality. Organizations should consider 
  their specific obligations to protect PII when determining the PII 
  confidentiality impact level. Obligations to protect PII are specified 
  in laws, regulations, and other mandates, including the Privacy Act 
  and OMB guidance. Federal agencies, such as the Census Bureau and the 
  Internal Revenue Service (IRS), are subject to specific legal 
  requirements to protect certain types of PII.

* Access to and location of PII. Organizations may choose to take into 
  consideration the nature of authorized access to and the location of 
  PII. When PII is accessed more often or by more people and systems, or 
  the PII is regularly transmitted or transported off-site, then there 
  are more opportunities for the confidentiality of the PII to be 
  compromised.


Apply the appropriate safeguards for PII based on the PII 
confidentiality impact level.

Organizations should apply appropriate safeguards to protect the 
confidentiality of PII based on the PII confidentiality impact level. 
Safeguards may differ based on the confidentiality impact level. PII, 
such as the public phone directory, does not have to be protected for 
confidentiality when the organization has permission or authority to 
release such information publicly. NIST recommends using operational 
safeguards, privacy-specific safeguards, and security controls, such as:

* Developing comprehensive policies and procedures for protecting the 
  confidentiality of PII.

* Requiring that all individuals receive appropriate training before 
  being granted access to systems containing PII to reduce the 
  possibility that PII will be accessed, used, or disclosed 
  inappropriately.

* De-identifying records by removing enough PII so that the remaining 
  information does not identify an individual and there is no reasonable 
  basis to believe that the information can be used to identify an 
  individual. De-identified records can be used when full records are 
  not necessary, such as for examinations of correlations and trends.

* Controlling access to PII through access control policies and access 
  enforcement mechanisms, such as access control lists.

* Prohibiting or strictly limiting access to PII from portable and 
  mobile devices, such as laptops, cell phones, and personal digital 
  assistants (PDAs), which are generally higher-risk than non-portable 
  devices, such as desktop computers at the organization's facilities.

* Protecting the confidentiality of transmitted PII. This can be 
  implemented by encrypting the communications or by encrypting the 
  information before it is transmitted.

* Monitoring events that affect the confidentiality of PII, such as 
  inappropriate access to PII.


Develop an incident response plan to handle breaches involving PII.

Breaches involving PII are hazardous to both individuals and 
organizations. Harm to individuals and organizations can be contained 
and minimized through the development of effective incident response 
plans for breaches involving PII. Organizations should develop plans 
that include elements such as determining when and how individuals 
should be notified, how a breach should be reported, and whether to 
provide remedial services, such as credit monitoring, to affected 
individuals.


Encourage close coordination among chief privacy officers, senior agency 
officials for privacy, chief information officers, chief information 
security officers, and legal counsel when addressing issues related to 
PII.

To protect the confidentiality of PII effectively, organizations need a 
comprehensive understanding of their information systems, information 
security, privacy, and legal requirements. Decisions regarding the 
applicability of a particular law, regulation, or other mandate should 
be made in consultation with the organization's legal counsel and 
privacy officer since the laws, regulations, and other mandates are 
often complex and may change over time. Also, new technical security 
controls may be needed to implement and enforce new security policies 
that are adopted. Close coordination of the organization.s technical and 
legal experts helps to prevent incidents that could result in the 
compromise and misuse of PII by ensuring proper interpretation and 
implementation of requirements.


More Information on Protecting Personally Identifiable Information

Information about the following NIST publications that help 
organizations protect personally identifiable information and about 
other publications that address information security issues is available 
from NIST's Computer Security Resource Center at http://csrc.nist.gov/

Federal Information Processing Standard (FIPS) 199, Standards for 
Security Categorization of Federal Information and Information Systems

FIPS 200, Minimum Security Requirements for Federal Information and 
Information Systems

NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the 
Risk Management Framework to Federal Information Systems: A Security 
Life Cycle Approach

NIST SP 800-50, Building an Information Technology Security Awareness 
and Training Program

NIST SP 800-53A, Guide for Assessing the Security Controls in Federal 
Information Systems

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal 
Information Systems and Organizations

NIST SP 800-60, Revision 1, Guide for Mapping Types of Information and 
Information Systems to Security Categories, (Volumes 1 and 2)

NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide

NIST SP 800-64, Revision 2, Security Considerations in the System 
Development Life Cycle

Information about OMB directives to federal agencies, including the 
following, is available from the OMB Web page 
http://www.whitehouse.gov/omb/memoranda/.

OMB Memorandum M-06-15, Protecting Personally Identifiable Information

OMB Memorandum M-06-19, Reporting Incidents Involving Personally 
Identifiable Information and Incorporating the Cost for Security in 
Agency Information Technology Investments

OMB Memorandum M-07-16, Safeguarding Against and Responding to the 
Breach of Personally Identifiable Information

The General Accountability Office (GAO) has issued several reports 
concerning the threats to and protection of PII, including the following 
report available from the GAO Web page http://www.gao.gov/.

GAO Report 08-343, Protecting Personally Identifiable Information


Disclaimer

Any mention of commercial products or reference to commercial 
organizations is for information only; it does not imply recommendation 
or endorsement by NIST nor does it imply that the products mentioned are 
necessarily the best available for the purpose.


_______________________________________________
Best Selling Security Books and More!
Shop InfoSec News
http://www.shopinfosecnews.org/ 
Received on Wed Apr 28 2010 - 22:06:56 PDT

This archive was generated by hypermail 2.2.0 : Wed Apr 28 2010 - 22:19:15 PDT