NIST proposes risk-based approach to guarding personal data
Federal agencies are required under various laws, regulations and mandates to protect the privacy of citizens and secure the personally identifiable information (PII) that they hold, but this has not stopped breaches in IT systems that have potentially exposed millions of personal records.
The National Institute of Standards and Technology has outlined for agencies a risk-based approach to securing PII in the recently released draft of Special Publication 800-122, titled "Guide to Protecting the Confidentiality of Personally Identifiable Information." The guidelines lay out appropriate security controls that can be used depending on the nature of the information being protected and the likelihood of its being exposed.
NIST explains the risk-based approach to security with a quote former national security adviser McGeorge Bundy, who once told Congress, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”
Personally identifiable information generally is information that can be used to specifically identify an individual. Some types of information can pose a risk to the individual if it falls into the wrong hands by enabling identity theft or financial fraud. Its loss also can cause substantial embarrassment or worse to the organization that loses it.
To effectively protect this type of information, NIST recommends that organizations:
- Identify all PII residing in their environments. “An organization cannot properly protect PII it does not know about,” NIST says. Examples of PII include full names; identification numbers such as Social Security numbers, driver’s license numbers or account numbers; addresses; and personal characteristics such as photographs or biometric data.
- Categorize PII by its impact level. “All PII is not created equal,” NIST points out, and agencies should distinguish the “diamonds” from the “toothbrushes.” The guidelines divide information in to low, moderate or high impact levels based on the potential harm to the individual or agency. Factors to consider include how distinguishable personal information is, how it is organized and used and how accessible it is.
- Apply the appropriate safeguards based on the impact level. Some PII does not need to be protected if it is not considered confidential and can be released, such as public directories. Agencies should create policies and procedures for protecting PII, conduct training, remove data from PII where possible to make is less identifiable, use access controls and encryption and audit events.
- Limit the collection and retention of PII to what is necessary for the mission. You can’t lose what you don’t have. The Office of Management and Budget already required agencies to review and reduce their holdings on a regular basis and to create a plan to eliminate the unnecessary collection of Social Security numbers.
- Develop an incident response plan for PII breaches, including how and when individuals are to be notified, when a breach should be reportedly publicly and what remedial services such as credit monitoring should be offered.
- Encourage close coordination between privacy officers, chief information officers, information security officers and legal counsel in addressing PII issues.
NIST is soliciting public comment on the draft of SP 800-122 until March 13. Comments should be e-mailed, with “Comments SP 800-122” in the subject line.
William Jackson is a Maryland-based freelance writer.