It is not new that organizations are starting to focus on protecting their data instead of simply looking at the packets going in and out through their perimeter firewalls. Different regulations mandate data security: PCI protects credit card data, HIPAA protects patient-related data, and the Veterans Identity and Credit Security Act of 2006 protects US military veterans, just to name 3 of the few dozen US and international data protection policies.
The term "data" represents different types of information and records: PHI, PII, NPI, PCI, and IP, to name a few. As the number of data breaches continues to climb, and as lawmakers, standards committees and the industry mature, guideline documents are being created that provide a comprehensive framework and rules for data protection. Personally Identifiable Information (PII) protection was somewhat neglected, but recently several documents focusing on PII protection were released.
NIST recently published a draft of a PII guide (NIST 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)), which contains recommendations intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies. The Department of Homeland Security (DHS) released its own version of such a guide earlier. The DHS Handbook for Safeguarding Sensitive Personally Identifiable Information sets minimum standards for how all personnel should handle Sensitive PII at DHS.
I am excited about every new data protection regulation (I need to make a living, you know) and believe that good government regulatory control is a blessing, but I also find the different guidelines and regulations to be insufficient, somewhat contradictory, and too vague.
For example, consider the definition of PII:
NIST
"information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
DHS
"Any information that permits the identity of an individual to be directly or indirectly inferred, including any information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department."
The definitions are close, but not close enough. What should be protected? While it looks like the NIST document is more comprehensive and references NIST 800-53, it is not clear HOW and WHEN to protect the data.
Some say that when you hear that the government is going to help, that's when you should really be worried. I know it's not a popular statement these days, but in my opinion, in the case of data protection, I think this saying will be proven false, and that these standards, regulations, baselines, industry groups, etc. will help substantially.
Stay tuned.
