Protecting PII is an important task. We take this task very seriously, and as leaders in this area we provided feedback on the NIST 800-122 DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
According to NIST, "800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling".
Below you can see our main comments:
- The document should recognize that some elements of PII are unique to the systems and regulatory landscape in the US, due to privacy regulations that differ from those covered in FAQ answer 2. Specifically, full names and mothers' maiden names are not as important in other countries. Agencies that collect PII in foreign countries outside of the US, and civilian organizations that will adopt NIST 800-122, should be aware of these differences.
- The document is missing a cross-regulatory reference. There are many different regulations that require the protection of PII as described by this document. I believe that it is important to list the affected and involved regulations in order to avoid an unnecessary burden on agencies that are already fully compliant.
- Appendix E--Sensitive Database Extracts Technical Frequently Asked Questions:
- (6) What information should be logged for each extract? We recommend that the document clarify that (iv) user/subject identity means both the end user performing the operation and the application user acting on behalf of this user, which is very common in a pooled-connection database scenario.
- (11) What technical methods are available for restricting where sensitive extracts are stored? We recommend using database firewall (DBFW) and database activity monitoring (DAM) systems in order to restrict access to sensitive data.
- (13) What is required for verifying a sensitive extract? We believe that NIST should recommend using a formal process that can locate, verify and monitor access to sensitive data, identify what was extracted, and provide a log of all data to be securely erased after 90 days. When automated, such a process will be more effective in protecting PII.
- (14) What other types of technical solutions could be used for sensitive extract verification and erasure? As stated by the document, the 2nd recommendation in this section (Implement centralized processing for access to sensitive databases using dumb terminals) "cannot be implemented on a large scale in the near term using current off-the-shelf components." However, there are off-the-shelf solutions available today that will provide this functionality. Combining database access controls with application access controls (WAF + DBFW) would provide the necessary functionality. We urge NIST to look at database firewall solutions and how such solutions can integrate with web application firewalls and web identity management solutions.
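The two points above about extract logging, comment (6) on recording both the pooled application account and the end user behind it, and comment (13) on keeping a log of extracted data due for secure erasure after 90 days, can be illustrated with a small audit-record model. The following is an added example written for this post, not code from NIST 800-122 or from any product; the record fields, the `validate_entry` and `overdue_for_erasure` checks, and the sample extract records are all constructed assumptions.

```python
"""Added example: extract audit log entries that carry both identities from a
pooled-connection scenario and track the 90-day secure-erasure deadline.
All field names, function names and sample records are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ERASURE_RETENTION_DAYS = 90  # retention window discussed in comment (13)


@dataclass
class ExtractLogEntry:
    extract_id: str
    timestamp: datetime
    db_account: str            # pooled application/service account the database sees
    end_user: Optional[str]    # human user on whose behalf the application acted
    source_table: str
    row_count: int
    destination: str           # where the extract was written
    erased_at: Optional[datetime] = None

    @property
    def erase_by(self) -> datetime:
        """Deadline by which the extracted data must be securely erased."""
        return self.timestamp + timedelta(days=ERASURE_RETENTION_DAYS)


def validate_entry(entry: ExtractLogEntry) -> List[str]:
    """Return the problems with an entry; an empty list means it is complete.

    The key check is that the end-user identity was propagated through the
    pooled connection: an entry that only names the service account cannot
    answer 'who extracted this?'."""
    problems = []
    if not entry.end_user:
        problems.append("missing end-user identity (only the pooled account is recorded)")
    elif entry.end_user == entry.db_account:
        problems.append("end-user identity equals the pooled account; propagation is likely broken")
    if entry.row_count <= 0:
        problems.append("row_count must be positive")
    if not entry.destination:
        problems.append("missing extract destination")
    return problems


def overdue_for_erasure(entries: List[ExtractLogEntry], now: datetime) -> List[str]:
    """IDs of extracts past their erase-by date that have not been erased."""
    return [e.extract_id for e in entries if e.erased_at is None and now > e.erase_by]


def audit_summary(entries: List[ExtractLogEntry], now: datetime) -> Dict[str, List[str]]:
    """Summarise what a reviewer of the extract log would want to act on."""
    return {
        "incomplete": [e.extract_id for e in entries if validate_entry(e)],
        "overdue": overdue_for_erasure(entries, now),
    }


# Constructed sample records (not real data); all times are UTC.
UTC = timezone.utc
SAMPLE_ENTRIES = [
    ExtractLogEntry("ext-0001", datetime(2009, 1, 10, 9, 0, tzinfo=UTC),
                    "svc_hr_app", "jdoe", "employees", 1200, r"\\fileshare\hr\q1.csv"),
    # end_user is None: the application failed to pass the real user through the pool
    ExtractLogEntry("ext-0002", datetime(2009, 3, 1, 14, 30, tzinfo=UTC),
                    "svc_hr_app", None, "employees", 50, r"C:\temp\dump.csv"),
    ExtractLogEntry("ext-0003", datetime(2009, 4, 20, 11, 0, tzinfo=UTC),
                    "svc_hr_app", "asmith", "payroll", 300, r"\\fileshare\hr\pay.csv",
                    erased_at=datetime(2009, 6, 1, tzinfo=UTC)),
]
NOW = datetime(2009, 5, 1, tzinfo=UTC)  # assumed review time for the sample

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        for problem in validate_entry(entry):
            print(f"{entry.extract_id}: {problem}")
    print("overdue for erasure:", overdue_for_erasure(SAMPLE_ENTRIES, NOW))
    print("summary:", audit_summary(SAMPLE_ENTRIES, NOW))
```

In the sample, `ext-0002` is flagged because only the pooled `svc_hr_app` account reached the log, and `ext-0001` is flagged as overdue because its 90-day window ended on 10 April 2009 and no erasure was recorded; `ext-0003` is within its window and already erased.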
More feedback? Tell NIST and us.
