Protection of PII and Confidentiality Safeguards


PII is “any information about an individual maintained by an organization, including
1.     Any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, or biometric records; and
2.     Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” [GAO Report 08-536/NIST-800-122]

Organizations are required to identify all PII residing within the organization or under its control, and should use a variety of techniques to do so. Techniques for identifying PII include reviewing system documentation, using Data Loss Prevention (DLP) technologies such as automated PII network monitoring tools, and checking with system and data owners. Organizations should also ensure that retired hardware no longer contains PII and that proper sanitization techniques have been applied. [NIST-800-122]
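The pattern matching that DLP and PII discovery tools perform can be illustrated with a small scanner. The following is an added example, not code from NIST SP 800-122 or from any DLP product; the sample text is constructed, and the detector set (US SSNs with the SSA's never-issued ranges excluded, email addresses, and payment-card numbers validated with the Luhn check digit) is a deliberately limited illustration of the technique:

```python
"""Scan text for common PII patterns. Added example; the sample text and the
set of detectors are assumptions for illustration, not from NIST SP 800-122."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    offset: int


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives from ticket/part numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Return every plausible PII hit in offset order."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            findings.append(Finding("ssn", m.group(0), m.start()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group(0), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding("card", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample input: fictitious person, a test card number, and two
# decoys that a naive digit-pattern regex would report as PII.
SAMPLE = (
    "Applicant: Jane Roe, SSN 219-09-9999, contact jane.roe@example.com. "
    "Card on file 4111 1111 1111 1111 (test number). "
    "Ticket ref 000-12-3456 is not an SSN, and 1234 5678 9012 3456 fails Luhn."
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f.kind:5} at {f.offset:3}: {f.value}")
```

A scanner like this is only a first pass: it finds structured identifiers and misses free-text PII such as names and addresses, so its output should be confirmed with system and data owners rather than treated as a complete inventory.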

Determine PII Confidentiality Impact Levels


There are several factors an organization should consider when determining the impact of a loss of confidentiality of PII. The factors should be weighed together, since they interact and jointly determine the impact level. [NIST-800-122]

1.     Identifiability: Evaluate how easily the PII can be used to identify specific individuals.

2.     Quantity of PII: Consider how many individuals are identified in the information (for example, the number of records).

3.     Data Field Sensitivity: Evaluate the sensitivity of each individual PII data field. An individual’s Social Security number, medical information, or financial account information is generally considered more sensitive than, say, a telephone number.

4.     Context of Use: The purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated.

5.     Obligation to Protect Confidentiality: Many organizations are subject to laws, regulations, or other mandates governing the obligation to protect PII, such as the Privacy Act of 1974, HIPAA (1996), and the GDPR.

6.     Access to and Location of PII: Consider the nature of authorized access to the PII, and whether the PII is stored on or accessed from systems outside the direct control of the organization.



Table 1: Potential impact of a security breach, i.e. a loss of confidentiality, integrity, or availability (CIA) [FIPS-199/NIST-800-122]

Potential Impact: LOW
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. For example, the loss might:
i.     Cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced
ii.    Result in minor damage to organizational assets
iii.   Result in minor financial loss
iv.    Result in minor harm to individuals

Potential Impact: MODERATE
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. For example, the loss might:
i.     Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced
ii.    Result in significant damage to organizational assets
iii.   Result in significant financial loss
iv.    Result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries

Potential Impact: HIGH
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. For example, the loss might:
i.     Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions
ii.    Result in major damage to organizational assets
iii.   Result in major financial loss
iv.    Result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries




Safeguards for Confidentiality


PII should be protected through a combination of measures: operational safeguards, privacy-specific safeguards, and security controls. Organizations should use a risk-based approach, selecting protections proportionate to the PII confidentiality impact level determined above. [NIST-800-122]

1.     Operational Safeguards
a.      Create Policies and Procedures covering
       i.     Access rules for PII within a system
       ii.    PII retention schedules and procedures
       iii.   Privacy in the system development life cycle process
       iv.    Limitation of collection, disclosure, sharing, and use of PII
       v.     PII incident response and data breach notification
       vi.    Consequences for failure to follow privacy rules of behavior
b.     Awareness, Training, and Education covering
       i.     The definition of PII
       ii.    Applicable privacy laws, regulations, and policies
       iii.   Roles and responsibilities for using and protecting PII
       iv.    Appropriate disposal of PII
       v.     Sanctions for misuse of PII
       vi.    Recognition of a security or privacy incident involving PII
       vii.   Roles and responsibilities in responding to and reporting PII-related incidents

2.     Privacy-Specific Safeguards
a.      Minimize the Use, Collection, and Retention of PII
A basic fair information practice is to minimize the use, collection, and retention of PII. Organizations should limit the total amount of PII they use, collect, and maintain, as well as the types and categories of PII, to what the current business purpose requires, and should retain PII only as long as that purpose requires.
b.     Conduct Privacy Impact Assessments
PIAs are structured processes for identifying and mitigating privacy risks. A PIA should address confidentiality risks at every stage of the system development life cycle (SDLC), not only before deployment.
c.      De-Identify Information
De-identified information describes records from which enough PII has been removed, masked, or obscured that the remaining data does not identify an individual. De-identified information can be re-identified by an authorized party using the code, algorithm, or pseudonym that was assigned to each record, so the key or lookup table used for re-identification must be protected separately from the de-identified data.
d.     Anonymize Information
Anonymization applies techniques intended to ensure the data cannot be re-identified at all; unlike de-identification, there is no key or table that reverses it.
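To make the difference between items 2c and 2d concrete, the following added example (not from NIST SP 800-122; the records, the HMAC key handling, and the k-anonymity threshold are assumptions for illustration) pseudonymizes a direct identifier with a keyed HMAC, which an authorized holder of the key or lookup table can reverse, and separately generalizes the quasi-identifiers until each record is indistinguishable from at least k-1 others, which cannot be reversed:

```python
"""De-identification (reversible pseudonyms) versus anonymization
(irreversible generalization with a k-anonymity check). Added example;
records are constructed and fictitious."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; SSNs and ZIP codes are fictitious.
RECORDS = [
    {"ssn": "219-09-9999", "zip": "20740", "age": 34, "diagnosis": "asthma"},
    {"ssn": "219-09-9998", "zip": "20742", "age": 37, "diagnosis": "flu"},
    {"ssn": "219-09-9997", "zip": "20770", "age": 52, "diagnosis": "asthma"},
    {"ssn": "219-09-9996", "zip": "20771", "age": 58, "diagnosis": "diabetes"},
]

# Fields that do not identify on their own but can be linked to other data.
QUASI_IDENTIFIERS = ("zip", "age")


def pseudonymize(records, key: bytes):
    """Replace the direct identifier with an HMAC-SHA256 pseudonym.
    Returns the de-identified records and the re-identification table;
    the table and the key must be stored apart from the data, under
    access control, because either one reverses the pseudonym."""
    table = {}
    out = []
    for r in records:
        code = hmac.new(key, r["ssn"].encode(), hashlib.sha256).hexdigest()[:16]
        table[code] = r["ssn"]
        out.append({"id": code, **{k: v for k, v in r.items() if k != "ssn"}})
    return out, table


def reidentify(record, table):
    """Authorized reversal of a pseudonym via the lookup table."""
    return table[record["id"]]


def generalize(r):
    """Coarsen quasi-identifiers: ZIP to its first 3 digits, age to a decade.
    The direct identifier is dropped entirely."""
    lo = (r["age"] // 10) * 10
    return {"zip": r["zip"][:3] + "**", "age": f"{lo}-{lo + 9}", "diagnosis": r["diagnosis"]}


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values:
    every individual hides among at least this many records."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def anonymize(records, k: int):
    """Generalize, then refuse to release data that does not reach k."""
    out = [generalize(r) for r in records]
    if k_anonymity(out) < k:
        raise ValueError(f"generalization does not reach k={k}")
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: from a KMS/HSM, not alongside the data
    deid, table = pseudonymize(RECORDS, key)
    print("pseudonymized:", deid[0], "-> reidentifies to", reidentify(deid[0], table))
    print("raw k-anonymity:", k_anonymity(RECORDS))
    anon = anonymize(RECORDS, k=2)
    print("anonymized (k=2):", anon)
```

Two points worth noting. An unkeyed hash of an SSN is not a pseudonym: there are only about a billion SSNs, so anyone can enumerate them and invert the hash, which is why the HMAC key is what makes re-identification require authorization. And the same key used across datasets makes pseudonyms linkable between them, which may or may not be intended. Anonymization here is checked, not assumed: the raw records have k=1 (each one unique on ZIP and age), and the release is refused if generalization does not reach the required k.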

3.     Security Controls
Security controls are often already implemented on a system to protect the other types of data the system processes, stores, or transmits; the task is to confirm they are applied to the PII at the strength its impact level requires.
a.     Access Control Enforcement
Organizations can control access to PII through access control policies and access enforcement mechanisms.
       i.     Separation of Duties
Organizations can enforce separation of duties for responsibilities involving access to PII.
       ii.    Least Privilege
Organizations can enforce the most restrictive set of rights, privileges, or accesses that users need to perform their specified tasks.
       iii.   Remote Access
Organizations can choose to prohibit or strictly limit remote access to PII. If remote access is permitted, the organization should ensure that the communications are encrypted.
       iv.    User-Based Collaboration and Information Sharing
Organizations can provide automated mechanisms to assist users in determining whether access authorizations match the access restrictions on the PII before it is shared.
       v.     Access Control for Mobile Devices
Organizations can choose to prohibit or strictly limit access to PII from portable and mobile devices, which are generally at higher risk of loss or theft.
b.     Auditable Events
Organizations can monitor events that affect the confidentiality of PII, such as unauthorized access to PII.
       i.     Audit Review, Analysis, and Reporting
Organizations can regularly review and analyze the information system’s audit records for indications of inappropriate or unusual activity affecting PII, investigate suspicious activity or suspected violations, and report findings to the appropriate officials.
c.      Identification and Authentication
Users can be uniquely identified and authenticated before accessing PII. The strength required of the authentication mechanism depends on the impact level of the PII and of the system as a whole.
d.     Media Access Protection
       i.     Organizations can restrict access to information system media containing PII, including digital media and non-digital media
       ii.    Organizations can label information system media and output containing PII to indicate how it should be distributed and handled
       iii.   Organizations can securely store PII, in both paper and digital form, until the media is destroyed or sanitized using approved equipment, techniques, and procedures
       iv.    Organizations can protect digital and non-digital media and mobile devices containing PII that are transported outside the organization’s controlled areas
       v.     Organizations can sanitize digital and non-digital media containing PII before it is disposed of or released for reuse
e.      Transmission Confidentiality
Organizations can protect the confidentiality of transmitted PII by encrypting the communication channel or by encrypting the information itself before it is transmitted.
f.       Protection of Information at Rest
Organizations can protect the confidentiality of PII at rest, such as on hard drives or backup tapes, through encryption and access controls.
g.     Information System Monitoring
Organizations can deploy automated tools to monitor PII internally and at network boundaries for unusual or suspicious transfers or events.
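The audit review in 3b and the automated monitoring in 3g both come down to running detection logic over PII access records. The following added example (not from NIST SP 800-122; the log format, the business-hours window, the bulk-access threshold, and the approved-destination list are assumptions chosen for illustration) parses a constructed PII access log and flags three patterns a reviewer would look for: off-hours access, export to an unapproved destination, and one user touching an unusually large number of data subjects within an hour:

```python
"""Review constructed PII access audit records for unusual activity.
Added example; the record format and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    subject: str   # identifier of the data subject whose PII was touched
    dest: str      # where exported data went; "-" when nothing left the system


def parse(lines):
    """Parse 'timestamp,user,action,subject,destination' lines (assumed format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, subject, dest = line.split(",")
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, action, subject, dest))
    return events


BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC; assumed policy
BULK_THRESHOLD = 25                    # distinct subjects per user per hour; assumed
ALLOWED_DESTS = {"-", "printer:hq-3f"} # assumed list of approved output channels


def review(events):
    """Return (rule, user, detail) alerts. Per-event rules fire in log order;
    the bulk-access rule aggregates per user and clock hour and fires last."""
    alerts = []
    per_user_hour = defaultdict(set)
    for e in events:
        if e.ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", e.user, e.subject))
        if e.action == "export" and e.dest not in ALLOWED_DESTS:
            alerts.append(("export_to_unapproved_destination", e.user, e.dest))
        hour = e.ts.replace(minute=0, second=0, microsecond=0)
        per_user_hour[(e.user, hour)].add(e.subject)
    for (user, hour), subjects in sorted(per_user_hour.items()):
        if len(subjects) >= BULK_THRESHOLD:
            alerts.append(("bulk_access", user,
                           f"{len(subjects)} subjects in hour starting {hour.isoformat()}"))
    return alerts


# Constructed audit log: two routine reads, one late-night read, one export to
# a USB device, and a burst of 30 reads by a single user within one hour.
SAMPLE_LOG = [
    "2024-03-04T09:12:05Z,alice,read,S1001,-",
    "2024-03-04T09:14:10Z,alice,read,S1002,-",
    "2024-03-04T23:41:30Z,bob,read,S2001,-",
    "2024-03-04T10:05:00Z,carol,export,S3001,usb:sdb1",
] + [f"2024-03-04T10:00:{i:02d}Z,carol,read,S3{i:03d},-" for i in range(30)]

if __name__ == "__main__":
    for rule, user, detail in review(parse(SAMPLE_LOG)):
        print(f"{rule:35} {user:6} {detail}")
```

The value of such a review depends on what is logged: each record must carry the authenticated user, the time, the data subject or record touched, and the destination of any export. Without a unique, authenticated identity per access (control 3c), the bulk-access rule cannot distinguish one user from a shared account, and without the destination field the export rule has nothing to check.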


Appendix


References and additional information are available at https://csrc.nist.gov/publications
NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (PDF)
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (PDF)
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations