
NIST Special Publication 800-122

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Recommendations of the National Institute of Standards and Technology

Erika McCallister, Tim Grance, Karen Scarfone

COMPUTER SECURITY

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930

April 2010

U.S. Department of Commerce, Gary Locke, Secretary
National Institute of Standards and Technology, Dr. Patrick D. Gallagher, Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-122
Natl. Inst. Stand. Technol. Spec. Publ. 800-122, 59 pages (Apr. 2010)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

GUIDE TO PROTECTING THE CONFIDENTIALITY OF PERSONALLY IDENTIFIABLE INFORMATION (PII)

Acknowledgments

The authors, Erika McCallister, Tim Grance, and Karen Scarfone of the National Institute of Standards and Technology (NIST), wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. Of particular note are the efforts of Joseph Nusbaum of Innovative Analytics & Training, Deanna DiCarlantonio of CUNA Mutual Group, and Michael L. Shapiro and Daniel I. Steinberg of Booz Allen Hamilton, who contributed significant portions to previous versions of the document. The authors would also like to acknowledge Ron Ross, Kelley Dempsey, and Arnold Johnson of NIST; Michael Gerdes, Beth Mallory, and Victoria Thompson of Booz Allen Hamilton; Brendan Van Alsenoy of ICRI, K.U.Leuven; David Plocher and John de Ferrari of the Government Accountability Office; Toby Levin of the Department of Homeland Security; Idris Adjerid of Carnegie Mellon University; the Federal Committee on Statistical Methodology: Confidentiality and Data Access Committee; the Privacy Best Practices Subcommittee of the Chief Information Officers Council; and Julie McEwen and Aaron Powell of The MITRE Corporation, for their keen and insightful assistance during the development of the document.

Table of Contents

Executive Summary  ES-1
1. Introduction  1-1
  1.1 Authority  1-1
  1.2 Purpose and Scope  1-1
  1.3 Audience  1-1
  1.4 Document Structure  1-1
2. Introduction to PII  2-1
  2.1 Identifying PII  2-1
  2.2 Examples of PII Data  2-2
  2.3 PII and Fair Information Practices  2-3
3. PII Confidentiality Impact Levels  3-1
  3.1 Impact Level Definitions  3-1
  3.2 Factors for Determining PII Confidentiality Impact Levels  3-2
    3.2.1 Identifiability  3-3
    3.2.2 Quantity of PII  3-3
    3.2.3 Data Field Sensitivity  3-3
    3.2.4 Context of Use  3-4
    3.2.5 Obligation to Protect Confidentiality  3-4
    3.2.6 Access to and Location of PII  3-5
  3.3 PII Confidentiality Impact Level Examples  3-5
    3.3.1 Example 1: Incident Response Roster  3-5
    3.3.2 Example 2: Intranet Activity Tracking  3-6
    3.3.3 Example 3: Fraud, Waste, and Abuse Reporting Application  3-7
4. PII Confidentiality Safeguards  4-1
  4.1 Operational Safeguards  4-1
    4.1.1 Policy and Procedure Creation  4-1
    4.1.2 Awareness, Training, and Education  4-2
  4.2 Privacy-Specific Safeguards  4-3
    4.2.1 Minimizing the Use, Collection, and Retention of PII  4-3
    4.2.2 Conducting Privacy Impact Assessments  4-4
    4.2.3 De-Identifying Information  4-4
    4.2.4 Anonymizing Information  4-5
  4.3 Security Controls  4-6
5. Incident Response for Breaches Involving PII  5-1
  5.1 Preparation  5-1
  5.2 Detection and Analysis  5-3
  5.3 Containment, Eradication, and Recovery  5-3
  5.4 Post-Incident Activity  5-3

Appendices

Appendix A  Scenarios for PII Identification and Handling  A-1
  A.1 General Questions  A-1
  A.2 Scenarios  A-1
Appendix B  Frequently Asked Questions (FAQ)  B-1
Appendix C  Other Terms and Definitions for Personal Information  C-1
Appendix D  Fair Information Practices  D-1
Appendix E  Glossary  E-1
Appendix F  Acronyms and Abbreviations  F-1
Appendix G  Resources  G-1

- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

Organizations should minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission. The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores. For example, an organization should only request PII in a new form if the PII is absolutely necessary. Also, an organization should regularly review its holdings of previously collected PII to determine whether the PII is still relevant and necessary for meeting the organization's business purpose and mission. For example, organizations could have an annual PII purging awareness day.[7] OMB M-07-16[8] specifically requires agencies to:

- Review current holdings of PII and ensure they are accurate, relevant, timely, and complete
- Reduce PII holdings to the minimum necessary for proper performance of agency functions
- Develop a schedule for periodic review of PII holdings
- Establish a plan to eliminate the unnecessary collection and use of SSNs.

Organizations should categorize their PII by the PII confidentiality impact level. All PII is not created equal. PII should be evaluated to determine its PII confidentiality impact level, which is different from the Federal Information Processing Standard (FIPS) Publication 199[9] confidentiality impact level, so that appropriate safeguards can be applied to the PII. The PII confidentiality impact level (low, moderate, or high) indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.

This document provides a list of factors an organization should consider when determining the PII confidentiality impact level. Each organization should decide which factors it will use for determining impact levels and then create and implement the appropriate policy, procedures, and controls. The following are examples of factors:

- Identifiability. Organizations should evaluate how easily PII can be used to identify specific individuals. For example, a SSN uniquely and directly identifies an individual, whereas a telephone area code identifies a set of people.
- Quantity of PII. Organizations should consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts. The PII confidentiality impact level should only be raised and not lowered based on this factor.
- Data Field Sensitivity. Organizations should evaluate the sensitivity of each individual PII data field. For example, an individual's SSN or financial account number is generally more sensitive than an individual's phone number or ZIP code.

[7] Disposal of PII should be conducted in accordance with the retention schedules approved by the National Archives and Records Administration (NARA), as well as in accordance with agency litigation holds.
[8] OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.
[9] FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

  Organizations should also evaluate the sensitivity of the PII data fields when combined.
- Context of Use. Organizations should evaluate the context of use, the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated. The context of use may cause the same PII data elements to be assigned different PII confidentiality impact levels based on their use. For example, suppose that an organization has two lists that contain the same PII data fields (e.g., name, address, phone number). The first list is people who subscribe to a general-interest newsletter produced by the organization, and the second list is people who work undercover in law enforcement. If the confidentiality of the lists is breached, the potential impacts to the affected individuals and to the organization are significantly different for each list.
- Obligations to Protect Confidentiality. An organization that is subject to any obligations to protect PII should consider such obligations when determining the PII confidentiality impact level. Obligations to protect generally include laws, regulations, or other mandates (e.g., Privacy Act, OMB guidance). For example, some Federal agencies, such as the Census Bureau and the Internal Revenue Service (IRS), are subject to specific legal obligations to protect certain types of PII.[10]
- Access to and Location of PII. Organizations may choose to take into consideration the nature of authorized access to and the location of PII. When PII is accessed more often or by more people and systems, or the PII is regularly transmitted or transported offsite, then there are more opportunities to compromise the confidentiality of the PII.

Organizations should apply the appropriate safeguards for PII based on the PII confidentiality impact level. Not all PII should be protected in the same way. Organizations should apply appropriate safeguards to protect the confidentiality of PII based on the PII confidentiality impact level. Some PII does not need to have its confidentiality protected, such as information that the organization has permission or authority to release publicly (e.g., an organization's public phone directory). NIST recommends using operational safeguards, privacy-specific safeguards, and security controls,[11] such as:

- Creating Policies and Procedures. Organizations should develop comprehensive policies and procedures for protecting the confidentiality of PII.
- Conducting Training. Organizations should reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training before being granted access to systems containing PII.
- De-Identifying PII. Organizations can de-identify records by removing enough PII such that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. De-identified records can be used when full records are not necessary, such as for examinations of correlations and trends.
- Using Access Enforcement. Organizations can control access to PII through access control policies and access enforcement mechanisms (e.g., access control lists).
- Implementing Access Control for Mobile Devices. Organizations can prohibit or strictly limit access to PII from portable and mobile devices, such as laptops, cell phones, and personal digital

[10] The Census Bureau has a special obligation to protect based on provisions of Title 13 of the U.S. Code, and IRS has a special obligation to protect based on Title 26 of the U.S. Code. There are more agency-specific obligations to protect PII,
[11] This document provides some selected security control examples from NIST SP 800-53.

  assistants (PDA), which are generally higher-risk than non-portable devices (e.g., desktop computers).
- Providing Transmission Confidentiality. Organizations can protect the confidentiality of transmitted PII. This is most often accomplished by encrypting the communications or by encrypting the information before it is transmitted.
- Auditing Events. Organizations can monitor events that affect the confidentiality of PII, such as inappropriate access to PII.

Organizations should develop an incident response plan to handle breaches involving PII. Breaches involving PII are hazardous to both individuals and organizations. Harm to individuals and organizations can be contained and minimized through the development of effective incident response plans for breaches involving PII. Organizations should develop plans[12] that include elements such as determining when and how individuals should be notified, how a breach should be reported, and whether to provide remedial services, such as credit monitoring, to affected individuals.

Organizations should encourage close coordination among their chief privacy officers, senior agency officials for privacy, chief information officers, chief information security officers, and legal counsel[13] when addressing issues related to PII. Protecting the confidentiality of PII requires knowledge of information systems, information security, privacy, and legal requirements. Decisions regarding the applicability of a particular law, regulation, or other mandate should be made in consultation with an organization's legal counsel and privacy officer because relevant laws, regulations, and other mandates are often complex and change over time. Additionally, new policies often require the implementation of technical security controls to enforce the policies. Close coordination of the relevant experts helps to prevent incidents that could result in the compromise and misuse of PII by ensuring proper interpretation and implementation of requirements.

[12] OMB requires agencies to develop and implement breach notification policies. OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.
[13] Some organizations are structured differently and have different names for roles. These roles are examples, used for illustrative purposes.
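The de-identification safeguard above, together with the instruction to weigh data fields "when combined", is illustrated by the following added example (not code from SP 800-122 or NIST): direct identifiers are dropped, and the remaining linkable fields are generalized until no combination of their values singles out one person. The field names, generalization steps and sample records are constructed assumptions for illustration.

```python
from collections import Counter

# Fields that directly identify a person: always dropped (constructed set).
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email"}
# Linkable fields that can identify someone in combination; generalized in
# this order until no combination of values singles out an individual.
QUASI_IDENTIFIERS = ("date_of_birth", "zip", "job_title")
MAX_LEVEL = {"date_of_birth": 2, "zip": 2, "job_title": 1}

def _generalize(field, value, level):
    """Coarsen one quasi-identifier value; level 0 is the original."""
    if level == 0:
        return value
    if field == "date_of_birth":        # 1985-03-14 -> 1985 -> 1980s
        return value[:4] if level == 1 else value[:3] + "0s"
    if field == "zip":                  # 20899 -> 208** -> *
        return value[:3] + "**" if level == 1 else "*"
    return "*"                          # job_title: suppress outright

def k_anonymous(records, k):
    """True if every quasi-identifier combination occurs at least k times."""
    combos = Counter(tuple(r[f] for f in QUASI_IDENTIFIERS) for r in records)
    return all(n >= k for n in combos.values())

def deidentify(records, k=3):
    """Drop direct identifiers, then generalize quasi-identifiers until each
    record shares its combination with at least k-1 others.
    Returns (deidentified_records, generalization_levels)."""
    base = [{f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS}
            for r in records]
    levels = {f: 0 for f in QUASI_IDENTIFIERS}
    while True:
        out = [dict(r, **{f: _generalize(f, r[f], levels[f])
                          for f in QUASI_IDENTIFIERS}) for r in base]
        if k_anonymous(out, k):
            return out, levels
        # Coarsen the least-generalized field that still has room.
        room = [f for f in QUASI_IDENTIFIERS if levels[f] < MAX_LEVEL[f]]
        if not room:
            raise ValueError(f"cannot reach k={k}; suppress or drop records")
        levels[min(room, key=levels.get)] += 1

def _rec(name, ssn, dob, zip_code, job, note):
    return {"name": name, "ssn": ssn, "date_of_birth": dob,
            "zip": zip_code, "job_title": job, "note": note}

SAMPLE_RECORDS = [  # constructed sample data, not real people
    _rec("A. Example", "000-00-0001", "1985-03-14", "20899", "Analyst", "lost badge"),
    _rec("B. Example", "000-00-0002", "1985-07-02", "20899", "Analyst", "phishing"),
    _rec("C. Example", "000-00-0003", "1985-11-30", "20899", "Analyst", "lost badge"),
    _rec("D. Example", "000-00-0004", "1992-01-09", "20877", "Engineer", "malware"),
    _rec("E. Example", "000-00-0005", "1992-05-21", "20877", "Engineer", "phishing"),
    _rec("F. Example", "000-00-0006", "1992-09-17", "20877", "Engineer", "malware"),
]

if __name__ == "__main__":
    records, levels = deidentify(SAMPLE_RECORDS, k=3)
    print(levels)               # {'date_of_birth': 1, 'zip': 0, 'job_title': 0}
    for r in records:
        print(r)
```

With k=3 the full birth dates alone make every record unique, so the routine keeps only the birth year; asking for k=4 cannot be satisfied by generalization on this data and raises, which is the signal to suppress or drop records rather than release them.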

1. Introduction

1.1 Authority

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. This guideline has been prepared for use by Federal agencies, also referred to as organizations in the guide. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired. Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.

1.2 Purpose and Scope

The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable information (PII) in information systems. The document explains the importance of protecting the confidentiality of PII in the context of information security and explains its relationship to privacy using the Fair Information Practices, which are the principles underlying most privacy laws and privacy best practices. PII should be protected from inappropriate access, use, and disclosure. This document provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for incidents involving PII. Organizations are encouraged to tailor the recommendations to meet their specific requirements.

1.3 Audience

The primary audience for this document is the individuals who apply policies and procedures for protecting the confidentiality of PII on Federal information systems, as well as technical and non-technical personnel involved with implementing system-level changes concerning PII protection methods. Individuals in many roles should find this document useful, including chief privacy officers and other privacy officers, privacy advocates, privacy support staff, public affairs staff, compliance officers, human resources staff, system administrators, chief information security officers, information system security officers, information security support staff, computer security incident response teams, and chief information officers.

1.4 Document Structure

The remainder of this document is organized into the following sections:
