Beyond Tech using PIAs 2011

How to use NIST's Privacy Impact Assessment approach to protect PII/PHI

  1. Going Beyond Technology: Privacy Impact Assessments from NIST
     Candy Alexander, CISSP CISM
     SecureWorld Expo Boston, March 24, 2011, Room 103
     Candy Alexander CISSP, CISM - SecureWorld Expo - Boston March 24, 2011 - Room 103
  2. Topics
     - What is PII, PIAs and why should I care
     - Using NIST's guide
     - How to define impact levels & safeguards
     - Where should I begin
     - Incident response
     - Summary
  3. What is PII
     Personally Identifiable Information: "Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."*
     * OMB Memorandum 07-16
  4. Or more specifically...
     Personally Identifiable Information refers to information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual. The following are often used for the express purpose of distinguishing individual identity, and thus are clearly PII under the definition used by the U.S. Office of Management and Budget:
     - Full name (if not common)
     - National identification number
     - IP address (in some cases)
     - Vehicle registration plate number
     - Driver's license number
     - Face, fingerprints, or handwriting
     - Credit card numbers
     - Digital identity
     - Birthday
     - Birthplace
     - Genetic information
  5. Privacy Impact Assessment
     Using the premise that not all Personally Identifiable Information (PII) is created equal or carries the same value/risk:
     - PII should be protected from inappropriate access, use and disclosure
     - Provides practical, context-based guidance for identifying PII
     - Defines the appropriate level of protection for each instance of PII
     - Encourages close coordination among privacy, IT, security and legal when addressing PII issues
  6. Why is this approach so important?
     - Enables you to focus efforts and resources on protecting the data that has the most risk, rather than all of it
     - Expensive and complex to protect the whole environment
     - Similar to the gold in Fort Knox: concentrating it in one location & safeguarding it to the fullest
  7. PIA Approach
     1. Identify all PII residing in their environment
     2. Categorize their PII by confidentiality impact
     3. Apply the appropriate safeguards for PII based on the PII confidentiality impact level (i.e. how sensitive it is)
     4. Minimize the collection/retention of PII to what is strictly necessary to accomplish their business
     5. Develop an incident response plan to handle breaches of PII
  8. NIST SP 800-122* Process
     - Identify PII
     - Determine Confidentiality Impact Level
     - Apply Appropriate Protection Measures
     - Minimize Collection & Retention
     - Incident Response Plan for PII
     * NIST SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
  9. Identify PII within Environment
     - What PII elements: name, address, Social Security Number, email, etc.
     - Where are they: stored, processed and transmitted
     - How are they used: what is the business need; are they linkable
     - Who: access, "custodianship"
  10. Determine Confidentiality Impact Level
      Based on "harm", identified as:
      - Low: limited adverse effect (minor harm, such as minor financial loss or no more than an inconvenience)
      - Moderate: serious adverse effect (significant harm that may result in significant financial loss, but does not include loss of life; e.g. denial of benefits, discrimination or potential blackmail)
      - High: severe or catastrophic adverse effect (major financial loss or severe harm to individuals, such as life-threatening injuries or loss of life)
  11. Determine Confidentiality Impact Level: Evaluation Factors
      - Holistic approach in evaluating data elements
      - The complete view of the data elements determines the impact level
      - 5 factors used:
        1. Distinguishability
        2. Aggregation and sensitivity
        3. Context of use
        4. Obligation to protect
        5. Access to and location of PII
  12. Determine Confidentiality Impact Level
      1 - Distinguishability
      - Unique id or not? SSN vs. phone number (department phone)
      - Listing of just SSNs?
      2 - Aggregation and sensitivity
      - Sensitivity of data when used together, such as: name, address, SSN; name, address, SSN and date of birth
      - May have a requirement that if SSN is involved, it is a Moderate automatically
  13. Determine Confidentiality Impact Level
      3 - Context of Use
      - Purpose for which PII is collected, stored, used, processed, disclosed or disseminated
      - How it could be used or potentially be used (risk)
      - The same PII used in different contexts may call for different impact levels
      - Each "process" could have a different impact level on the same PII data. For example: name, address & SSN could be Moderate, but used for analysis of alcohol or drug use, illegal conduct, illegal immigration status, information damaging to financial standing, or employability, the same data could become a "High"
  14. Determine Confidentiality Impact Level
      4 - Obligation to Protect Confidentiality
      - Laws & regulations: Privacy Act of 1974, OMB memoranda, HIPAA, state data regulations, Gramm-Leach-Bliley Act
  15. Determine Confidentiality Impact Level
      5 - Access to & Location of PII
      - How many are accessing (staff & systems)
      - Where they are accessing it from (remote workers, onsite, vendors, etc.)
      - Where it is stored (locally on a desktop/laptop or on a file server)
  16. Determine Confidentiality Impact Level: How to get started?
      - Form a team consisting of InfoSec, Privacy, IT, the "system owner" or info custodian, and Legal
      - Develop a form to help guide you through the review and document the impact levels
      - Review the impact levels on a regular basis, similar to HIPAA
  17. Determine Confidentiality Impact Level: Form should include
      - Process Name
      - Process Description
      - Process Owner
      - PII data elements used
      - Distinguishability
      - Aggregation/Sensitivity
      - Context of Use
      - Obligation
      - Access to/Location of
      - Impact Level Declaration
      - Date of Declaration
  18. Determine Confidentiality Impact Level: Going through the exercise, Example 1: Incident Response Roster
      - Data elements: name, titles, office & work cell numbers, work email addresses
      - Distinguishability: small number (under 20)
      - Aggregation/Sensitivity: internally available
      - Context of use: release would not likely cause harm to individual or organization
      - Obligation: none
      - Access to/Location of: accessed by IT and response team; available to remote workers
      - Impact level = Low
  19. Determine Confidentiality Impact Level: Exercise Example 2: Intranet Activity Tracking
      - Data elements: user's IP address, URL of website user viewed, date/time user accessed website, amount of time user spent viewing, web pages or topics accessed
      - Distinguishability: by itself, no; but linked, yes (admins can view this log and the AD log to identify an individual)
      - Aggregation/Sensitivity: info accessed could cause embarrassment if related to HR subjects; however, the amount of potential info is limited
      - Context of use: release of info would be unlikely to cause harm; since logging is known and assumed to happen, it would not cause harm
      - Obligation: none
      - Access to/Location of: log data is accessed by a small number of sys admins and is only accessible from the organization's own systems
      - Impact level = Low
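To make the five-factor review repeatable, the slides' review form and both worked examples can be expressed as a small rule-based evaluator. The following is an added example, not NIST's tool or the presenter's code: the thresholds (three quasi-identifiers together, more than 20 remote accessors, a regulatory obligation as a Moderate floor) are assumptions chosen so that the two slide examples come out Low, a record with an SSN comes out at least Moderate (slide 12), and a sensitive context of use such as employability analysis comes out High (slide 13); the de-identification exception from slide 21 is included as well.

```python
"""Rule-based evaluator for the five SP 800-122 confidentiality impact factors.

Added example, not NIST's tool or the presenter's code. Thresholds are assumptions
chosen to reproduce the slides' outcomes; adjust them to your own policy.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Factor 1: elements that single out one person on their own (assumed list).
DIRECT_IDENTIFIERS = {"ssn", "driver's license number", "credit card number", "passport number"}
# Factor 2: elements whose combination becomes sensitive (slide 12 / slide 4; assumed set).
QUASI_IDENTIFIERS = {"name", "address", "date of birth", "birthplace"}
# Factor 3: purposes slide 13 names as pushing name/address/SSN to High.
HIGH_IMPACT_PURPOSES = {"alcohol or drug use", "illegal conduct", "illegal immigration status",
                        "financial standing", "employability"}
# Factor 4: obligations listed on slide 14; treated here as a Moderate floor (assumption).
REGULATORY_OBLIGATIONS = {"privacy act of 1974", "omb memoranda", "hipaa",
                          "state data regulations", "gramm-leach-bliley act"}


@dataclass
class PiaRecord:
    """Mirrors the review form on slide 17: process metadata plus the five factor inputs."""
    process_name: str
    process_owner: str
    data_elements: set[str]
    linkable_to_individual: bool      # factor 1: can other data tie it back to a person?
    purposes: set[str]                # factor 3: why the PII is collected/used
    obligations: set[str]             # factor 4: applicable laws and regulations
    accessor_count: int               # factor 5: staff and systems with access
    remote_access: bool               # factor 5
    stored_on_endpoints: bool         # factor 5: desktops/laptops rather than a file server
    deidentified_and_unlinkable: bool = False   # slide 21 exception
    rationale: list[str] = field(default_factory=list)


def evaluate(rec: PiaRecord) -> Impact:
    """Return the impact level; every rule that fires is appended to rec.rationale."""
    elements = {e.lower() for e in rec.data_elements}
    levels = [Impact.LOW]

    direct = elements & DIRECT_IDENTIFIERS
    if direct:                                     # factor 1, plus slide 12's SSN rule
        levels.append(Impact.MODERATE)
        rec.rationale.append(f"direct identifier {sorted(direct)} -> at least Moderate")
    elif rec.linkable_to_individual:
        rec.rationale.append("not distinguishing alone but linkable via other records; stays Low")

    quasi = elements & QUASI_IDENTIFIERS
    if len(quasi) >= 3:                            # factor 2: e.g. name + address + date of birth
        levels.append(Impact.MODERATE)
        rec.rationale.append(f"aggregation of {sorted(quasi)} -> at least Moderate")

    sensitive = {p.lower() for p in rec.purposes} & HIGH_IMPACT_PURPOSES
    if sensitive:                                  # factor 3: context of use
        levels.append(Impact.HIGH)
        rec.rationale.append(f"sensitive context of use {sorted(sensitive)} -> High")

    if {o.lower() for o in rec.obligations} & REGULATORY_OBLIGATIONS:   # factor 4
        levels.append(Impact.MODERATE)
        rec.rationale.append("regulatory obligation -> at least Moderate (assumed floor)")

    level = max(levels)

    # Factor 5 (assumed rule): broad remote access or endpoint storage raises one step.
    if rec.stored_on_endpoints or (rec.remote_access and rec.accessor_count > 20):
        level = Impact(min(level + 1, Impact.HIGH))
        rec.rationale.append("wide or endpoint-resident access -> raised one level")

    # Slide 21: de-identified data whose re-identification key lives on a separate system
    # and whose elements are not linkable drops to Low regardless of the factors above.
    if rec.deidentified_and_unlinkable:
        level = Impact.LOW
        rec.rationale.append("de-identified and unlinkable -> Low")
    return level


def worked_examples() -> dict[str, Impact]:
    """Re-run the two slide examples plus two constructed variants (slide 13 and slide 21)."""
    roster = PiaRecord("Incident Response Roster", "IT Security",
                       {"name", "title", "office phone", "work cell", "work email"},
                       False, {"incident contact list"}, set(), 15, True, False)
    tracking = PiaRecord("Intranet Activity Tracking", "Web Team",
                         {"ip address", "url", "access time", "time spent", "topics accessed"},
                         True, {"intranet usage statistics"}, set(), 3, False, False)
    hr_screen = PiaRecord("Employability Screening (constructed)", "HR",
                          {"name", "address", "ssn"}, True, {"employability"}, set(), 5, False, False)
    tokenised = PiaRecord("Employability Screening, pseudonymised (constructed)", "HR",
                          {"name", "address", "ssn"}, False, {"employability"}, set(), 5, False, False,
                          deidentified_and_unlinkable=True)
    return {r.process_name: evaluate(r) for r in (roster, tracking, hr_screen, tokenised)}
```

The `rationale` list is what goes into the "Impact Level Declaration" on the form: a reviewer can see which factor drove the level rather than just the result, and the periodic re-review the slides recommend becomes a re-run with updated inputs.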
  20. Apply Appropriate Protection Measures (Beyond Technology)
      - Policy & Procedures: use of PIAs, access rules for PII, retention schedule, redress, individual consent, data sharing agreements, PII incident response, privacy in the SDLC, limitation of collection, disclosure, sharing and use of PII
      - Education, Training & Awareness: what is PII; basic privacy laws/regs/policies; restrictions on data collection/storage/use; roles & responsibilities for using/protecting PII; appropriate disposal; sanctions for misuse; recognizing a security or privacy incident involving PII; retention schedules; roles & responsibilities in responding to PII incidents
  21. Minimize Collection & Retention
      - Minimize to the least amount necessary: reduces potential risk; review PII collection requirements regularly
      - De-identifying info (encryption/tokenization): info that has enough PII removed/obscured such that it does not identify an individual
        - Full data records aren't always necessary
        - Can be accomplished by code, algorithm, or pseudonym
        - Changes the impact level to Low as long as re-identification is on a separate system with appropriate controls and the data elements are not linkable
  22. Minimize Collection & Retention: Anonymizing Information
      - Making previously identifiable info de-identified, such that a code or other link no longer exists
      - Renders information so that it is no longer PII
      - Techniques: generalizing the data; suppressing the data (redaction); scrambling or swapping the data
      - Useful in system development & testing
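The distinction between de-identification (slide 21, a code or pseudonym with the link kept elsewhere) and anonymization (slide 22, no link at all) is easiest to see on data. The following is an added example, not the presenter's code: the records are constructed and fictional, the keyed-HMAC pseudonym, the 3-digit ZIP prefix and the 10-year age bucket are assumed rules, and the swap step shuffles one column across records so that no row's values still belong together.

```python
"""De-identification (slide 21) and anonymization (slide 22) of a small PII dataset.

Added example, not the presenter's code. Records are constructed; the pseudonym scheme
and generalization rules are assumptions.
"""
from __future__ import annotations
import hashlib
import hmac
import random
import secrets

# Constructed sample records (fictional people).
RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "zip": "02115", "age": 34, "salary": 71000},
    {"name": "Bob Sample",    "ssn": "987-65-4321", "zip": "02139", "age": 47, "salary": 88000},
    {"name": "Carol Test",    "ssn": "555-12-3456", "zip": "03101", "age": 29, "salary": 65000},
]


class Pseudonymizer:
    """Replaces an identifier with a keyed code. The code-to-value table is the part that
    slide 21 says must live on a separate system with its own access controls."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._table: dict[str, str] = {}

    def code_for(self, value: str) -> str:
        # Keyed hash: the same value always maps to the same code, but the code cannot
        # be turned back into the value without the key or the table.
        code = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._table[code] = value
        return code

    def reidentify(self, code: str) -> str:
        return self._table[code]


def generalize_zip(zip_code: str) -> str:
    """Keep only the 3-digit prefix (assumed rule): still usable for regional statistics."""
    return zip_code[:3] + "XX"


def generalize_age(age: int) -> str:
    """Replace an exact age with a 10-year bucket."""
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def suppress(_value: object) -> str:
    """Redaction: the value is replaced by a fixed marker and is not recoverable."""
    return "[REDACTED]"


def deidentify(records: list[dict], pseudonymizer: Pseudonymizer) -> list[dict]:
    """Slide 21: remove enough PII that a record no longer identifies a person, while the
    pseudonymizer keeps the link so an authorised process can re-identify when needed."""
    return [{
        "subject": pseudonymizer.code_for(r["name"]),
        "ssn": suppress(r["ssn"]),
        "zip": generalize_zip(r["zip"]),
        "age": generalize_age(r["age"]),
        "salary": r["salary"],
    } for r in records]


def anonymize_for_testing(records: list[dict], seed: int | None = None) -> list[dict]:
    """Slide 22: same transformations, but the pseudonym key is random and discarded with
    the table, so no code or link back to the person exists; salaries are swapped across
    records so that no row's values belong together (suitable for dev/test environments)."""
    throwaway = Pseudonymizer(secrets.token_bytes(32))   # table is dropped on return
    out = deidentify(records, throwaway)
    salaries = [r["salary"] for r in out]
    random.Random(seed).shuffle(salaries)
    for r, s in zip(out, salaries):
        r["salary"] = s
    return out
```

Note what each output still supports: the de-identified set keeps a stable `subject` code, so records can be joined across extracts and re-identified by whoever holds the `Pseudonymizer`, which is why that holder needs its own controls; the anonymized set keeps only aggregate statistics, which is all a development or test environment should need.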
  23. Incident Response Plan for PII
      - Follow traditional IR planning
      - Include Privacy & Legal
      - Know your notification requirements (State/Federal)
  24. Questions?
      Candy Alexander, CISSP CISM
      calexander@ltcpartners.com
      For a copy of this presentation, send an email request.
