Embed Size (px)
Citation preview
Personally Identifiable Information (PII)
MIS 5206
• In The News
• Confidentiality Risk of Personally Identifiable Information
• Team exercise
• No Quiz to today
http://thehackernews.com/2017/09/play-store-malware.html
http://www.theregister.co.uk/2017/09/15/malware_outbreak_googles_play_store/
https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#e890740316a8
https://www.infosecurity-magazine.com/news/fitbit-vulnerabilities-expose/
http://europa.eu/rapid/press-release_IP-17-3193_en.htm
https://www.infosecurity-magazine.com/news/hackers-inserted-malware-popular/
https://www.infosecurity-magazine.com/news/phishing-awareness-improves-in-2017/
http://www.techrepublic.com/article/why-wont-enterprises-take-iot-security-seriously/
http://money.cnn.com/2017/09/19/technology/business/equifax-breach-social-security/index.html
http://flatheadbeacon.com/2017/09/19/cyber-expert-sheds-light-hackers-motives-strategy/
http://searchhrsoftware.techtarget.com/feature/Why-your-HR-department-needs-PII-security-now
http://thehackernews.com/2017/09/pirate-bay-cryptocurrency-mining.html
https://www.computerworld.com/article/3227168/web-browsers/apple-upgrades-safari-for-older-versions-of-macos.html
http://allafrica.com/stories/201708310035.html
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
https://securityintelligence.com/news/new-banking-malware-poses-fresh-risk-to-android-users/
http://www.seattletimes.com/sponsored/current-events-highlight-need-for-cybersecurity-professionals/
https://threatpost.com/malware-steals-data-from-air-gapped-network-via-security-cameras/128038/
http://www.securityweek.com/ios-11-patches-8-security-vulnerabilities?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29&utm_content=FeedBurner
https://www.sciencedaily.com/releases/2017/09/170919144821.htm
https://www.nytimes.com/2017/07/21/business/dealbook/wells-fargo-confidential-data-release.html?mcubz=0
http://www.healthcareitnews.com/news/black-hat-white-hat-hackers-agree-phishing-best-way-steal-data
https://www.forbes.com/sites/jenniferhicks/2017/09/20/using-virtual-and-augmented-reality-in-medical-diagnosis-treatment-and-therapy/#6b99910dc4bc
http://www.traveltripper.com/blog/hotel-data-security-understand-the-difference-between-pci-and-pii-compliance/https://www.infosecurity-magazine.com/news/breaches-galore-as-19-billion/
http://www.bbc.com/news/technology-41347467 http://thehackernews.com/2017/09/viacom-amazon-server.html
FIPS 199 Standards for Security Categorization
• Focuses on confidentiality, integrity and availability impacts of a security breach involving a particular information system
• The impact of confidentiality breach • Not limited to PII
• Focuses on overall impact to • The organization
• Organizational assets
• Financial loss
• Individuals
NIST SP 800-122 – Guide to Protecting Confidentiality of PII
• Specifically focused on:• Identifying PII
• Determining PII confidentiality impact level needed to supplement the FIPS 199 confidentiality impact level of an information system
• Specific organizational responsibilities for safeguarding PII confidentiality• Including incident response for breaches involving PII
Personally Identifiable Information (PII)
1. Any information that can be used to distinguish (i.e. identify) or tracean individual‘s identity, such as:• Name
• Identifying number
• Address
• Asset identifier
• Telephone number
• Personal characteristics
• Personally owned property identifiers
Any information about an individual maintained by an agency, including:
2. Any other information that is linkedor linkable to the identifiers listed in #1: • Date of birth• Place of birth• Race• Religion• Weight• Geographic indicators• Medical information• Educational information• Financial information• Employment information
Not all PII needs to have its confidentiality protected• Including information the organization has permission or authority to
release publicly • (e.g., a published phone directory of employees‘ names and work phone
numbers so that members of the public can contact them directly
• In this case, the PII confidentiality impact level would be not applicable and would not be used to supplement a system‘s provisional confidentiality impact level
PII confidentiality breach impacts include harm to
1. An individual whose PII was the subject of a loss of confidentiality, including any negative or unwanted effects that may be damaging• Socially• Financially• Physically
Examples of types of harm to individuals include, but are not limited to, the potential for blackmail, identity theft, physical harm, discrimination, or emotional distress
2. An organization that maintains the PII, including but not limited to • Administrative burden• Financial losses• Loss of public reputation and public confidence• Legal liability
Factors Determining PII Confidentiality Impact Level
1. Identifiability: How easily PII can be used to identify specific individual ?
2. Quantity: How many individuals are identified in the information (e.g., number of records) ?
3. Data Field Sensitivity: Organizations should evaluate the sensitivity of each individual PII data field, as well as the sensitivity of the PII data fields together• A MIT study demonstrated that 97% of the names and addresses on a voting list were
identifiable using only ZIP code and date of birth
4. Context of Use: Purpose that provides a special meaning to particular sets of PII
5. Obligation to Protect Confidentiality: Laws, regulations, or other mandates may govern the organization’s obligations to protect personal information
6. Access to and Location of PII: Higher impacts can result to increased vulnerabilities resulting from the nature of access provided to the PII and its location during storage and transfer
PII Operational Safeguards1. PII policy and procedure creation
• Access rules within a system• Retention schedules and procedures• Incident response and data breach notification• Privacy in the system development life-cycle process (SDLC)• Limiting collection, disclosure, sharing and use• Consequences for failing to follow privacy rules of behavior
2. PII education, training and awareness• PII definition• Applicable laws, regulations and policies• Restrictions on data collection, storage and use• Roles and responsibilities for using and protecting• Appropriate disposal• Sanctions for misuse• Recognizing a PII security or privacy incident• Retention schedules• Roles and responsibilities in responding and reporting PII incidents
PII Privacy-specific safeguards
1. Minimizing the Use, Collection and Retention of PII
2. Conducting Privacy Impact Assessment (PIA)
3. De-Identifying Information
4. Anonymizing Information
PII Security Controls
table from SP 800-18 R2Guide for Developing Security Plans for Federal Information Systems
Control Family: Access Control for PII
PII – Confidentiality impact rating examples…
Incident Response Roster Example• An organization maintains an electronic roster with contact information
of its computer incident response team members
• It makes the roster with its contact information available to all its employees on its main public web site
• In the event that an IT staff member detects any kind of security breach, standard practice requires that the staff member contact the appropriate people listed on the roster
• Because this team may need to coordinate closely in the event of an incident, the contact information includes names, professional titles, office and work cell phone numbers, and work email addresses
PII – Confidentiality Impact Rating ExampleIncident Response Roster
Identifiability: The information directly identifies a small number of individuals using names, phone numbers, and email addresses
Quantity of PII: The information directly identifies fewer than twenty individuals
Data field sensitivity: Although the roster is intended to be made available only to the team members, the individuals‘ information included in the roster is already available to the public on the agency‘s web site
Context of use: The release of the individuals‘ names and contact information would not likely cause harm to the individuals, and disclosure of the fact that the agency has collected or used this information is also unlikely to cause harm.
Access to and location of PII: The information is accessed by IT staff members who detect security breaches, as well as the team members themselves. The PII needs to be readily available to teleworkers and to on-call IT staff members so that incident responses can be initiated quickly.
Impact Rating: LOW The agency determines that unauthorized access to the roster would likely cause little or no harm, and it chooses to assign the PII confidentiality impact level of LOW
Team exercise
BYE – see you next week! Thank you! Sorry for the technical difficulties this week.
Refer to SP 800-122 Appendix A - Scenarios for PII Identification and Handling
Focus on A.2 Scenarios (pages A-1 through A-3), and… develop a systematic solution for:
1. Answering questions 1 and 2 of each scenario
2. Viewing the PII inventory of each scenario
3. Determining the commonalities and differences among the PII of the scenarios
Team exercise• Teams analyze problem + draft solutions
Refer to SP 800-122 Appendix A - Scenarios for PII Identification and Handling
Focus on A.2 Scenarios (pages A-1 through A-3), and… develop a systematic solution for:1. Answering questions 1 and 2 of each scenario2. Viewing the PII inventory of each scenario3. Determining the commonalities and differences
among the PII of the scenarios
