Monday, January 19, 2009

Guide to Protecting the Confidentiality of Personally Identifiable Information

On Jan 13, 2009, NIST announced that draft Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), <http://csrc.nist.gov/publications/PubsDrafts.html> is available for public comment. The guideline has been prepared for use by Federal agencies, also referred to as organizations in the guide. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired.

SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling.

NIST requests comments on draft SP 800-122 by March 13, 2009.

The following recommendations are discussed within the document:

Organizations should identify all PII residing in their environment.

Organizations should apply the appropriate safeguards for PII based on the PII confidentiality impact level.

Organizations should minimize the collection and retention of PII to what is strictly necessary to accomplish their business purpose and mission.

Organizations should develop an incident response plan to handle breaches of PII.

Organizations should encourage close coordination among their privacy officers, chief information officers, information security officers, and legal counsel when addressing issues related to PII.

The document is organized into the following sections:

Section 2 provides an introduction to PII and lists some basic requirements involving the collection and handling of PII.

Section 3 describes factors for determining the potential impact of inappropriate access, use, and disclosure of PII.

Section 4 presents several methods for protecting the confidentiality of PII that can be implemented to reduce PII exposure and risk.

Section 5 provides recommendations for developing an incident response plan for breaches involving PII and integrating the plan into an organization’s existing incident response plan.

The following appendices are also included for additional information:

Appendix A provides samples of PII-related scenarios and questions that can be adapted for an organization’s exercises.

Appendix B presents frequently asked questions (FAQ) related to protecting the confidentiality of PII.

Appendix C contains definitions of common general terms related to private information.

Appendix D provides additional information about the Fair Information Practices that may be helpful in understanding the framework underlying most privacy laws.

Appendix E contains a FAQ pertaining to logging and verifying sensitive database extracts.

Appendix F provides a glossary of selected terms from the publication.

Appendix G contains a list of acronyms and abbreviations used within the publication.

Appendix H presents a list of resources that may be helpful to individuals in gaining a better understanding of PII, PII protection, and other related topics.