NIST SP 800-122 Draft Posted
Happened upon this notice on the NIST site:
NIST announces that draft Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), is now available for public comment. SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII’s confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling. NIST requests comments on draft SP 800-122 by March 13, 2009. Please submit comments to 800-122comments@nist.gov with “Comments SP 800-122” in the subject line.
Interestingly, for such an important and potentially far-reaching document, it does not seem to be getting much press/notice; possibly being released on Patch Tuesday has something to do with that?
Anyhow, this being an official document, it’s somewhat lengthy; at first blush, however, it does seem to be well thought-out and comprehensive. Most of the recommendations are based on common sense, at least for folks involved in the modern, IT-based data protection world. [But then again, wasn’t it Voltaire who said: Common sense is not so common.] Much of it revolves around understanding the *value* of the data one is trying to protect; this is along the lines of IBM’s data-centric security model (DCSM) discussed in late 2006, which suggests one use the business value of data to determine and implement the appropriate level of overall IT security. (*1)
The current draft version of SP 800-122 includes several areas of concern:
- Organizations should identify all PII residing in their environment. This includes all the normal types of PII such as date / place of birth, (mother’s) maiden name, SSN, credit card nos. and so forth; it also includes “personal characteristics” such as photographic image (especially of face or other distinguishing characteristic), fingerprints, handwriting, or other biometric image or template data (e.g., retina scans, voice signature, facial geometry) which may not apply to everyone out there but sure is important to us as citizens in this post-9/11 world.
- Organizations should categorize their PII by the PII confidentiality impact level. As the authors state, not all PII is created equal; they go on to suggest that several factors, including distinguishability, sensitivity, context, obligation to protect, and location / access, should be considered.
- Organizations should apply the appropriate safeguards for PII based on the PII confidentiality impact level. In suggesting a risk-based approach to protecting PII confidentiality, the authors recall this from McGeorge Bundy: “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” And here they mention something near and dear to my heart: Implementing Access Control for Mobile Devices. Amen to that!
- Organizations should minimize the collection and retention of PII to what is strictly necessary to accomplish their business purpose and mission. Another common-sensical suggestion: one should not have to protect (and pay for said protection) information which is not germane on an on-going basis. The authors remind us that OMB M-07-16 specifically requires that (US Federal) agencies review what PII they hold, reduce what they hold, schedule periodic follow-on reviews, and eliminate unnecessary PII collection and use of SSNs. This would seem to make sense for folks outside the government too, methinks.
- Organizations should develop an incident response plan to handle breaches of PII. In a world where it’s really just a matter of when, not if, and how bad, it makes sense to develop a plan to deal with some eventuality; as they say, hope for the best, plan for the worst. [Of course, this is helped greatly if one’s other plans minimize the possible impact by, say, encrypting all PII while at rest, while in motion, and when being taken off the network for whatever reason.]
- Organizations should encourage close coordination among their privacy officers, chief information officers, information security officers, and legal counsel when addressing issues related to PII. As the authors point out, [c]lose coordination of the relevant experts helps to prevent PII breaches by ensuring proper interpretation and implementation of requirements.
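As an added illustration of the first two recommendations above (identify the PII in your environment, then categorize it by confidentiality impact level), here is a small Python scanner; it is example code written for this post, not code from NIST or from SP 800-122. It finds SSN-shaped and payment-card-shaped values using format rules and the Luhn check, flags dates of birth and name fields, and then assigns an impact level from a constructed rubric. The regular expressions, the field-name heuristic for names, the sample records and the rubric are all assumptions for illustration; the guide's factors (distinguishability, sensitivity, context, obligation to protect, location/access) need human judgement that a script can only approximate.

```python
"""Toy PII discovery and confidentiality-impact triage (constructed example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Detection patterns are assumptions for illustration; real discovery tools use broader rule sets.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
DOB_RE = re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b")

# Constructed sample records with fake values; the 4111... number is a well-known test PAN.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"name": "B. Example", "dob": "1980-01-02"},
    {"name": "C. Example", "notes": "card on file 4111 1111 1111 1112"},  # fails Luhn
    {"ticket": "printer jam in room 4"},
]


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; weeds out random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_valid(ssn: str) -> bool:
    """Reject SSN-shaped strings that SSA never issues (area 000/666/9xx, zero group or serial)."""
    m = SSN_RE.fullmatch(ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_pii(record: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, pii_type) hits; values are scanned regardless of the field's name."""
    hits: List[Tuple[str, str]] = []
    for field, value in record.items():
        text = str(value)
        if any(ssn_valid(m.group(0)) for m in SSN_RE.finditer(text)):
            hits.append((field, "ssn"))
        if any(luhn_valid(m.group(0)) for m in CARD_RE.finditer(text)):
            hits.append((field, "payment_card"))
        if DOB_RE.search(text):
            hits.append((field, "date_of_birth"))
        if field.lower() in ("name", "full_name"):  # field-name heuristic, an assumption
            hits.append((field, "name"))
    return hits


HIGH_SENSITIVITY = {"ssn", "payment_card"}


def impact_level(pii_types: Iterable[str]) -> str:
    """Constructed rubric: sensitivity drives 'high'; distinguishability (name + DOB) drives 'moderate'."""
    types = set(pii_types)
    if types & HIGH_SENSITIVITY:
        return "high"
    if "name" in types and "date_of_birth" in types:
        return "moderate"
    if types:
        return "low"
    return "none"


def inventory(records: Iterable[Dict[str, str]]) -> List[dict]:
    """Build the PII inventory the guide asks for: what was found where, and how sensitive it is."""
    results = []
    for idx, rec in enumerate(records):
        hits = find_pii(rec)
        results.append({"record": idx, "hits": hits, "impact": impact_level(t for _, t in hits)})
    return results


if __name__ == "__main__":
    for row in inventory(SAMPLE_RECORDS):
        print(row)
```

Run as-is, it reports the first record as high (SSN plus card), the second as moderate (name plus date of birth), the third as low (the card number fails Luhn, so only the name counts), and the fourth as none. The point of the Luhn and SSA checks is to keep the inventory honest: a discovery pass that flags every nine- or sixteen-digit string will bury real PII in false positives and make the minimization step far harder than it needs to be.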
Although most of this seems to fall under the common sense rubric, I did learn something (on page 5-2 it is noted that: In M-07-16, OMB required Federal agencies to report all known or suspected PII breaches to US-CERT within one hour.) … so it’s been a good day.
But I do have to admit being a little concerned about the data identification prescription; as Andrew Jaquith at Forrester notes in a recent article, (*2) the classification of information “on-the-fly” is not rooted in most work processes, and in fact very few folks think in terms of taxonomies, classifications, information labels or clearance levels. Add to this the fact that so-called Discretionary Access Control (DAC) models are pervasive in the most commonly used operating systems today (Microsoft’s Windows and Apple’s OS X) and that most of us would seriously contemplate implementing a Mandatory Access Control (MAC) model, and I have to agree that this is probably just a Utopian ideal not readily attainable by most organizations. But more on that some other time.
Overall, I think this SP is well thought-out and presented, and suggest that it is applicable to anyone concerned about data protection, be they in the public or private sector. Even folks in SMBs could do with a quick review of this standard to see what quick and easy steps they could take to better prepare for the worst.
What do you think?
Chris Merritt
Lumension