Given the high-profile nature of identity theft and security breaches, there are many laws, policies, and guidelines that companies use to classify information and manage their IT systems securely. What exactly is secure data, and how should it be handled?
Classification of data is the most important step in my opinion, followed by policies on how to handle each class of data. NIST SP 800-53 is a comprehensive catalog of security controls for information systems and a good starting point for the policy side.
- Common Security Legislation Themes
- Data Classification
Common Security Legislation Themes
While there are many regulations and guidelines they all have many similar themes:
- Classify and secure data.
- Secure information systems.
- Establish security controls (limit, document, implement, assess, refine)
- Audit access to data and other information system activity
- Dispose of data appropriately for its classification
Data Classification
One of the most common mistakes I have seen in company policies is categorizing sensitive personal and confidential data the same way as data that requires secure handling. Similar to the military designations of top secret, secret, and confidential, I believe there are different types of data and that each should have separate guidelines for handling, storage, and transmission.
Secure Handling Required (SHR) Data
Like Top Secret data, any data which could be used to conduct financial or legal transactions (or to commit identity theft) should be regarded with the highest level of security. The most common and appropriate term I've seen is Secure Handling Required (SHR). SHR data is typically very small and low in volume: a handful of fields per customer record. SHR data must be secured both in transit and at rest (stored in a database or file system).
SHR Data includes the following:
- Credit and debit card numbers
- Personal banking information (account #, routing #)
- Drivers License Number
- State identification numbers
- Social Security Number (full, or the last four digits)
- Military Identification Number
- Passport Number
- Account Passwords, security codes, or access codes
Handling criteria for SHR data:
- SHR data should not be stored at rest unless required for conducting business.
- SHR data must not be transmitted in clear text (on the network, in email, or in logs).
- SHR data must not be stored in clear text.
- SHR data must be kept in a physically secure environment (locked, physically secure storage).
- Before SHR data is transmitted or stored, it must be encrypted, removed, or replaced with a token identifier; the clear-text value should exist only inside the system that owns the encryption key or token vault.
- SHR data must be destroyed using secure data destruction (physical destruction of the media, shredding, or overwriting). Note that the current DoD 5220.22-M (NISPOM) no longer specifies an overwrite pattern; NIST SP 800-88 is the current media sanitization reference. Overwriting is not reliable for SSDs and other flash media because of wear leveling, so those need cryptographic erase or physical destruction.
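The tokenization step in the list above is the one most often done badly, so here is an added example (not code from the original post) of how a record can be sanitized before it leaves the system of record: card numbers are recognized with a length check plus the Luhn mod-10 check that card networks use, SSNs by format, and each SHR value is replaced with an HMAC-derived token while the clear-text value is kept only in a vault. The vault key, the in-memory vault, the field names and the sample record are all constructed for this example; a real deployment keeps the key in an HSM/KMS and the vault in an encrypted, access-audited store.

```python
import hashlib
import hmac
import re
import secrets

# Constructed key for this example only. In production the key lives in an HSM/KMS,
# never in source code or in the same database as the tokens.
VAULT_KEY = secrets.token_bytes(32)

# The vault is the only place a clear-text SHR value exists once a record is
# sanitized. An in-memory dict stands in for an encrypted, audited store here.
_VAULT = {}


def luhn_valid(digits):
    """Luhn mod-10 check used by card networks; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value):
    """Return 'PAN' or 'SSN' for a field value that is SHR data, else None."""
    digits = re.sub(r"[ -]", "", value)
    if re.fullmatch(r"\d{13,19}", digits) and luhn_valid(digits):
        return "PAN"
    if re.fullmatch(r"\d{3}-?\d{2}-?\d{4}", value):
        return "SSN"
    return None


def tokenize(value, kind):
    """Replace an SHR value with a token; store the clear text only in the vault.

    The token is an HMAC over the value, so the same card always maps to the
    same token (downstream systems can still join on it) but nobody without the
    key can recover the value. Anyone holding the key could still brute-force
    the PAN space, which is why the key must be guarded as tightly as the vault.
    Only card numbers keep their last four digits; the author's policy treats
    even a four-digit SSN fragment as SHR, so SSN tokens expose nothing.
    """
    digits = re.sub(r"[ -]", "", value)
    mac = hmac.new(VAULT_KEY, f"{kind}:{digits}".encode(), hashlib.sha256).hexdigest()[:16]
    suffix = digits[-4:] if kind == "PAN" else "xxxx"
    token = f"tok_{kind.lower()}_{mac}_{suffix}"
    _VAULT[token] = digits
    return token


def detokenize(token):
    """Only the service that owns the vault should be able to call this."""
    return _VAULT[token]


def sanitize_record(record):
    """Return a copy of the record safe to store or transmit, plus the SHR field names."""
    clean = {}
    shr_fields = []
    for name, value in record.items():
        kind = classify(value) if isinstance(value, str) else None
        if kind:
            clean[name] = tokenize(value, kind)
            shr_fields.append(name)
        else:
            clean[name] = value
    return clean, shr_fields


# Constructed sample record; the card number is the standard Visa test PAN.
SAMPLE_RECORD = {
    "customer": "A. Example",
    "card": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
    "email": "a@example.com",
    "order_total": "1999",
}

if __name__ == "__main__":
    clean, shr = sanitize_record(SAMPLE_RECORD)
    print("SHR fields:", shr)
    print("sanitized:", clean)
    print("vault lookup:", detokenize(clean["card"]))
```

Because `order_total` is four digits it fails both the length and Luhn checks and passes through untouched, while the card and SSN fields are the only ones that get tokens. Everything outside the vault (application database, logs, email, analytics) sees only the `tok_...` values, which satisfies the "not stored or transmitted in clear text" rules without forcing every downstream system to handle encryption keys.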
Sensitive Personal and Confidential Information (PCI)
(The abbreviation PCI is used here for this classification; it is not the same thing as the PCI DSS card-processing standard listed later.) Many policies use the term Sensitive Personal Information instead of Secure Handling Required. I believe these warrant separate classification and handling guidelines. For example, HIPAA limits disclosure and requires physical safeguards, but it treats encryption of this data as an "addressable" specification rather than a mandatory one. Sensitive Personal Information, while typically private, usually can't be used on its own to conduct financial or legal transactions or to commit identity theft.
Any sensitive information which can be associated with a specific individual and their financial or health transactions should be considered confidential. The financial or health transactions themselves are typically not at risk when they are aggregated or contain no personally identifiable information; they become sensitive and confidential when they can be tied to a specific individual.
Sensitive Personal and Confidential data includes the following:
- Protected Financial information that can be used to identify an individual.
- Protected Health information (PHI), including physical or mental health conditions, or services in the past, present, or future that can be used to identify an individual.
- Racial or ethnic origins.
- Political or religious beliefs.
Handling for PCI data:
- PCI data should never be left unattended.
- Devices holding PCI data should be secured with power-on passwords and screen savers that lock automatically.
- Policies should be in place for customer notification if media containing PCI data is lost or stolen.
- PCI data should be kept in a physically secure environment.
- PCI data should be destroyed in an appropriate manner (shredding or overwriting; a plain format is not sufficient because it leaves the data recoverable).
It may be considered a breach of privacy to disclose personal information, but this type of information is typically shared in the normal conduct of business.
In some cases, information that is gathered and can be associated with a specific individual is also personal information (a list of searches entered, or products purchased).
Personal information should be defined by a company policy, but includes:
- Information which personally identifies an individual
- Customer User names
- Customer names, email address, billing addresses, and phone numbers
Company confidential data is defined by a company policy, but typically includes:
- Personnel information
- Proprietary information
- Company key financial information
- Company security policies
Internal information is defined by a company policy, but typically includes:
- Unrestricted use within the company
- Personnel directories
- Internal policies and procedures
- Most internal electronic mail messages
- Any information not classified as secure handling data required, personal and confidential, or company confidential
Public information is defined by a company policy, but should include information specifically approved for public release by a designated authority within the company.
Key US Regulations and Standards
- Payment Card Industry Data Security Standard (PCI DSS) – the card brands' standard for credit and debit card processing; it sets requirements for protecting cardholder data at rest and in transit.
- Health Insurance Portability and Accountability Act (HIPAA) – requires that consumer medical data be kept secure and private.
- Sarbanes-Oxley (SOX) – requires an audit record of changes made to financial data so that fraud and the overriding of controls can be prevented or detected.
- Fair Credit Reporting Act (FCRA) – regulates the collection, dissemination, and use of consumer credit information.
- Gramm-Leach-Bliley Act (GLBA) – requires financial institutions to protect the privacy of consumer financial information and to guard against foreseeable threats to its security and integrity.
Other Related Regulations or Guidelines
- Federal Information Security Management Act (FISMA) – requires federal government agencies to conduct annual security reviews.
- ISO/IEC 27002:2005 – code of practice for information security controls (the renumbered successor of ISO/IEC 17799:2005).
- J-SOX – the Japanese equivalent of Sarbanes-Oxley.
- SB 1386 – a California law regulating personal information and requiring disclosure when it is exposed by a security breach.
- NIST SP 800-53 / ISO/IEC 17799:2005 – catalogs of information security and management controls for computer systems.
- Department of Defense 5220.22-M – historically cited for its data overwrite standard for secure deletion or disposal; the current edition no longer specifies overwrite patterns, and NIST SP 800-88 is the current sanitization reference.
- FTC Red Flags Rule – requires programs to detect the warning signs of identity theft.
- Statement on Auditing Standards No. 70 (SAS 70) – service-provider audits used to demonstrate compliance with GLBA requirements (since superseded by SSAE 16/18 SOC reports). SAS 70 is similar in nature to the BITS security criteria.
- BITS – outlines a review of company policies for security, information systems, physical facilities, human resources, business continuity, and security incident response.
Resources
- Payment Card Industry Data Security Standard
- Health Insurance Portability and Accountability Act
- Secure POS Vendor Alliance
- FTC Red Flags Rule
- Department of Defense 5220.22-M
- Statement on Auditing Standards No. 70
- NIST SP 800-53
- ISO/IEC 17799:2005
- California Office of Information Security and Privacy Protection – Consumer Privacy
- Protecting Personal Information: A Guide for Business
- Information Sensitivity