As you read the Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Draft), it looks more like the same ole’ policy: categorize, classify, protect the most important and pray for the rest!
PII should be graded by “PII confidentiality impact level,” the degree of potential harm that could result from the PII if it is inappropriately revealed. For example, an organization might require appropriate training for all individuals who are granted access to PII, with special emphasis on moderate- and high-impact PII, and might restrict access to high-impact PII from mobile devices, such as laptops and cellphones, which are generally at greater risk of compromise than non-portable devices, such as desktop computers at the organization’s headquarters.
It would be interesting to know how much these standards will cost to implement.
From the NIST announcement:
This release from DHS Secretary Napolitano indicates an opportunity to evaluate current policies and policy directions:
“One of my top priorities is to unify this department and to create a common culture. These action directives are designed to begin a review, evaluation and dialogue between the various functions of this department and me,” said Secretary Napolitano.
- DHS intends to revitalize its relationship with state, local, and tribal governments effective immediately with the intent of creating a working partnership.
- Critical infrastructure protection. — This entails extensive dealings with other federal agencies, states, and the private sector, involving collaboration, data collection, risk analysis, and sharing of best practices.
- Risk analysis. — What is the status of risk analysis metrics and what is the plan and time frame for setting up a full-blown system to govern the establishment of critical infrastructure programs, the priorities among national planning scenarios, and the distribution of grants to state, local, and tribal entities? More broadly, how can DHS enhance risk management as the basis of decision making?
- State and local intelligence sharing. Provide an evaluation of which activities hold the most promise for achieving the smooth flow of information on a real time basis.
- The inventory and evaluation should take into account the voices of all stakeholders, especially state, local and tribal entities.
- The evaluation should also consider the private sector’s perspective and its relationship to these stakeholders.
From her confirmation hearing statement:
Cyber security and the protection of the technology critical infrastructure have been a top priority in Arizona. As Attorney General, I created the Computer Crimes Unit to train law enforcement in the identification and investigation of cybercrimes; the Unit successfully prosecuted some of the first cybercrime cases in Arizona. As Governor, I created the Statewide Information Security and Privacy Office to ensure adequate controls and safeguards are in place for all State of Arizona government technology systems and business practices.
And from WhiteHouse.gov, an outline of Obama Cyber Security Policy:
Barack Obama and Joe Biden — working with private industry, the research community and our citizens — will lead an effort to build a trustworthy and accountable cyber infrastructure that is resilient, protects America’s competitive advantage, and advances our national and homeland security. They will:
- Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
- Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
- Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
- Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
- Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
- Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.
SecurityFix is a great place to watch developments in this regard.
An update to the Heartland breach:
The Heartland breach also showed that in spite of the adoption of more stringent standards and tougher oversight by banks and credit card companies, consumers are still vulnerable. All this is happening after credit card companies and merchants spent over $2 billion on establishing the Payment Card Industry standards, Ms. Litan said. “And yet the breaches continue and they get more serious.”
Standards are promoted by both industry and DHS as the means to manage the issue. So, what do you do when standards are not enough?
More from the Post on how long it took to discover how the breach was made:
Robert H.B. Baldwin Jr., president and chief financial officer of Heartland Payment Systems, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports from MasterCard and Visa in October.
Heartland called the U.S. Secret Service, which investigates financial crimes, and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software on the company’s processing network was recording payment card data as it was being sent to Heartland by thousands of the company’s retail clients.
Baldwin said Heartland does not know how the software got there, how long it was in place, or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.
According to the WSJ:
More than 40 states have laws that require businesses to disclose when sensitive information may have been accessed by an unauthorized party. In 2008, 656 such incidents were reported, according to the nonprofit Identity Theft Resource Center, up from 446 in 2007.