Sensitive Data Best Practices

What is Sensitive Data?

Students, faculty, and staff interact with data on a daily basis. It is important to understand that all data cannot be treated equally in terms of how we store, share, and dispose of it. LSU categorizes data in three ways:

How can I protect Sensitive Data?

Encryption is the most effective way to protect your data from unauthorized access. Encryption can be defined as transforming the data into an alternative format that can only be read by a person with access to a decryption key. There are various resources available to encrypt data that you store on your machine. Some readily available options include BitLocker on the Microsoft Windows platform and FileVault for Mac OS X. More information can be found in the following article: https://grok.lsu.edu/Article.aspx?articleid=6983.

If you are transmitting sensitive data, you must use an encrypted communication channel. For web-based transmission, always ensure that the web site is protected by SSL. For FTP transmissions, make sure you are using a secured variety of the protocol (i.e. SFTP or FTPS). Another convenient option at LSU is FilestoGeaux, which is a web-based service that allows LSU users to upload files they want to share to a secure LSU web server.

How should I dispose of sensitive data?

Eventually it may become necessary to dispose of data or devices containing LSU data. When doing so, remember the following:

Additional Guidelines

Here are some additional things to consider when dealing with LSU data:

If you have any doubts or questions about confidential information, please reach out to ITSP at .

Matthew Metheny, in Federal Cloud Computing (Second Edition), 2017

PII refers to information that can be used to distinguish or trace an individual’s identity, such as their name, Social Security number, biometric records, and so on, alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, and so on [9]. PII can include the following types of information:

• Name.
• Social Security number.
• Date and place of birth.
• Mother’s maiden name.
• Biometric records.
• Education.
• Financial transactions.
• Medical history.
• Criminal or employment history and information, which can be used to distinguish or trace an individual’s identity.

OMB has established a number of governing policies for federal agencies relating to PII over the years. Table 4.4 provides a list of applicable privacy-related policies that must be adhered to by federal agencies.

Table 4.4. Federal Privacy-Related Policies

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128097106000044

Teamwork Prep for Data Management
Ann D. Zeigler, Ernesto F. Rojas, in Preserving Electronic Evidence for Trial, 2016

Personally Identifiable Information (PII) Restrictions

“Personally identifiable information” (PII) includes, for example, birth dates, names of under-age individuals, addresses, passport numbers, health care information, social security/medicare numbers, driver’s license numbers, bank account numbers, and similar personal information. As a quick rule of thumb, if you think it probably has value to identity thieves, it should be treated as PII.

If information relevant to the case contains PII as defined by federal law and regulations, or other personal information, these particular elements of the information must be protected from disclosure. Unless required by a specific court order, all PII must be taken out of the ESI before it is produced to opposing parties. All federal trial courts have standing orders that require PII to be blocked in all documents filed with the court, because the information in those documents becomes a public record. The courts also restrict use of documents as evidence offered in court unless all PII has been redacted (covered up) or otherwise blocked.

We note in passing that some software programs that purport to redact or otherwise conceal PII in electronic documents are ineffective, for the simple reason that the person viewing the document can use many common word-processing programs to cancel the blocking instruction. Be warned.

Even worse, in this author’s experience in forensic examination of digital evidence, I have from time to time received ESI containing medical records, social security numbers, drivers’ licenses, and other personal information from the opposing party’s business records, when that content was not requested nor required to resolve the case.

It was clear to me that the personal information was produced due to improper processing techniques by less than competent forensic consultants and/or IT personnel ignorant about that requirement. It is important that the work of forensic consultants be reviewed by the attorneys before producing it to the opposing party, on a sampling basis at a minimum, to be sure that industry and regulatory guidelines and federal law are not violated in the production of ESI.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128093351000075

Application Data in the Cloud
Aaron Wheeler, Michael Winburn, in Cloud Storage Security, 2015

2.1.3.3 Personally Identifiable Information (PII)

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128029305000022

Security and Privacy in LTE-based Public Safety Network
Hamidreza Ghafghazi, ... Carlisle Adams, in Wireless Public Safety Networks 2, 2016

11.3.2.2.1 Personally identifiable information

Many countries have defined PII and have set rules and regulations to determine how PII should be treated. In the Privacy Act (PRIact), for instance, personal information is defined as “information about an identifiable individual that is recorded in any form”. Similarly, in the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information is defined as “information about an identifiable individual”. This definition is a little bit more general since the information does not need to be recorded to be considered PII. Finally, in the technology environment, PII is defined as “any piece of information which can potentially be used to uniquely identify, contact or locate a single person”.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781785480522500116

Compliance
Aaron Wheeler, Michael Winburn, in Cloud Storage Security, 2015

4.1 Legal Responsibility When Handling Other People’s Data

There are a number of state and federal laws and regulations that must be considered when moving data to the cloud. What laws apply depends on the type of business and the type of data that the business collects, stores, and maintains. The majority of these laws focus on the protection of personally identifiable information (PII).

The National Institute of Science and Technology (NIST) defines PII as, “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information” (NIST, 2015). Note that this definition uses the word “agency” and is intended primarily for US federal government agencies, but other organizations may find the definition useful.

Examples of PII include, but are not limited to:

• Name, such as full name, maiden name, mother’s maiden name, or alias
• Personal identification number, such as social security number (SSN), passport number, driver’s license number, taxpayer identification number, or financial account or credit card number
• Address information, such as street address or email address
• Personal characteristics, including a photographic image (especially of the face or other identifying characteristics), fingerprints, handwriting, or biometric data (e.g., retina scan, voice signature, facial geometry)
• Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

The US federal government has enacted a number of laws that regulate the collection, transmittal, storage, and maintenance of PII. Many states have also enacted state laws that impact storage and use of PII. While these laws focus mainly on specific business sectors, such as the healthcare and financial industries, services provided by cloud storage providers must adhere to the same laws and regulations as the businesses that use them for storage of PII.

This section will focus on four US federal laws that govern or impact data storage in the cloud. These include:

HIPAA – The Health Insurance Portability and Accountability Act of 1996 establishes federal standards for protecting patients’ health information. Entities that have access to medical data are required to protect the privacy of patient information by adhering to prescribed guidelines.

Dodd-Frank – The purpose of the Dodd-Frank Wall Street Reform and Consumer Protection Act is to “promote the financial stability of the United States by improving accountability and transparency in the financial system, to end ‘too big to fail’, to protect the American taxpayer by ending bailouts, to protect consumers from abusive financial services practices, and for other purposes” (Dodd-Frank, 2010). To achieve these goals, organizations must collect, store, maintain, and provide search capabilities for all communication records relating to transactions.

GLBA – The Gramm–Leach–Bliley Act, also known as the Financial Services Modernization Act of 1999, requires financial institutions to establish standards for protecting the security and confidentiality of customer non-public personal information.

SOX – The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act, was established to regulate the financial practices of US public companies to protect against fraud. Part of the SOX Act directly affects data storage that includes the preservation and accuracy of electronic records, the recommended retention period for record storage, and the types of business records that SOX rules apply to, which includes all communications.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128029305000046

The Government Gets Involved
Kelly C.
Bourne, in Application Administrators Handbook, 2014

22.5 Protecting Personally Identifiable Information

Personally Identifiable Information (PII) is information that can be used to uniquely identify an individual. If a criminal obtains the personally identifiable information of someone it makes stealing their identity a very real possibility. For this reason, there are laws regulating the types of protection that organizations must provide for it.

The laws on protecting PII vary from country to country. If your organization does business in multiple countries, you should know the rules for each of them.

Examples of information that constitute PII include:

• An individual’s full name, if that name isn’t common
• A national identity number in countries where such numbers are issued
• In the United States a Social Security Number
• Passport number
• A driver’s license number
• Credit card numbers
• Date of birth
• Birthplace
• Biometric information such as fingerprints, iris scans, and facial geometry
• Home and personal cell telephone numbers
• Mother’s middle and maiden names
• Military records

Some common industry recommendations for how PII should be secured include:

• If PII is stored on workstations or mobile devices it must be encrypted using a FIPS 140-2 certified encryption module
• PII stored electronically should only be accessible with access controls like User IDs and passwords
• PII stored on network drives or databases should be available on a need to know basis
• When extracts are created from PII databases, the activity should be logged including the creator, date, and the type of information extracted
• PII transmitted over the Internet must be encrypted
• PII that is transmitted by e-mail needs to be encrypted

Questions regarding PII that an Application Administrator should be able to answer include:

• Does the application you’re supporting include PII?
• Are you adhering to industry best practices to protect personally identifiable information?
• What do you have to do to prove that you’re following industry best practices?
• Have the application and/or your processes been audited?
• Is your data encrypted?
• If so where is it encrypted? On the disk, in-flight or both?
• What type of encryption is being used, for example, DES, 3DES, AES, RSA?
• How many bits are used in the encryption algorithm?
• How are the encryption keys managed?
• Are your backup tapes encrypted?
• Do you audit the security of your contractors?
• Do you audit the security of firms that work is outsourced to?
• Do you audit the security of your offsite storage vendor?

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780123985453000224

Domain 9
Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

Privacy Act of 1974

All governments have a wealth of personally identifiable information on their citizens. The Privacy Act of 1974 was created to codify protection of U.S. citizens’ data that is being used by the federal government. The Privacy Act defined guidelines regarding how U.S. citizens’ personally identifiable information would be used, collected, and distributed. An additional protection was that the Privacy Act provides individuals with access to the data being maintained that is relative to them, with some national security-oriented exceptions.

Note

The recent developments of breach notification laws are associated with personal data privacy concerns. The push for mandatory notification of persons whose personal data has been, or is likely to have been, compromised started with state laws. There are currently close to 40 states that have passed breach notification laws, though they can differ markedly. At the time of the writing of this book, there was no federal breach notification legislation, but there have been several bills proposed over time in both the U.S. House and Senate. Additional details about breach notification laws will be discussed later in the chapter in the U.S.
Breach Notification section of important laws and regulations.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597499613000108

Domain 10
Eric Conrad, in Eleventh Hour CISSP, 2011

Privacy

One of the unfortunate side effects of the explosion of information systems over the past few decades is the loss of privacy. As more and more data about individuals is used and stored by information systems, the likelihood of it being inadvertently disclosed, sold to a third party, or intentionally compromised by a malicious insider or third party increases.

Privacy act of 1974

All governments have a wealth of personally identifiable information about their citizens. The Privacy Act of 1974 was created to codify protections of U.S. citizens' data that is used by the federal government. It defines guidelines regarding how citizens' personally identifiable information can be used, collected, and distributed. An additional protection allows individuals to have access to the data related to them, limited only by some national security-oriented exceptions.

European union privacy

The European Union has taken an aggressive pro-privacy stance while balancing the needs of business. Commerce would be impacted if member nations had different regulations regarding the collection and use of personally identifiable information. Therefore, the EU Data Protection Directive allows the free flow of information tempered by consistent protections of the data belonging to the citizens of each member nation.

Fast Facts

The principles of the EU Data Protection Directive are

▪ Notifying individuals regarding how their personal data is collected and used
▪ Allowing individuals to opt out of sharing their personal data with third parties
▪ Requiring individuals to opt in to sharing their most sensitive personal data
▪ Providing reasonable protections for personal data

OECD privacy guidelines

The Organization for Economic Cooperation and Development (OECD), although often considered exclusively European, consists of 30 member nations from throughout the world. In addition to prominent European countries, those members include such countries as the United States, Mexico, Australia, Japan, and the Czech Republic. The OECD is a forum for discussion of issues that impact the global economy. It routinely issues consensus recommendations that can serve as an impetus to changes in current policy and legislation in the OECD member countries and beyond.

EU-U.S. safe harbor

An interesting aspect of the EU Data Protection Directive is that the personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries beyond the EU unless the receiving country is perceived by the EU to have adequate data protection laws. This presents a challenge regarding the sharing of data with the United States, which is perceived to have less stringent privacy protections. To resolve this issue, the United States and the European Union created the safe harbor framework to give U.S. organizations the benefit of authorized data sharing. To be part of the Safe Harbor, U.S. organizations must voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597495660000102

Operational Activities
Kelly C.
Bourne, in Application Administrators Handbook, 2014

14.1.1.5 Encryption

If your data contains PII (Personally Identifiable Information), then the backup media should be encrypted. This is especially true if it is being stored off-site. There are regular stories in the trade press about backup tapes that get misplaced. If they aren’t encrypted, then any data on them is readily available to whoever found, or stole, the media.

What form of encryption is being used? Is it strong enough to keep the bad guys at bay? The field of security and encryption is changing on a daily basis. Any guidelines that I could write today will be outdated before this book hits the shelf. Your best course of action is to consult with experts regarding what encryption algorithm and key size should be chosen and deployed.

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780123985453000145

Privacy
Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Information Management

The Privacy Act requires agencies to safeguard personally identifiable information contained in systems of record against threats to confidentiality and integrity. The law refers generally to “appropriate administrative, technical, and physical safeguards” [40], all of which can be addressed using the reference set of security controls contained in Special Publication 800-53 [23]. With respect to the integrity of PII contained in agency systems of records, the language in the Privacy Act focuses on the correctness or validity of the information, which should be accurate, complete, current, and relevant to the purposes for which the information was collected and will be used [51]. It is important for system owners and information system security officers to identify and incorporate privacy protection requirements and objectives during the process of selecting appropriate security controls for the system, as agencies can be held accountable for failing to comply with the provisions of the Privacy Act due to insufficient or ineffective security controls to protect privacy [52].

Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000163

What is information transmitted with encryption?

Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext.

Is press release data sensitive information?

A: A press release is not considered sensitive or classified data.

What includes any data that could potentially identify a specific individual?

Personally identifiable information (PII) refers to any information that could potentially identify a specific individual (or enable someone to contact that individual). It includes 'linked' information such as an individual's name, home address, email address, government-issued ID number, etc.

What is the process of extracting large amounts of data from a website and saving it to a spreadsheet or computer multiple choice question?

Web scraping is an automatic method to obtain large amounts of data from websites. Most of this data is unstructured data in an HTML format which is then converted into structured data in a spreadsheet or a database so that it can be used in various applications.