sign in sign up
<<
Home , OurMine

Personally Identifiable Information (PII) MIS 5206 • In The News • Confidentiality Risk of Personally Identifiable Information • Team exercise • No Quiz to today https://www.theverge.com/2017/9/15/16315870/vevo-hack-celebrity-files-ourmine-posted http://thehackernews.com/2017/09/windows10-app-permissions.html https://www.schneier.com/blog/archives/2017/09/shadowbrokers_r.html http://www.independent.co.uk/life-style/gadgets-and-tech/news/-cyber-attack-world-global-destruction-money--ukraine-chernobyl-wpp-merck- wannacry-a7816036.html https://www.infosecurity-magazine.com/news/fitbit-vulnerabilities-expose/ https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security http://www.technewsworld.com/story/84818.html https://www.csoonline.com/article/3202071/security/pii-of-1-million-compromised-in-washington-state-university-safe-heist.html http://www.computerweekly.com/opinion/Security-Think-Tank-Cyber-resilience-cheaper-than-attack-recovery https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin http://money.cnn.com/2017/09/15/technology/china-bitcoin-exchanges-prices-crash/index.html http://www.technewsworld.com/story/83998.html http://www.businessinsider.com/cctv-camera-infrared-bypass-air-gap-exfiltrate-data-2017-9 https://www.darkreading.com/endpoint/how-apples-new-facial-recognition-technology-will-change-enterprise-security/a/d-id/1329908? http://www.politico.com/story/2017/09/20/sec-cybersecurity-breach-242956 https://www.washingtonpost.com/news/business/wp/2017/09/20/sec-reveals-it-was-hacked-information-may-have-been-used-for-illegal-stock- trades/?utm_term=.9e5b8baac0a5 http://www.techadvisor.co.uk/how-to/internet/what-is-dark-web-what-is-deep-web-how-can-you-access-it-3593569/ http://thehackernews.com/2017/08/hacking-secure-messenger-encryption.html http://www.securityweek.com/google-spotify-release-open-source-cloud-security-tools FIPS 199 Standards for Security Categorization

• Focuses on confidentiality, integrity and availability impacts of a security breach involving a particular information system • The impact of confidentiality breach • Not limited to PII • Focuses on overall impact to • The organization • Organizational assets • Financial loss • Individuals NIST SP 800-122 – Guide to Protecting Confidentiality of PII • Specifically focused on: • Identifying PII • Determining PII confidentiality impact level needed to supplement the FIPS 199 confidentiality impact level of an information system • Specific organizational responsibilities for safeguarding PII confidentiality • Including incident response for breaches involving PII Personally Identifiable Information (PII) Any information about an individual maintained by an agency, including:

1. Any information that can be used 2. Any other information that is linked to distinguish (i.e. identify) or trace or linkable to the identifiers listed an individual‘s identity, such as: in #1: • Date of birth • Name • Place of birth • Identifying number • Race • Address • Religion • Asset identifier • Weight • Telephone number • Geographic indicators • Personal characteristics • Medical information • Personally owned property identifiers • Educational information • Financial information • Employment information Not all PII needs to have its confidentiality protected • Including information the organization has permission or authority to release publicly • (e.g., a published phone directory of employees‘ names and work phone numbers so that members of the public can contact them directly • In this case, the PII confidentiality impact level would be not applicable and would not be used to supplement a system‘s provisional confidentiality impact level PII confidentiality breach impacts include harm to

1. An individual whose PII was the subject of a loss of confidentiality, including any negative or unwanted effects that may be damaging • Socially • Financially • Physically

Examples of types of harm to individuals include, but are not limited to, the potential for blackmail, identity theft, physical harm, discrimination, or emotional distress

2. An organization that maintains the PII, including but not limited to • Administrative burden • Financial losses • Loss of public reputation and public confidence • Legal liability Factors Determining PII Confidentiality Impact Level 1. Identifiability: How easily PII can be used to identify specific individual ? 2. Quantity: How many individuals are identified in the information (e.g., number of records) ? 3. Data Field Sensitivity: Organizations should evaluate the sensitivity of each individual PII data field, as well as the sensitivity of the PII data fields together • A MIT study demonstrated that 97% of the names and addresses on a voting list were identifiable using only ZIP code and date of birth 4. Context of Use: Purpose that provides a special meaning to particular sets of PII 5. Obligation to Protect Confidentiality: Laws, regulations, or other mandates may govern the organization’s obligations to protect personal information 6. Access to and Location of PII: Higher impacts can result to increased vulnerabilities resulting from the nature of access provided to the PII and its location during storage and transfer PII Operational Safeguards 1. PII policy and procedure creation • Access rules within a system • Retention schedules and procedures • Incident response and data breach notification • Privacy in the system development life-cycle process (SDLC) • Limiting collection, disclosure, sharing and use • Consequences for failing to follow privacy rules of behavior 2. PII education, training and awareness • PII definition • Applicable laws, regulations and policies • Restrictions on data collection, storage and use • Roles and responsibilities for using and protecting • Appropriate disposal • Sanctions for misuse • Recognizing a PII security or privacy incident • Retention schedules • Roles and responsibilities in responding and reporting PII incidents PII Privacy-specific safeguards

1. Minimizing the Use, Collection and Retention of PII 2. Conducting Privacy Impact Assessment (PIA) 3. De-Identifying Information 4. Anonymizing Information PII Security Controls

table from SP 800-18 R2Guide for Developing Security Plans for Federal Information Systems Control Family: Access Control for PII PII – Confidentiality impact rating examples…

Incident Response Roster Example • An organization maintains an electronic roster with contact information of its computer incident response team members • It makes the roster with its contact information available to all its employees on its main public web site • In the event that an IT staff member detects any kind of security breach, standard practice requires that the staff member contact the appropriate people listed on the roster • Because this team may need to coordinate closely in the event of an incident, the contact information includes names, professional titles, office and work cell phone numbers, and work email addresses PII – Confidentiality Impact Rating Example Incident Response Roster

Identifiability: The information directly identifies a small number of individuals using names, phone numbers, and email addresses Quantity of PII: The information directly identifies fewer than twenty individuals Data field sensitivity: Although the roster is intended to be made available only to the team members, the individuals‘ information included in the roster is already available to the public on the agency‘s web site Context of use: The release of the individuals‘ names and contact information would not likely cause harm to the individuals, and disclosure of the fact that the agency has collected or used this information is also unlikely to cause harm. Access to and location of PII: The information is accessed by IT staff members who detect security breaches, as well as the team members themselves. The PII needs to be readily available to teleworkers and to on-call IT staff members so that incident responses can be initiated quickly. Impact Rating: LOW The agency determines that unauthorized access to the roster would likely cause little or no harm, and it chooses to assign the PII confidentiality impact level of LOW Team exercise

BYE – see you next week! Thank you! Sorry for the technical difficulties this week.

Refer to SP 800-122 Appendix A - Scenarios for PII Identification and Handling

Focus on A.2 Scenarios (pages A-1 through A-3), and… develop a systematic solution for: 1. Answering questions 1 and 2 of each scenario 2. Viewing the PII inventory of each scenario 3. Determining the commonalities and differences among the PII of the scenarios Team exercise

1. Teams analyze problem + draft solutions: ~20 min 2. Class discussion of draft solutions: ~15 min 3. Teams implement solutions: 4. Teams present solutions: