Security Basics mailing list archives
Re: PII SSN question
From: "Jax Lion" <jv4l1n4 () gmail com>
Date: Thu, 16 Aug 2007 11:48:17 -0400
I am working with two non-government companies that have requirements on SSN handling between each other. I was hoping to find a pre-defined set of IT standards to follow, but at best all I found is a set of best practices for SSN protection; see below.

http://www.privacy.ca.gov/recommendations/ssnrecommendations.pdf

The problem is that the rules are not pre-defined: the SSN protection practices of company A do not match those of company B. Disagreement over methods and process.

On 15 Aug 2007 22:00:57 -0000, levinson_k () securityadmin info <levinson_k () securityadmin info> wrote:
Requirements for whom? I assume you're talking about the federal government. If you're anyone else, I'm not sure there are any requirements at all, because who would levy the requirements? OMB sent out a memo about PII protection, but I believe that applies primarily to federal government uses only.

RE: federal government handling of PII, the only things I know of are here:

www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf
http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf

I don't believe there are any government-wide requirements yet for storage of PII. PII protection is a fairly new topic for OMB / Congress / NIST, and requirements have yet to be drafted, vetted and published. The only requirements I've seen are requirements for PII that is transported externally or accessed remotely, e.g. via web site, VPN, RAS, etc. For PII that is entirely housed on one agency's internal network, policies do not exist as far as I know. Other than that, all you have are the regular NIST / FISMA requirements for storage of all sensitive but unclassified federal government systems.

Yes, you are permitted to store PII. You wouldn't be able to do your job without PII. What you are not allowed to do is intentionally or negligently allow improper disclosure of PII. Since there are no requirements beyond the normal requirements already levied for all of your data, I would recommend following normal best practices, e.g. securely encrypting your data at rest and in transmission, physical security, authentication, patch management, etc. etc., and you should be OK.

Penalties and governance for storage of privacy information are codified in the USC Privacy Act, but I seriously doubt that gives you any specifics.

In the US, I think you're generally safe from legal action and penalties from that or any other infosec-related criminal or civil prosecution, as long as you are able to show that you exercised "due diligence" / "due care," e.g. that your security posture was not seriously negligent/culpable and was generally comparable to what other organizations similar to yours normally perform.

www.google.com/search?q=privacy-act
http://en.wikipedia.org/wiki/Privacy_Act_of_1974

kind regards,
Karl Levinson, CISSP
http://securityadmin.info
Current thread:
- PII SSN question Jax Lion (Aug 15)
- <Possible follow-ups>
- Re: PII SSN question levinson_k (Aug 16)
- Re: PII SSN question Jax Lion (Aug 16)
- Re: PII SSN question levinson_k (Aug 16)
- RE: PII SSN question Jay (Aug 16)