Re: PII SSN question

["Jax Lion" <jv4l1n4 () gmail com>]

Working with a two non-governent companies that has requirements on
SSN handling between each.  Was hoping to find a pre-defined sets of
IT standards to follow but at best all I found is a set of best
practices for SSN protection see below.

http://www.privacy.ca.gov/recommendations/ssnrecommendations.pdf

Problem is that the rules are not pre-defined, the SSN protection
practice on company A does not match those of company B. Disagreement
over methods and process.



On 15 Aug 2007 22:00:57 -0000, levinson_k () securityadmin info
<levinson_k () securityadmin info> wrote:
> Requirements for whom?  I assume you're talking federal government.  If you're anyone else, I'm not sure there are 
> any requirements at all, because who would levy the requirements?  OMB sent out a memo about PII protection but I 
> believe that applies primarily to federal government uses only.
>
>
> RE: federal government handling of PII, the only thing I know of is here:
>
>
> www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
>
> www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf
>
> http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
>
> www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf
>
>
> I don't believe there are any government-wide requirements yet for storage of PII.  PII protection is a fairly new 
> topic for OMB / Congress / NIST, and requirements have yet to be drafted, vetted and published.  The only 
> requirements I've seen are requirements for PII that is transported externally or accessed remotely, e.g. via web 
> site, VPN, RAS, etc.  For PII that is entirely housed on one agency's internal network, policies do not exist as far 
> as I know.
>
>
> Other than that, all you have are the regular NIST / FISMA requirements for storage of all sensitive but unclassified 
> federal government systems.
>
>
> Yes, you are permitted to store PII.  You wouldn't be able to do your job without PII.  What you are not allowed to 
> do is intentionally or negligently allow improper disclosure of PII.  Since there are no requirements beyond the 
> normal requirements already levied for all of your data, I would recommend following normal best practices, e.g. 
> securely encrypting your data at rest and in transmission, physical security, authentication, patch management, etc. 
> etc. and you should be OK.
>
>
> Penalties and governance for storage of privacy information is codified in the USC Privacy Act, but I seriously doubt 
> that gives you any specifics.  In the US, I think you're generally safe from legal action and penalties from that or 
> any other infosec-related criminal or civil prosecution, as long as you are able to show that you exercised "due 
> diligence" / "due care," e.g. that your security posture was not seriously negligent/culpable and was generally 
> comparable to what other similar organizations to yours normally perform.
>
>
> www.google.com/search?q=privacy-act
>
> http://en.wikipedia.org/wiki/Privacy_Act_of_1974
>
>
>
> kind regards,
>
> Karl Levinson, CISSP
>
> http://securityadmin.info