Due to HIPAA, GLBA, banking regulations, federal and state privacy laws, privacy laws in other countries that organizations operate in, and the litany of civil suits, protecting personal data is much more of a priority for the security industry.
Most organizations find that determining what "sensitive data," is and where it resides in the enterprise is the most difficult part of this process. An organization's definition of sensitive data will typically depend on the regulations and laws that the company must comply with. The following are examples of the type of data that is called out for protection in the various regulations and laws:
|Policy Classes||Regulations||Types of Information|
|Personally Identifiable Information||California SB 1386
Other State Regulations (>20)
|Social Security Number
Date of Birth
Canadian Social Insurance Number
Canadian Drivers License Numbers
US Postal Address
Driver License Numbers for all 50 States
|Personal Credit Information||GLBA
Payment Card Industry (PCI)
|Credit Card Number
Bank Account Numbers
Other Financial Account Numbers
|Personal Health Information||HIPAA||Sexually Transmitted Disease Terms
Medical Checkup Terms
Mental Illness Terms
Cardiovascular Disease Terms
Drug Abuse Terms
Medical Procedure Terms
Sex and Pregnancy Terms
Medical Form Terms
CDT (Common Dental Terms)
CPT (Common Procedure Terms)
HCPCS (Healthcare Common Procedure Code Set)
National Provider ID
ICD-9 (International Classification of Diseases) Diseases
ICD-9 External Injuries
ICD-9 Drugs and Compounds
NDC (National Drug Codes)
|HR Violations||Internal Company Regulations||Sexual Harassment
Obscenities and Profanities
Racism SAP HR Codes
|Company Financial Information||Sarbanes Oxley
Various SEC Regulations
Web Postings to Financial Sites
|Company Intellectual Property||Transmissions to Competitors
Customer Specified IP
Web Postings to Corporate Rumor Sites
Transmissions with Attachments to Private Email Accounts
|National Security Information||ITAR
|Transmissions to Disallowed Countries
Weapons and Other Materials
FBI Most Wanted Names
FBI Most Wanted Terrorist Names
FBI Hijack Suspects
DTC Debarred Parties
**Data in spreadsheet was provided by Tablus Inc.
Of course, this is just one piece of the sensitive data equation. A company also has to identify and protect their other "sensitive data," i.e. intellectual property, trade secrets, pricing, blueprints, etc.
In an attempt to identify sensitive data at rest and in transit, many companies are turning to secure content managers like Tablus, Port Authority and Vontu. These tools search workstation and server hard drives to identify sensitive data. They can be helpful when conducting an initial search to determine what is where. Conducting an initial search allows you to properly classify the identified data and implement the correct level of access controls and encryption.
These tools also have the capability to continually search hard drives, identify new sensitive data and alert you via a central console if something violates the policy you configure. You can choose to delete, quarantine or move the data to a more appropriate place. This feature is important because new data is constantly created and old data moves around an environment, so it is important to keep track of it.
These tools also detect sensitive data in transit. It is important to know what protocols you need to monitor (SMTP, HTTP, FTP, etc.) and if you have homegrown applications that do not use common protocols, but create their own sockets and communicate directly to each other. Note, some of these products do not work with raw packets and cannot monitor this type of communication.
These tools can also send emails containing "sensitive data" to an email encryption product, as in PGP's Universal Server. Many companies use these products rather than relying on users to properly encrypt data before sending a message.
Since data travels over many different protocols, there isn't one perfect product that properly protects the data across all transmission modes. Most environments have to implement SFTP, SSL, IPsec, and either SMIME or PGP email encryption where necessary. The real work is to first identify where the data is and how it travels and then implement the right technology to protect it.
There are also data classification best practices. However, because the disciplinary levels needed after rolling out this initiative usually drops, these policies, standards and guidelines are difficult to implement and follow. This is because data owners need to be identified and educated on data classification processes and usually the necessary discipline drops off after the initial roll out of this initiative. This is why it's important to educate users and security personnel on data classification processes and procedures, and automate the protection of the data if possible. Whole disk and virtual disk products can be used on servers and workstations, and database encryption can be integrated into SQL, Oracle and other database types.
Remember, this is just one way to protect data. It is also important to implement access control, identity management, and user provisioning correctly.
As you can see, proper policies and standards are certainly important to personal data protection, but understanding and implementing the right technology at the right points of an environment is critical.
For More Information:
- Visit our Compliance All-in-One Guide to learn how to create and manage policies and meet regulatory requirements.
This was first published in June 2006