Wednesday, January 14, 2009

Blog: NIST Draft Publication Offers Guidelines for Safeguarding Personal Data

SANS NewsBites Vol. 11 Num. 4; 1/16/2009 (January 14, 2009)

The National Institute of Standards and Technology (NIST) has released a draft of Special Publication 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information," to help government agencies decide how to best protect the information they retain. NIST makes several recommendations, including identifying and categorizing all personally identifiable information (PII) that the organization retains; limiting data retention to only what is necessary; applying a risk-based approach to data protection; and creating and implementing an incident response plan for breaches of PII. NIST is accepting public comment on the draft document through March 13, 2009.

http://gcn.com/Articles/2009/01/14/NIST-on-securing-personal-data.aspx?Page=2

http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf

[Editor's Note (Northcutt): I am a big fan of NIST, and if you can take a few minutes to read the draft and comment, broad input helps make the final work better. I think the title is wrong, however; there is less "protection" explained than "identification." They have a nice section on incident response for privacy incidents (section 5). There is a line in that section that government folks need to be aware of: PII incidents should be reported to US-CERT within an hour. They also mention the OECD guidelines in Appendix D. To this day, the OECD guidelines seem to be the clearest, most well-thought-out guidance on privacy I have seen.]
