Thursday, January 29, 2009

NIST and DLP vendor opportunities

NIST has published a draft guide for protecting PII, and once the draft becomes a full standard it will shape best practices and technology choices for years to come. The NIST guide provides guidance to organizations on how they should manage PII stored or processed in their systems, based on the level of sensitivity.

If the draft becomes a released standard, organizations will use it to prove or disprove their ability to comply with best practices. Mapping technology and policies to the standard is therefore important, and it is important to understand that no single product can solve all of the issues; a set of complementary products, however, can. DLP products do help in many ways, and it would be good for DLP vendors to start defining best practices that span beyond DLP, including Identity Management, Storage, Policy, Policy management, Encryption and risk management. The statement from NIST that not all PII is to be treated the same is very telling: classifying and tagging the data would help apply the right set of controls to the high-value items without overdoing the controls for lesser-value data.

One observed issue with the NIST publication is that it defines PII but does not provide an exhaustive list. For example, the Census Bureau may specify additional types of PII that are subject to stricter handling.

NIST recommends that each organization Create Policies and Procedures, Conduct Training, De-identify PII, Employ proper Access Enforcement, Ensure Transmission Confidentiality, and Audit Events.

As with PCI, DLP might not be the full answer, but it can provide insight that helps enable compliance in some of these areas. For de-identifying PII, DLP helps by discovering the PII; it is then up to the organization to de-identify it. This is of course not a straightforward process, and it will need some thought before being implemented. With DLP, the organization learns which business units or groups are having the most issues and can focus training activities there. Likewise for creating policies and procedures: this falls into the realm of understanding the PII inventory and what the priority levels are.
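The two ideas above (tag discovered PII by sensitivity so controls match its value, then de-identify what discovery finds) as an added, constructed example; it is not code from the post or from any DLP product. The PII types, tiers, patterns and sample records are assumptions made up for the illustration.

```python
import hashlib
import hmac
import re

# Assumed sensitivity tiers per PII type: the NIST draft says not all PII is
# treated the same, so each type maps to an impact level that decides which
# control applies (the types and tiers here are constructed for the example).
TIER = {"ssn": "high", "dob": "moderate", "zip": "low"}
RANK = {"low": 0, "moderate": 1, "high": 2}

# Discovery patterns of the kind a DLP scanner uses (simplified, constructed).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "zip": re.compile(r"\b\d{5}\b"),
}

def discover_pii(text):
    """DLP-style discovery: list every (pii_type, value) found in the text."""
    return [(t, m.group(0)) for t, p in PATTERNS.items() for m in p.finditer(text)]

def classify(findings):
    """Tag a record with the highest tier among its findings ('none' if clean)."""
    tiers = [TIER[t] for t, _ in findings]
    return max(tiers, key=RANK.__getitem__) if tiers else "none"

def deidentify(text, key):
    """Apply the control matching each value's tier: high -> keyed HMAC token
    (unreadable, still linkable), moderate -> generalize to the year only,
    low -> leave as-is so controls are not overdone on low-value data."""
    for pii_type, value in discover_pii(text):
        tier = TIER[pii_type]
        if tier == "high":
            token = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
            text = text.replace(value, "tok:" + token)
        elif tier == "moderate":
            text = text.replace(value, value[:4] + "-XX-XX")
    return text

# Constructed sample records, as a DLP scan of a customer export might find.
RECORDS = [
    "Alice Smith, SSN 123-45-6789, DOB 1980-01-15, ZIP 02139",
    "Bob Jones, ZIP 94110, no other identifiers",
]

if __name__ == "__main__":
    key = b"example-hmac-key"  # constructed; a real key comes from a key manager
    for rec in RECORDS:
        print(classify(discover_pii(rec)), "->", deidentify(rec, key))
```

Running it tags the first record "high" and the second "low", and only the first record is altered: the SSN becomes an opaque token, the date of birth keeps its year, and the ZIP codes stay readable.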

The new collaboration between RSA and Microsoft for DLP solutions coupled with DRM is clearly a step in the right direction.
