NIST and DLP vendor opportunities
NIST has published a draft guide for protecting PII and it will affect best practices and technology choices in years to come when the draft becomes a full standard. The NIST guide provide guidance to organizations on how they should manage PII stored or processed in their systems based on the level of sensitivity.
If the draft become a released standard, organizations will be using it to prove or disprove the ability to comply with best practices. Therefore mapping technology and policies to the standard is important, and it is important to understand that not one product can solve all of the issues. However a set of complementary products can solve it. DLP products does help in many ways, and it would be good for DLP vendors to start defining best practices that spans beyond DLP such as including Identity Management, Storage, Policy, Policy management, Encryption and risk management. The statement from NIST that not all PII is to be treated the same, is very telling, as a classification and tagging of the data would here help to apply the right set of controls for the high value items, and not overdo the controls for lesser value data.
Some observed issues with the NIST publication is that it defines PII but does not provide an exhaustive list. For example, for the Census Bureau, there may be additional types of PII that they specify are stricter.
NIST recommends that each organization Create Policies and Procedures, Conduct Training, De-identify PII, Employ proper Access Enforcement, Esure Transmission Confidentiality, and Audit Events.
So similar to PCI, DLP might not be the full answer to the story but can provide insight that helps to enable compliance for some of these areas. For de-identifying PII, DLP help by discovering PII. It is then it's up to the organization to de-identify it. This is of course not a straight forward process, and will need some thought before being implemented. With DLP, the organization gains understanding of the business units or groups that are having the most issues and concentrate or focus training activities. Likewise for create policies and procedures - this falls into the realm of understanding the PII inventory and what the priority levels are.
The new collaboration between RSA and Microsoft for DLP solutions coupled with DRM is clearly a step in the right direction.
Thursday, January 29, 2009
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment