New Guidelines for Safeguarding Personal Data

Happy U.S. presidential inauguration day! 🙂 Did you take a few minutes off work to watch the inauguration? I wasn’t going to, and was planning to just catch videos on the news sites or YouTube later, but then I did, and I’m glad; it was so historic and memorable!
To celebrate, how about I tell you that NIST just made a great new document available…

On January 14, 2009, the National Institute of Standards and Technology (NIST) released the draft of Special Publication 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information.”
It was written to help federal agencies protect the personally identifiable information (PII) they collect and retain, but the advice is sound for organizations of ALL types.
The Guide makes several recommendations, including identifying and categorizing the PII an organization holds, limiting PII retention to only what is actually necessary, applying a risk-based approach to protecting that data, and creating and implementing an incident and breach response plan specific to PII.
NIST is accepting public comment on the draft document through March 13, 2009.
Note that the Guide also points out that federal agencies must report incidents involving PII to US-CERT within one hour of discovering them, a requirement that comes from OMB Memorandum M-07-16.
I have long been an advocate of the OECD privacy principles. They were published in 1980, and most data protection (read “privacy”) laws and regulations are based upon their sound guidance. This NIST Guide tips its hat to the OECD privacy principles as well.
