Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 48

Many information security professionals are too well aware of personally identifiable information (PII) and the needs in ethics and law to protect its privacy. If you've not worked in the financial services sector, you may not be aware of the much broader category of nonpublished personal information (NPI). The distinction between these two seems simple enough:

 PII is that information that is used to identify, locate, or contact a specific person.

 NPI is all information regarding that person that has not been made public and is not required to be made public.

However, as identity and credential attacks have grown in sophistication, many businesses and government services providers have been forced to expand their use of NPI as part of their additional authentication challenges, when a person tries to initiate a session with them. Your bank, for example, might ask you to confirm or describe some recent transactions against one of your accounts, before they will let a telephone banking consultation session continue. Businesses may issue similar authentication challenges to someone calling in, claiming to be an account representative from a supplier or customer organization.

Three important points about NPI and PII need to be kept in mind:

 Legal definitions are imprecise and subject to continuous change. Many different laws, in many jurisdictions, may directly specify what types of information are considered as PII or NPI. Other laws may make broad categorical statements about what is or is not PII or NPI. These laws are updated often and subject to review by the courts in many nations.

 Doing business in a jurisdiction does not require physical presence there. If your organization has one customer or supplier in a jurisdiction – possibly even a single prospective such relationship – that government may consider its laws and regulations now apply to you. Ignoring this is a frequent and costly mistake that many businesses make.

 Persons include companies and organizations as well as natural people. Businesses and organizations share significant quantities and types of information with each other, much of which they do not wish to have made public. Privacy considerations and the need for information security protections apply here, as well as they do to data about individual people.

It may be safest to treat all data you have about any person you deal with as if it is NPI, unless you can show where it has been made public. You may then need to identify subsets of that NPI, such as health care, education, or PII, as defined by specific laws and regulations, that may need additional protections or may be covered by audit requirements.