Securing Personally Identifiable Sensitive Information (PII)
Several Office of Management and Budget (OMB) mandates require government agencies to establish robust methods of securing sensitive information. Specific examples of “sensitive information” of concern include information classified as “agency confidential” and Personally Identifiable Information (PII).
Tracked PII — such as a name or social security number correlated with an address, birth date, birth place, or other specific details — can expose a person's identity to theft and fraudulent use by criminals. PII is some of the most heavily traded content on the so-called “dark web,” and one of the most popular targets for theft by hackers and network intruders.
OMB Mandates for PII Data Security
The OMB has issued a number of mandates on securing sensitive information and handling data breaches, including: OMB M-07-16, OMB M-06-19, OMB M-06-16, and OMB M-06-15. These mandates cover a number of information security procedures, including:
Securing Personally Identifiable Information (PII) and other sensitive information.
Developing and following a breach response plan to mitigate the potential consequences of a breach, such as identity theft.
Reporting all data breaches to US-CERT within one hour of discovering the incident.
Encrypting all sensitive information on desktops, laptops, and removable media like USB sticks and CDs / DVDs.
Getting to OMB Compliance
The OMB outlines a few simple and cost-effective steps that help agencies protect against accidental or intentional disclosure of sensitive information, including:
Reducing the volume of collected and retained information to the minimum necessary.
Limiting access to only those individuals who must have such access.
Using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals.