Restricted Data Security Standards

What is Restricted Data?

  • Social Security Number (SSN)
  • Driver’s License Number or State Identification Number
  • Financial Account Number (including credit/debit card number) or any security code, access code or password that would permit access to an individual’s financial account
  • Deoxyribonucleic Acid (DNA) Profile as defined in S. 939.74 (2d) (a)
  • Unique Biometric Data, including fingerprint, voice print, retina or iris image or any other unique physical representation
  • Protected health information (PHI) including any information about health status, provision of health care, or payment of health care

If a system processes, stores or otherwise propagates any of these six restricted data elements, it is recommended (and often required) that enhanced security controls be implemented to protect the confidentiality of that data from unauthorized disclosure and to avoid the financial and political burden of breach notifications. For some restricted data elements, organizations are required by law to comply with a specific set of data security standards and controls; for the remaining elements, the standards are set by the governing bodies of those organizations.

PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was established by the major card brands (Visa, MasterCard and others) through the PCI Security Standards Council to ensure the protection of cardholder data. This data security standard is particularly concise, practical and complete in describing a proper control environment for restricted data. The University of Wisconsin – Madison is required to comply with this standard for credit card information only.

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for safeguarding protected health information (PHI) for organizations that create, receive, maintain or transmit PHI. In March 2006, Wisconsin’s Personal Information Disclosure Act (Wis. Stat. § 134.98) took effect. This Act requires an entity to notify the subject of personal information if an unauthorized acquisition of their personal information has occurred. The University of Wisconsin – Madison is required to comply with HIPAA for any system that contains PHI.

HIPAA at the University of Wisconsin – Madison
http://hipaa.wisc.edu

Standards for the remaining restricted data elements, such as those published by the National Institute of Standards and Technology (NIST), are ones that organizations may adopt voluntarily. The University of Wisconsin – Madison does not currently require that systems which process, store or propagate restricted data other than credit card data comply with PCI DSS, but PCI DSS provides a comprehensive and useful framework for the types of controls and processes that should be implemented for any system that contains sensitive and/or restricted information.

The PCI DSS control objectives and requirements for protecting restricted data are outlined below. These controls are required for systems that handle credit card information, but they can be applied to systems that handle any of the six restricted data elements.


  1. Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect Restricted Data
    Requirement 3: Protect stored restricted data
    Requirement 4: Encrypt transmission of restricted data across open, public networks
  3. Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications
  4. Implement Strong Access Control Measures
    Requirement 7: Restrict access to restricted data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to restricted data
  5. Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and restricted data
    Requirement 11: Regularly test security systems and processes
  6. Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security

Payment Card Industry Data Security Standard (PCI DSS)

Version 3.0

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Support Documents

https://www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml

Self-Assessment Questionnaire
https://www.pcisecuritystandards.org/saq/index.shtml

Payment Application Data Security Standard (PA-DSS) Version 2

https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf