What is Restricted Data?
- Social Security Number (SSN)
- Driver’s License Number or State Identification Number
- Financial Account Number (including credit/debit card) or any security code, access code of password that would permit access to an individual’s financial account
- Deoxyribonucleic Acid (DNA) Profile as defined in S. 939.74 (2d) (a)
- Unique Biometric Data, including fingerprint, voice print, retina or iris image or any other unique physical representation
- Protected health information (PHI) including any information about health status, provision of health care, or payment of health care
If a system processes, stores or otherwise propagates any of these six restricted data elements, it is recommended (and often times required) that enhanced security controls are implemented to protect its confidentiality from unauthorized disclosure and avoid the financial and political burden of breach notifications. Organizations are required by law be in compliance with a specific set of data security standards and controls for some restricted data elements; while standards for the remaining data elements are dictated by the governing bodies of those organizations.
The Payment Card Industry Data Security Standard (PCI DSS) was established by the VISA, MasterCard and other card associations to ensure the protection of credit card data. This data security standard is particularly concise, practical and complete in describing a proper control environment for restricted data. The University of Wisconsin – Madison is required to comply with these sets of standards for credit card information only.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting protected health information (PHI) for organizations who create, receive, maintain or transmit PHI. In March 2006, Wisconsin’s Personal Information Disclosure Act (statute Section 134.98), was passed. This Act requires an entity to notify the subject of personal information if an unauthorized acquisition of their personal information has occurred. The University of Wisconsin – Madison is required to comply with HIPAA laws for any system which contain PHI.
HIPAA at the University of Wisconsin – Madison
Standards for the remaining restricted data elements, such as those set by the National Institute of Standards and Technology (NIST), are ones which organizations may adopt. The University of Wisconsin – Madison does not currently require that systems which process, store or propagate any restricted data comply with the PCI DSS standards unless it is credit card data, but it does provide a comprehensive and useful framework for the types of controls and processes that should be implemented for any system that contains sensitive and/or restricted information.
Below outlines the PCI DSS control objects and requirements for protecting restricted data. These controls are required for systems with credit card information, but can apply for any of the six restricted data elements.
- Build and Maintain Network a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Restricted Data
Requirement 3: Protect stored restricted data
Requirement 4: Encrypt transmission of restricted data across open, public networks
- Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
Requirement 7: Restrict access to restricted data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to restricted data
- Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and restricted data
Requirement 11: Regularly test security systems and processes
- Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Payment Card Industry Data Security Standard (PCI DSS)
Security Audit Procedures Version 2