Restricted Data Security Standards
In March 2006, Wisconsin's Personal Information Disclosure Act, 2005 Wisconsin Act 138, was passed. This Act requires an entity to notify the individuals whose personal information it holds if an unauthorized acquisition of that personal information has occurred.
What is Restricted Data?
- social security number
- driver’s license number or state identification number
- financial account number (including credit/debit card number) or any security code, access code or password that would permit access to an individual's financial account
- deoxyribonucleic acid profile as defined in S. 939.74 (2d) (a)
- unique biometric data, including fingerprint, voice print, retina or iris image or any other unique physical representation
- protected health information (any information about health status, provision of health care, or payment of health care)
Breach notification is costly, both financially and politically. Therefore, these six data elements are classified as restricted and require enhanced security controls to protect their confidentiality against unauthorized disclosure.
If a system processes, stores or otherwise propagates any of these elements, the system must implement the security controls specified in the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was established by Visa, MasterCard and the other major card brands to ensure the protection of cardholder data. It is adopted here because it is particularly concise, practical and complete in describing a proper control environment for restricted data.
The standard describes six control objectives and twelve technology and process requirements needed to protect restricted data.
- Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect restricted data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Restricted Data
Requirement 3: Protect stored restricted data
Requirement 4: Encrypt transmission of restricted data across open, public networks
- Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
Requirement 7: Restrict access to restricted data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to restricted data
- Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and restricted data
Requirement 11: Regularly test security systems and processes
- Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
More information about these controls can be found at Restricted Data Security Standards Worksheet.
Payment Card Industry (PCI) Data Security Standard
Version 1.1, September, 2006
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
Self-Assessment Questionnaire
https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf
Security Audit Procedures
https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf