Customer Proprietary Network Information (CPNI)
Sensitive data collected by telecommunication companies based on a consumer’s phone activities such as destination, duration of the call and date and time. The Federal Communications Commission (FCC) regulates how CPNI can be used to ensure data privacy.
Dark Data
Any data within your organization that is not being used. Gartner defines it as “the information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes.” Examples include log files, account information, former employee data, raw survey data and email correspondence. Because dark data is likely to contain sensitive, proprietary information, failing to manage or protect it effectively can lead to serious security risks and costly data breaches.
Data Classification
Involves assigning different levels of sensitivity to different types of organizational data to ensure that the most sensitive data is the most secure. It also makes data easier to locate and retrieve. As the potential impact of having the data stolen moves from low to high, the classification level becomes higher and more restrictive. Assigning a level to files and data elements helps you make critical decisions regarding where data is stored, how it is used, and how you can best protect your most valuable data assets. For example, data might be classified as internal, confidential, regulatory, top secret or public.
Data Classification Tools
Tools that help organizations protect their data by assigning a level of sensitivity to each piece of information and categorizing it based on corporate security policies. Traditional data classification tools were regarded as manual, cumbersome and tedious, but new technologies provide automated, persistent data classification, increasing ease of use and employee adoption.
Data Lifecycle Management (DLM)
The process of managing the flow of data throughout the useful “life” of that data. The data lifecycle consists of several phases, including creation, storage, use, sharing, archive and deletion. The lifecycle crosses different applications, databases and storage media. From a data security perspective, managing your data throughout its lifecycle is the foundation of a sensitive data protection strategy and helps you determine where to apply security controls.
Data Loss Prevention (DLP)
Solutions designed to prevent data breaches by identifying, classifying and protecting sensitive data while in motion, in use and at rest. Data-in-motion DLP applications are typically installed at network egress points near the perimeter while data-at-rest DLP solutions run on end-user workstations or servers and identify, classify and protect data across its lifecycle—from creation, to use, storage and deletion.
Data Minimization
The process of limiting the collection of sensitive data such as personally identifiable information (PII) and protected health information (PHI) to what is directly relevant and necessary to accomplish a specific purpose, and retaining it only as long as necessary to fulfill that purpose.
Data Privacy or Information Privacy
The privacy and protection of personal data such as credit card data, Social Security numbers and medical records. Data privacy laws help reduce sensitive information exposure, unauthorized access to personal data and potential breaches.
Data Residency or Data Sovereignty
States that sensitive data is regulated by the laws of the country in which it is stored. As organizations move to cloud computing, they are subject to compliance requirements of the geographic location where the data is stored, increasing data privacy and protection complexities.
The practice of ensuring that data such as Social Security and credit card numbers is protected from unauthorized access and breaches.
Digital Rights Management (DRM)
The process of controlling access, usage and redistribution of copyrighted digital data.
Family Education Rights and Privacy Act (FERPA)
A federal law that protects the privacy of educational records, including name, address, Social Security numbers and any other information that makes it easy to trace the identity of a student. It applies to all schools that receive U.S. Department of Education funding.
Federal Information Security Management Act (FISMA)
U.S. legislation that requires federal agencies to improve security and protect government sensitive data and assets against breaches.
Gramm-Leach-Bliley Act (GLBA), aka the Financial Services Modernization Act of 1999
A U.S. law that requires financial institutions—defined as businesses providing financial products or services—to protect sensitive information. The law regulates the collection and disclosure of private financial data and the implementation of security programs to protect that data. The law also requires businesses to share their information-sharing practices with their clients.
Governance, Risk Management and Compliance (GRC)
An integrated approach to achieving high standards in three overlapping strategic corporate categories: governance, risk management and compliance.
Health Insurance Portability and Accountability Act (HIPAA)
A law passed by Congress in 1996 that requires healthcare providers to develop and follow policies that ensure the security of protected health information (PHI). It also gives patients rights over their medical data, including rights to obtain a copy of their records.
Information Lifecycle Management (ILM)
An approach to managing a storage infrastructure and the data it maintains throughout the data lifecycle—from creation to use to archive and deletion—according to corporate security policies.
National Provider Identifier (NPI)
A unique, HIPAA-mandated 10-digit identifier for health care providers and health plans.
Payment Card Industry Data Security Standard (PCI DSS)
A proprietary information-security standard designed to ensure that businesses handling credit card information maintain a secure environment.
PCI DSS Compliance
Complying with the provisions of the Payment Card Industry Data Security Standard (PCI DSS). Any business involved in processing, transmitting or storing credit card information must comply.
Protected Health Information (PHI)
Sensitive data in a medical record that can be used to identify an individual and must be protected. HIPAA defines PHI with 18 identifiers. Depending on the combination of identifiers that are part of a person’s record, it could be classified as PHI or not.
Personally Identifiable Information (PII)
Any information that can be used to trace the identity of an individual such as Social Security number, date of birth, medical and financial data.
Sensitive Data
Any data that, if lost, stolen or exposed, could harm an individual or an organization and should therefore be protected from unauthorized access.
Sensitive Data Discovery
Finding sensitive data, including PII, PHI, cardholder data covered by PCI DSS and other organization-specific data, across an entire organization in order to protect that data from potential harm.
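As an added illustration of the data classification and sensitive data discovery entries above (example code written for this glossary, not a product's own scanner), the following scans a constructed set of stored records for cardholder numbers and Social Security numbers and assigns each record the most restrictive level the glossary's classification ladder implies. The detectors, sample records and level names are assumptions for the example.

```python
import re

# Constructed detectors for two identifier types the glossary names:
# cardholder data (PCI DSS) and Social Security numbers (PII). The
# patterns are illustrative, not a complete discovery rule set.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_identifiers(text: str) -> set:
    """Return the set of identifier classes discovered in one record."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("PCI")
    if SSN_RE.search(text):
        found.add("PII")
    return found

def classify(text: str, is_public: bool = False) -> str:
    """Map discovered identifiers to the glossary's levels, most restrictive first."""
    ids = find_identifiers(text)
    if "PCI" in ids:
        return "regulatory"     # cardholder data falls under PCI DSS
    if "PII" in ids:
        return "confidential"
    return "public" if is_public else "internal"

def scan_store(records: dict) -> dict:
    """Classify every record in a name -> contents mapping."""
    return {name: classify(body) for name, body in records.items()}

# Constructed sample records; the card number is the usual Luhn-valid test value.
SAMPLE = {
    "survey.csv": "respondent 42 rated the product 4/5",
    "hr_export.txt": "former employee SSN 123-45-6789 retained since 2015",
    "orders.log": "card 4111 1111 1111 1111 exp 12/26 charged",
    "lottery.txt": "ticket number 1234 5678 9012 3456",
}
```

Running `scan_store(SAMPLE)` labels the HR export confidential and the order log regulatory, while the lottery ticket, which fails the Luhn check, stays internal.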
Sarbanes-Oxley Act of 2002 (SOX)
A federal law enacted in response to accounting scandals in the early 2000s, including Enron, Tyco and WorldCom. SOX helps protect shareholders and the general public through reform of financial disclosures and prevention of accounting fraud.