A Checklist for Meeting Compliance
What Information Do I Need to Protect with Strong Encryption?
Organizations starting an encryption project always have this question on their minds. It is a simple question, but it can be hard to answer. Generally speaking, you should encrypt any information that, alone or when combined with other information, can identify a unique individual. This is called Personally Identifiable Information, or PII. PII should be your starting point, but you may need to address other categories of information depending on the compliance regulations you must meet; the sections below list the items each regulation calls out.
[For even more information on encrypting data in MongoDB, view our Definitive Guide to MongoDB Encryption & Key Management.]
Quicklinks:
Federal/State Laws and Personally Identifiable Information (PII)
EU General Data Protection Regulation (GDPR)
Educational Information Covered by FERPA
Federal Agencies and FISMA
Medical Information for Covered Entities and HIPAA/HITECH
Payment Card Industry Data Security Standard (PCI DSS)
Financial Data for FFIEC Compliance
Federal/State Laws and Personally Identifiable Information (PII)
Federal and State laws vary in what they consider Personally Identifiable Information (PII), but there is a lot of commonality between them. PII is any information that, either alone or when combined with other information, can identify an individual person. Start with this list of data items:
- Social security number
- Credit card number
- Bank account number
- First name
- Last name
- Address
- Zip code
- Email address
- Birth date
- Password or passphrase
- Military ID
- Passport
- Driver's license number
- Vehicle license number
- Phone and Fax numbers
EU General Data Protection Regulation (GDPR)
GDPR protects "personal data", defined in Article 4(1) as any information relating to an identified or identifiable natural person. That is broader than most U.S. definitions of PII, and health data is treated as a special category with stricter handling rules. Start with this list of data items:
- National identification number (the EU counterpart of a social security number)
- Credit card number
- Bank account number
- First name
- Last name
- Address
- Zip code
- Email address
- Medical information
- Birth date
- Password or passphrase
- Military ID
- Passport
- Driver's license number
- Vehicle license number
- Phone and Fax numbers
Educational Information Covered by FERPA
Educational institutions that fall under the FERPA regulations must protect Personally Identifiable Information (see above) as well as the following information:
- Student name
- Student ID number
- Family member names
- Place of birth
- Mother’s maiden name
- Student educational records
- Immunization records
- Health records
- Individuals with Disabilities Education Act (IDEA) records
- Attendance
Federal Agencies and FISMA
Federal agencies must evaluate their systems for the presence of sensitive data and provide mechanisms to ensure the confidentiality, integrity and availability of that information. Sensitive information is broadly defined, and includes Personally Identifiable Information (see above) as well as any other information the agency classifies as sensitive. It typically falls into the following categories:
- Medical
- Financial
- Proprietary
- Contractor sensitive
- Security management
- And other information identified by executive order, specific law, directive, policy or regulation
Medical Information for Covered Entities and HIPAA/HITECH
Covered entities and their business associates must protect Protected Health Information (PHI): health, treatment and payment information that is tied to an individual through identifiers such as the following:
- Patient diagnostic information (past, present, future physical or mental health)
- Patient treatment information
- Patient payment information
- Medical record numbers
- Name
- Street Address
- City
- Zip code
- County
- Health plan beneficiary numbers
- Fingerprints and other biometric identifiers
- Full facial photographs and images
- Device identifiers and serial numbers
- IP addresses and web URLs
- Any other individual identifiable information
Payment Card Industry Data Security Standard (PCI DSS)
- Primary Account Number (PAN)
- Track 1 and Track 2 data
- Security codes (CVV, CVV2, etc.)
- PIN and PIN block
One caveat a practitioner must keep in mind: PCI DSS requires the PAN to be rendered unreadable (for example, with strong encryption or tokenization) anywhere it is stored, but it treats full track data, card verification codes and PINs as sensitive authentication data that must not be stored at all after authorization, even in encrypted form. Encrypting those fields does not make retaining them compliant; the correct control is to never write them to the database.
Financial Data for FFIEC Compliance
- Income
- Credit score
- Collection history
- Family member PII and non-public personal information (NPI)
Encrypting Data in MongoDB
Alliance Key Manager for MongoDB is an enterprise key management solution that allows you to easily encrypt sensitive data with NIST-validated AES encryption and securely retrieve and manage encryption keys from Townsend Security’s FIPS 140-2 compliant Alliance Key Manager. With an easy to use interface and certifications to meet compliance requirements, you can rest assured knowing your data is secure.
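As an added illustration of the field-level approach the checklist implies (encrypt the PII items, leave everything else queryable, keep the key away from the data), the Go program below is example code written for this page; it is not Townsend Security's Alliance Key Manager client and not MongoDB's own encryption feature. The field names and the sample document are assumed, and the 32-byte key is generated locally as a stand-in for one fetched from a key manager. Each value is sealed with AES-256-GCM using the field name as additional authenticated data, so a ciphertext copied from one field (or one document) into another fails to decrypt instead of silently yielding the wrong person's data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumed document fields that hold PII, taken from the checklist above.
var piiFields = map[string]bool{
	"ssn": true, "credit_card": true, "bank_account": true, "first_name": true,
	"last_name": true, "address": true, "zip": true, "email": true,
	"birth_date": true, "passport": true, "drivers_license": true, "phone": true,
}

const encPrefix = "enc:" // marks a stored value as ciphertext

// newGCM wraps a 32-byte AES-256 key in an AEAD. In production the key comes
// from the key manager at runtime and is never stored next to the data.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value with a fresh random nonce. The field name is the
// additional authenticated data, binding the ciphertext to its column.
func EncryptField(aead cipher.AEAD, field, value string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(value), []byte(field))
	return encPrefix + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptField reverses EncryptField; any tampering, key mismatch or field
// mismatch surfaces as an error from aead.Open.
func DecryptField(aead cipher.AEAD, field, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return "", fmt.Errorf("field %q: cleartext value where ciphertext expected", field)
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", field, err)
	}
	return string(pt), nil
}

// EncryptPII returns a copy of doc with every PII field encrypted and all
// other fields left in the clear so they remain indexable.
func EncryptPII(doc map[string]string, key []byte) (map[string]string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(doc))
	for k, v := range doc {
		if !piiFields[k] {
			out[k] = v
			continue
		}
		if out[k], err = EncryptField(aead, k, v); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// DecryptPII is the inverse; a PII field that is not ciphertext is reported
// as an error, since it means cleartext PII reached storage.
func DecryptPII(doc map[string]string, key []byte) (map[string]string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(doc))
	for k, v := range doc {
		if !piiFields[k] {
			out[k] = v
			continue
		}
		if out[k], err = DecryptField(aead, k, v); err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // stand-in for a key retrieved from the key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample document.
	doc := map[string]string{"ssn": "123-45-6789", "email": "jane@example.com", "plan": "gold"}
	enc, err := EncryptPII(doc, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", enc)
	dec, err := DecryptPII(enc, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", dec)
}
```

The design choice worth noting is the AAD: without it, an attacker with write access to the database could move a ciphertext between fields or documents and the application would decrypt it without complaint. The prefix check in DecryptPII also doubles as a cheap audit that no PII field was written in the clear.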
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY:
THE PUBLISHER, THE AUTHOR, AND ANYONE ELSE INVOLVED IN PREPARING THIS WORK MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.