Protecting personally identifiable information (PII)
By Kimberly Nelson, Microsoft executive director for e-government, and William Billings, chief security advisor for the Microsoft U.S. Public Sector division
The widely publicized data breaches that spawned concern about privacy and identity theft could have a chilling effect on public confidence in e-government initiatives if federal agencies fail to effectively implement the security tools and processes needed to protect sensitive information.
In December 2006, Federal Computer Week reported that the Privacy Rights Clearinghouse tallied more than 97.3 million records containing sensitive personal information that were compromised in computer-related breaches in the last 20 months. Among the incidents were:
| • | A stolen U.S. Department of Veterans Affairs laptop containing personal information about 26.5 million veterans. |
| • | The Naval Safety Center's (NSC) mishandling of Social Security numbers and other personal data on more than 100,000 Naval and Marine Corps aviators that ended up displayed on the NSC's Web site and mailed on computer disks. |
| • | Two stolen laptops from a Department of Education contractor containing personal data on grant reviewers. |
| • | The theft of a desktop computer at Unisys containing personal data on 38,000 veterans registered at VA medical facilities. |
The U.S. federal government is taking important steps to help better protect personally identifiable information (PII). Microsoft technologies are a significant part of the solution.
On This Page
Federal government intensifies focus on data protection with help from Microsoft
Government organizations are required to publicly report data breaches, and many have pushed data security to a top priority, as well as stepped up regulatory guidance to help protect individual privacy and personal information. The Executive Office of the President, Office of Management and Budget (OMB) recommends that agencies encrypt all data on mobile devices; allow remote access only with two-factor authentication; implement a time-out function requiring user re-authentication after 30 minutes of inactivity; report all losses within one hour; and log all data extracts from databases holding sensitive information.
Each of these recommendations underscores the need for greater policy and the technological controls to protect critical government data and communications. Microsoft supplies the expertise and technologies to support the OMB's data security guidance. Microsoft rights management policy controls layered with other volume data protection methods and management techniques can provide a holistic approach to reducing data security threats.
As federal organizations strive to better protect PII, it's clear they face challenges in protecting privacy while managing growing volumes of sensitive data, increasing the availability of online services, sharing information across jurisdictional borders, and authenticating user identities.
While sufficient policies may now be in place to ensure the security of PII, often lacking are the procedures and management tools to ensure these policies are properly implemented. Until the OMB's guidance last summer, many federal executives didn't realize the effort involved in securing PII. To assist VA managers in meeting their increasing responsibilities, Microsoft's consulting team created a management system to ensure the proper reporting of incidents involving data loss or security breaches, which enables management to also track and report on such incidents in compliance with federal mandates.
New development process creates secure software by design
In 2003, Microsoft established strong internal security design and development processes known as the Security Development Lifecycle (SDL). By implementing this rigorous process for secure design, coding, testing of Microsoft products, the SDL helps reduce vulnerabilities and minimize risks in malicious attacks.
The SDL starts with the belief that software should be secure by design, which means designers must assess and understand all potential security vulnerabilities before they write a single line of code—and then take steps to eliminate those threats through careful design and review throughout the development process. Software should also be secure by default so that it automatically runs in a way that promotes security and protects users by, for example, disabling features that are not widely used or that can increase vulnerability. And users and administrators should always be provided with the information they need to ensure they can deploy software safely and maintain the optimum level of security that is appropriate for each class of user.
Windows Vista is the first client operating system to be developed from the start using the SDL. The 2007 Microsoft Office system and Microsoft Exchange Server 2007 were also built using the SDL and they, too, provide a wide range of new security features that protect against threats such as phishing scams, viruses, and other kinds of malware. Learn more.
Microsoft Windows Rights Management Services safeguards digital information
Microsoft also offers a number of technology solutions to help government customers protect privacy. For example, Microsoft Windows Rights Management Services (RMS) is an information protection technology that safeguards digital information from unauthorized use—online or offline, both inside and outside a firewall. Learn more.
Windows Vista enhances data protection
Windows Vista provides enhancements to further protect PII, including protection for data at rest, rights management, data protection for privacy, and an encrypted filing system (EFS) for file security. BitLocker Drive Encryption is another feature designed to protect data on computers that are lost, stolen or insecurely decommissioned. Learn more.
Conclusion
Improving data protection reduces risks associated with breaches and will enhance confidence in the government's ability to protect citizens' privacy and personal information, while simultaneously enabling greater efficiency in the delivery of e government services. Through a depth of experience and breadth of technologies spanning from servers to desktops and laptop PCs to mobile devices, Microsoft offers the most comprehensive technological solution to address this ongoing need.
For more information
To schedule a briefing on how Microsoft and our partners can help you comply with privacy regulations, contact askfed@microsoft.com.
