Data at Rest
- Stored in databases
- File servers
- Secure environments (e.g. a PCI cardholder data environment, CDE)
- Backup data (HDDs, USB drives, tape drives, CD/DVDs)
- Physical data (paper forms, photocopies)
Data in Transit
- Web services
  - HTTP, HTTPS, FTP, FTPS
- Sensitive data sharing (encryption)
- Hash comparison after downloading files (integrity check against a published checksum)
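The hash comparison mentioned above, as an added worked example (not code from the original notes): the script computes the SHA-256 of a downloaded file in chunks, parses a `sha256sum`-style manifest (`<hex digest>  <filename>`), and compares the digests with a constant-time comparison. The sample file content and manifest are constructed inline for the demonstration; the `write_sample` helper is an assumption used only to make the example self-contained.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <filename>' or '<hex digest> *<filename>'.

    Returns {filename: lowercase hex digest}. Malformed digests raise ValueError
    rather than silently producing a manifest entry that can never match.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        if name.startswith("*"):      # binary-mode marker used by sha256sum
            name = name[1:]
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed SHA-256 digest on line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals the expected digest.

    hmac.compare_digest avoids leaking how many leading characters matched
    through timing; a plain == comparison would be functionally equivalent
    but is a bad habit for anything that compares secrets or tokens.
    """
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def write_sample(content):
    """Helper (constructed for this example): write bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def demo():
    # Constructed sample: a 'download' whose content is b"abc", and a manifest
    # carrying the well-known SHA-256 of "abc".
    manifest = (
        "# SHA256SUMS (constructed for this example)\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  report.pdf\n"
    )
    expected = parse_checksum_manifest(manifest)
    good = write_sample(b"abc")
    tampered = write_sample(b"abd")   # one byte changed in transit
    return {
        "good": verify_download(good, expected["report.pdf"]),
        "tampered": verify_download(tampered, expected["report.pdf"]),
    }


if __name__ == "__main__":
    print(demo())   # {'good': True, 'tampered': False}
```

A checksum only detects accidental or in-transit corruption if the manifest itself came over a channel the attacker cannot rewrite (HTTPS from the publisher, or a manifest carrying a verified signature); a digest sitting next to the file on the same untrusted mirror can be replaced together with the file.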
Personally Identifiable Information (PII)
Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize otherwise anonymous data, can be considered PII.
NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including
- any information that can be used to distinguish or trace an individual’s identity, such as name, Aadhaar, social security number, date and place of birth, mother’s maiden name, or biometric records; and
- any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
So, for example, a user’s IP address is not PII on its own, but it is classified as linked PII.