Posts

Showing posts with the label EU-GDPR

Personal data or PII

PII or not to PII, that is the question

PII, or personally identifiable information, is used an awful lot to describe something that, within the EU-GDPR, DPA2018 (UK-GDPR), is referred to as personal data.

What is personal data vs PII?

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)).

PII is identified in US law as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. (...

Compliance or Conformity

Compliance is not security, or is it?

There is a view (anecdotal) that compliance is not security or, to be more precise, information and cyber security. For those aware of this standard, ISO/IEC 27001:2013 (information security management system, requirements) asks those organisations seeking certification to conform to its requirements. On the other hand, the Payment Card Industry (PCI) security standards, for example the Data Security Standard (PCI DSS), require compliance.

Conformity or compliance: in the cases above they both seek to achieve something similar, namely security, in the context of information and cyber security, by ensuring that important data assets are protected (specifically cardholder data for PCI DSS, and ‘other’ sensitive and critical information/data for ISO/IEC 27001:2013). Having generalised with the use of the word ‘other’ for 27001, in truth if cardholder data were in scope then in fact ‘other’ would include cardholder d...