Page 1580 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 5: Protecting Security of Assets
1. Personally identifiable information (PII) is any information that can identify an individual. It includes information that can be used to distinguish or trace an individual’s identity, such as name, social security number or national ID number, date and place of birth, mother’s maiden name, and biometric records. Protected health information (PHI) is any health-related information that can be related to a specific person. PHI doesn’t apply only to healthcare providers. Any employer that provides, or supplements, healthcare policies collects and handles PHI.
2. Solid state drives (SSDs) should be destroyed (such as with a disintegrator) to sanitize them. Traditional methods used for hard drives are not reliable. While it doesn’t sanitize the drives, encrypting all data stored on the drive does provide an extra layer of protection.
3. Pseudonymization is the process of replacing data with pseudonyms. In this context, pseudonyms are artificial identifiers, which the General Data Protection Regulation (GDPR) refers to as pseudonyms. The GDPR recommends the use of pseudonyms to reduce the possibility of data identifying an individual.
4. Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect. Tailoring refers to modifying the list of selected baseline controls for some systems that have different requirements.