
White Paper


What Data Needs To Be Encrypted In Drupal?
A Checklist for Meeting Compliance

This document is designed for Drupal administrators as a guide to the encryption and key management requirements and recommendations put forth by the various data privacy compliance regulations. The document is organized by the specific regulations and explains how encryption and key management satisfies their requirements.


724 Columbia Street NW, Suite 400 Olympia, WA 98501 360.359.4400 800.357.1019 fax 360.357.9047 www.townsendsecurity.com

What Data Needs To Be Encrypted In Drupal? by Townsend Security


What Information Do I Need to Protect with Strong Encryption?
Organizations starting an encryption project always have this question on their minds. It is a simple question, but it can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifying Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.

Federal/State Laws and Personally Identifiable Information (PII)
Federal and State laws vary in terms of what they consider Personally Identifiable Information (PII), but there is a lot of commonality between them. PII is any information which, either alone or when combined with other information, can identify an individual person. Start with this list of data items:

Social security number
Credit card number
Bank account number
First name
Last name
Address
Zip code
Email address
Birth date
Password or passphrase
Military ID
Passport
Driver's license number
Vehicle license number
Phone and fax numbers

Educational Information Covered by FERPA
Educational institutions that fall under the FERPA regulations must protect Personally Identifiable Information (see above) as well as the following information:

Student name
Student ID number
Family member names
Place of birth
Mother's maiden name
Student educational records
Immunization records
Health records
Individuals with Disabilities (IDEA) records
Attendance

2014 Townsend Security

Federal Agencies and FISMA
Federal agencies must evaluate their systems for the presence of sensitive data and provide mechanisms to ensure the confidentiality, integrity and availability of the information. Sensitive information is broadly defined, and includes Personally Identifiable Information (see above), as well as other information classified as sensitive by the Federal agency. Sensitive information might be defined in the following categories:

Medical
Financial
Proprietary
Contractor sensitive
Security management
And other information identified by executive order, specific law, directive, policy or regulation

Medical Information for Covered Entities and HIPAA / HITECH
The HIPAA / HITECH Act defines Protected Health Information to include Personally Identifying Information (see above) in addition to the following Protected Health Information (PHI):

Patient diagnostic information (past, present, future physical or mental health)
Patient treatment information
Patient payment information
Medical record numbers
Name
Street address
City
Zip code
County
Health plan beneficiary numbers
Fingerprints and other biometric identifiers
Full facial photographs and images
Device identifiers and serial numbers
IP address numbers and web URLs
Any other individual identifiable information



Payment Card Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches.

If you accept or process credit card or other payment cards, you must encrypt the following data:
Primary Account Number (PAN)

You must also NOT store, even in encrypted format:
Track 1 and Track 2 data
Security codes (CVV, CVV2, etc.)

Additional Resources
Podcast: Securing Sensitive Data in Drupal

Financial Data for FFIEC Compliance
Banks, credit unions, and other financial institutions must protect Non-public Personal Information (NPI), which includes personally identifying financial information (see above). In addition to the Personally Identifying Information above, you should protect:

Income
Credit score
Collection history
Family member PII and NPI

Encrypting Data in Drupal
Townsend Security is helping the Drupal community encrypt sensitive data and properly manage encryption keys. Developers who need to protect sensitive data know that storing their encryption keys within the content management system (CMS) puts their data at risk for a breach. With Key Connection for Drupal and Alliance Key Manager, administrators are now able to keep their encryption keys secure by storing them remotely and only accessing them when the encryption/decryption happens. The Key Connection for Drupal module is a plugin for the Encrypt project that allows you to easily encrypt sensitive data with NIST-validated AES encryption and securely retrieve and manage encryption keys from Townsend Security's FIPS 140-2 compliant Alliance Key Manager. With an easy-to-use interface and certifications to meet compliance requirements, you can rest assured knowing your data is secure.
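The key-separation point above (the key must not sit in the CMS next to the data it protects) can be shown in a few lines of PHP. The following is an added example written for this page; it is not code from the Key Connection for Drupal module or the Encrypt project. The `KeyProvider` interface, the `InMemoryKeyProvider` stand-in for a remote key manager, the `FieldEncryptor` class and the key ID `drupal-pii-2014` are all constructed for the illustration, and AES-256-GCM is this example's choice of AES mode (the page says only "NIST-validated AES"). It requires PHP 8 with the openssl and sodium extensions.

```php
<?php
// Added example (not the Key Connection for Drupal module's code).
// The CMS record stores ciphertext plus a key *identifier*; the key bytes
// are held by the key provider and fetched only while encrypting/decrypting.

interface KeyProvider
{
    // Returns the raw 256-bit key registered under $keyId (hypothetical API).
    public function getKey(string $keyId): string;
}

// Stand-in for a remote key manager, constructed for this example only.
// A real provider would call the external key service over TLS.
final class InMemoryKeyProvider implements KeyProvider
{
    public function __construct(private array $keys) {}

    public function getKey(string $keyId): string
    {
        if (!isset($this->keys[$keyId])) {
            throw new RuntimeException("unknown key id: $keyId");
        }
        return $this->keys[$keyId];
    }
}

final class FieldEncryptor
{
    private const CIPHER = 'aes-256-gcm';

    public function __construct(private KeyProvider $provider) {}

    // Encrypts one field value. The returned array is what the CMS stores:
    // key ID, IV, GCM tag and ciphertext, but never the key itself.
    public function encrypt(string $keyId, string $plaintext): array
    {
        $key = $this->provider->getKey($keyId);
        $iv  = random_bytes(12);   // 96-bit nonce, fresh per record
        $tag = '';
        $ct  = openssl_encrypt($plaintext, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
        sodium_memzero($key);      // drop our local copy as soon as the operation is done
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        return [
            'key_id' => $keyId,
            'iv'     => base64_encode($iv),
            'tag'    => base64_encode($tag),
            'ct'     => base64_encode($ct),
        ];
    }

    // Decrypts a stored record; GCM authentication rejects a tampered row.
    public function decrypt(array $record): string
    {
        $key = $this->provider->getKey($record['key_id']);
        $pt  = openssl_decrypt(
            base64_decode($record['ct']), self::CIPHER, $key, OPENSSL_RAW_DATA,
            base64_decode($record['iv']), base64_decode($record['tag'])
        );
        sodium_memzero($key);
        if ($pt === false) {
            throw new RuntimeException('decryption failed: wrong key or tampered record');
        }
        return $pt;
    }
}

// Constructed sample: one key held by the provider, one PII field to protect.
$provider  = new InMemoryKeyProvider(['drupal-pii-2014' => random_bytes(32)]);
$encryptor = new FieldEncryptor($provider);

$record = $encryptor->encrypt('drupal-pii-2014', '123-45-6789'); // constructed SSN-shaped value
assert(!array_key_exists('key', $record));            // the stored row never carries the key
assert($encryptor->decrypt($record) === '123-45-6789');

// Flipping bits in the stored ciphertext fails authentication instead of
// decrypting to garbage, which is the property a compliance auditor will ask about.
$raw = base64_decode($record['ct']);
$tampered = $record;
$tampered['ct'] = base64_encode($raw ^ str_repeat("\x01", strlen($raw)));
try {
    $encryptor->decrypt($tampered);
} catch (RuntimeException $e) {
    echo "tamper detected: {$e->getMessage()}\n";
}
```

The point to take from the record layout is that a database dump or a compromised web node yields `key_id`, `iv`, `tag` and `ct` but no key material; an attacker still needs access to the separately protected key provider, which is exactly the separation the regulations listed above are asking for.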


More Info: Key Connection for Drupal
Solution Brief: Data Privacy Compliance Within Drupal
Developer Program: Drupal Developer Program

Townsend Security
Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 companies worldwide trust Townsend Security's NIST-validated and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/HITECH, FISMA, GLBA/FFIEC, SOX, and other regulatory compliance requirements. Learn more at www.townsendsecurity.com.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY:
THE PUBLISHER, THE AUTHOR, AND ANYONE ELSE INVOLVED IN PREPARING THIS WORK MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
