Does the FISMA E-Government Act (P.L. 107-347) specifically require changing names/identifiers for personal data in databases and applications/screens?
For example, if "home phone" is considered personal data under this act, is changing its name/label in databases/systems to something like "other phone" to mask the personal nature of the phone number a good idea for compliance?
My customer's system security folks are thinking about changing names of personal data items to hide the personal/private nature of them. That does not make sense to me. I was wondering if changing a data name from SSN to something like GovAssignedIdNumber makes it more secure for compliance under this act.
I agree with your statement on this matter. Who cares if you change a table name if the actual privacy data is still available? FISMA does not explicitly state the requirement of changing names of personal data in applications, or that changing the label of data in a database is recommended or required. In fact, performing this type of action is like an extremely weak "security through obscurity" mechanism and really isn't obscure at all.
Even if you change the name from SSN to GovAssignedIdNumber, certain security controls still need to be applied in order to ensure the data is protected appropriately. The name assigned to the data is not relevant, instead, how the data is secured is the priority. When an assessment is being performed of the data, the assessor is not concerned with what the data is titled, but instead, on how the data is protected. Therefore, even if you title "home phone" as "other phone", the assessor will need to ensure the appropriate security controls are in place in order to show compliance against FISMA.