Securing PII is a critical component of many data privacy regulations as well as a valuable way to gain customer trust. Here are 10 steps to help keep PII protected within your organization.
Personally identifiable information (PII) is data which can be used to identify, locate, or contact an individual and includes information like name, date of birth, place of residence, credit card information, phone number, race, gender, criminal record, age, and medical records. Every organization stores and uses PII, be it information on their employees or customers. Even schools and universities will store the PII of their students, while hospitals will store patient data. The PII your company stores is highly attractive to would-be attackers, who can sell PII on the black market at a handsome price. PII can be used for any number of criminal activities including identity theft, fraud, and social engineering attacks. It goes without saying that it is absolutely vital that individuals and companies protect their PII. Failure to secure PII leaves your company open to highly targeted social engineering attacks, heavy regulatory fines, and loss of customer trust and loyalty.

10 steps to help your organization secure personally identifiable information against loss or compromise
1. Identify the PII your company stores
Start by identifying all the PII your company stores or uses. If you are a software vendor, you might have customer bank details and login information you need to protect. Government agencies will store PII like social security numbers, addresses, passport details, and license numbers. Once you have identified all the PII data your company stores, you can start to implement a number of measures to secure this data.

2. Find all the places PII is stored
The PII your company stores may live in a range of different locations like file servers, cloud services, employee laptops, portals, and more. A useful first step here is to think about the three states of the data your company stores: data at rest (sitting in files, databases and backups), data in use (being processed on an endpoint or server), and data in transit (moving across a network).
You need to consider all three data states as you develop your PII protection plan. Thinking about your company's data in all of its different states will help you determine where the PII lives, how it is used, and the various systems you need to protect.

3. Classify PII in terms of sensitivity
If you haven't done it already, you need to create a data classification policy to sort your PII data based on sensitivity. This is a vital part of PII protection. As you prioritize your PII, you should consider the following factors:
Having weighed up the above factors, you will be ready to classify PII based on sensitivity. At a minimum you should create three levels of data classification:
There are many benefits to classifying the PII your company stores, such as maintaining compliance, but data classification can also help an organization organize its data and help employees find the information they need to do their jobs. Finally, in the event of a security breach, data classification can guide your incident response team by telling them how sensitive the information that was compromised is, which in turn drives notification and containment priorities.
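Steps 1 to 3 can be partly automated. The following Go program is an added example written for this page, not code from the article or from any vendor's discovery tool: it scans a few constructed sample stores (a payroll export, a CRM dump, a laptop note and a wiki page) for common PII patterns, drops card-like digit runs that fail the Luhn checksum to keep false positives out of the inventory, and labels each store with the tier of its most sensitive finding. The tier names Public/Internal/Restricted, the detector patterns and the sample data are all assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Level is the sensitivity tier assigned by the classification policy (step 3).
// The three tier names are assumed for this example, not taken from the article.
type Level int

const (
	Public Level = iota
	Internal
	Restricted
)

func (l Level) String() string { return [...]string{"Public", "Internal", "Restricted"}[l] }

// Finding records one PII hit: what kind of data, where it lives, and its tier.
type Finding struct {
	Kind     string
	Location string
	Line     int
	Level    Level
}

// detectors pair a PII kind with a pattern and the tier the policy assigns it.
// The patterns are deliberately simple; a real scanner adds the formats found in
// the step 1 inventory (passport numbers, licence numbers, bank details, ...).
var detectors = []struct {
	kind  string
	re    *regexp.Regexp
	level Level
}{
	{"email", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), Internal},
	{"phone", regexp.MustCompile(`\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b`), Internal},
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), Restricted},
	{"card", regexp.MustCompile(`\b(?:\d[ -]?){13,19}\b`), Restricted},
}

// luhnValid reports whether the digits in s pass the Luhn checksum. Payment card
// numbers do; most random digit runs (order numbers, timestamps) do not.
func luhnValid(s string) bool {
	sum, double, digits := 0, false, 0
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c < '0' || c > '9' {
			continue // skip the separators the pattern allowed
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
		digits++
	}
	return digits >= 13 && sum%10 == 0
}

// Scan runs every detector over each line of one store and tags the findings
// with the store's location, which answers the "where does PII live" question of step 2.
func Scan(location, content string) []Finding {
	var findings []Finding
	for n, line := range strings.Split(content, "\n") {
		for _, d := range detectors {
			for _, m := range d.re.FindAllString(line, -1) {
				if d.kind == "card" && !luhnValid(m) {
					continue
				}
				findings = append(findings, Finding{d.kind, location, n + 1, d.level})
			}
		}
	}
	return findings
}

// Classify labels a store with the tier of its most sensitive finding: a file
// holding a single social security number must be handled as Restricted.
func Classify(findings []Finding) Level {
	top := Public
	for _, f := range findings {
		if f.Level > top {
			top = f.Level
		}
	}
	return top
}

// sampleStores is constructed sample data; none of it is real.
var sampleStores = map[string]string{
	"fileserver/hr/payroll.csv": "name,ssn,email\nAda Lovelace,219-09-9999,ada@example.com\n",
	"crm/export.json":           `{"customer":"C-17","card":"4111 1111 1111 1111"}`,
	"laptop/notes.txt":          "Call back on 555-867-5309\norder ref 1234 5678 9012 3456 is not a card\n",
	"wiki/office.md":            "The office opens at 9am.\n",
}

func main() {
	locations := make([]string, 0, len(sampleStores))
	for loc := range sampleStores {
		locations = append(locations, loc)
	}
	sort.Strings(locations) // stable output order for the inventory report
	for _, loc := range locations {
		findings := Scan(loc, sampleStores[loc])
		fmt.Printf("%-28s %-10s", loc, Classify(findings))
		for _, f := range findings {
			fmt.Printf(" %s@L%d", f.Kind, f.Line)
		}
		fmt.Println()
	}
}
```

Running it prints one inventory line per store with its tier and the findings by line number; the laptop note comes out Internal because its card-like order reference fails the Luhn check, while the payroll export and the CRM dump are Restricted. Extending the detectors list is how the inventory from step 1 becomes a scan that can be re-run as data moves.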
4. Delete old PII you no longer need
You should delete any older, unnecessary PII so that it is no longer there for an attacker to find. Deletion only reduces risk if the data is actually unrecoverable afterwards, so delete PII securely rather than simply removing it from a directory listing, and be diligent about purging old copies from your data backups in case any PII is stored there.

5. Establish an acceptable usage policy (AUP) for PII
If you haven't done so already, you need to get an AUP in place for accessing PII. Your AUP should define who can access PII and lay out clearly what counts as acceptable use of it. The SANS Institute has developed a free AUP template which is a useful starting point in creating your policy. For a robust data protection program, you can use this template for PII and all other types of sensitive company data. Your AUP can also serve as a starting place for building technology-based controls that enforce proper PII access and usage.

6. Encrypt PII
Encrypting your PII at rest and in transit is a non-negotiable component of PII protection. Use strong, authenticated encryption with sound key management (keys stored separately from the data they protect, with access to them controlled and logged), and always make sure that PII is encrypted before it is shared over an untrusted network or uploaded to the cloud. You will need the right set of technical controls in place to ensure that PII is encrypted; many tools today can automate the encryption process based on data classification.

7. Eliminate permission errors
Companies that lose track of their access control rights can leave the PII they store wide open to attackers. Events like mergers and acquisitions can create confusion and errors in access controls as well. As a result, it is important that companies implement and enforce the principle of least privilege when granting access to sensitive data, so that individuals only have access to the data they need to do their jobs, and that they review existing grants regularly to catch permissions that have outlived their purpose.

8. Develop an employee education policy around the importance of protecting PII
Employee education is a relatively straightforward, yet vital, step in the protection of PII.
Your company's AUP can be an important part of your employee education program. Ensure that every employee at your company has a copy of your AUP and signs a statement acknowledging that they agree to follow all the policies laid out in the document. Employee training sessions on the correct way to access and store PII are another way to ensure the protection of PII. A thorough employee education policy on PII protection has the added benefit of transferring a sense of ownership to employees, who will feel they have an important role to play in PII protection.

9. Create a standardized procedure for departing employees
Threats to your company's PII can be both internal and external. One of the most common internal threats is the disgruntled departing employee. Even when a departure is amicable, employees may be tempted to take some valuable PII (or other sensitive data) out the door with them. Some best practices here include:
10. Establish an easy way for employees to report suspicious behavior
You should make it easy for employees to report suspicious or risky behavior to management. For instance, an employee might start taking company devices or materials home with them even if this goes against the AUP and could put PII in danger of being compromised. One of the best ways to police this type of event is to establish an easy way for employees to report it. Other triggers employees should watch out for include colleagues taking an interest in data and activities outside the scope of their job description, or accessing the network or sensitive resources at odd hours of the night.
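Step 6 says encryption should follow classification and happen before PII leaves the trust boundary. The following Go program is an added example written for this page, not code from the article or from any product it mentions: it keeps one AES-256-GCM key per classification tier (standing in for a KMS or HSM), seals Internal and Restricted records before they are stored or uploaded, and binds each record's ID and tier into the authentication tag so that a Restricted blob cannot be quietly relabelled as Internal or swapped under another ID. The tier names, the in-memory key store generated at startup and the sample record are assumptions made to keep the example self-contained.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Level is the classification tier from step 3; the names are assumed here.
type Level string

const (
	Public     Level = "Public"
	Internal   Level = "Internal"
	Restricted Level = "Restricted"
)

// Record is a classified PII record as the application sees it.
type Record struct {
	ID    string
	Level Level
	Body  []byte
}

// Sealed is the only form that may be written to disk, backed up or uploaded:
// ciphertext plus the metadata needed to decrypt it, never the plaintext.
type Sealed struct {
	ID    string
	Level Level
	Nonce []byte
	Data  []byte
}

// KeyStore stands in for a KMS or HSM: one 256-bit AES key per tier that needs
// encryption (Public has none). Generating keys at startup is an assumption for
// this example; a real deployment fetches and rotates them via the key manager.
type KeyStore struct{ keys map[Level][]byte }

func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{keys: map[Level][]byte{}}
	for _, l := range []Level{Internal, Restricted} {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		ks.keys[l] = k
	}
	return ks, nil
}

// aead returns an AES-256-GCM instance keyed for the given tier.
func (ks *KeyStore) aead(l Level) (cipher.AEAD, error) {
	key, ok := ks.keys[l]
	if !ok {
		return nil, fmt.Errorf("no encryption key for level %q", l)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the record ID and its tier into the GCM authentication tag.
func aad(id string, l Level) []byte { return []byte(id + "|" + string(l)) }

// Seal encrypts every record whose tier has a key and passes Public through.
func (ks *KeyStore) Seal(r Record) (Sealed, error) {
	if r.Level == Public {
		return Sealed{ID: r.ID, Level: r.Level, Data: r.Body}, nil
	}
	gcm, err := ks.aead(r.Level)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := gcm.Seal(nil, nonce, r.Body, aad(r.ID, r.Level))
	return Sealed{ID: r.ID, Level: r.Level, Nonce: nonce, Data: ct}, nil
}

// Open reverses Seal. Any change to the ciphertext, nonce, ID or tier fails
// authentication and yields an error rather than garbage plaintext.
func (ks *KeyStore) Open(s Sealed) (Record, error) {
	if s.Level == Public {
		return Record{ID: s.ID, Level: s.Level, Body: s.Data}, nil
	}
	gcm, err := ks.aead(s.Level)
	if err != nil {
		return Record{}, err
	}
	if len(s.Nonce) != gcm.NonceSize() {
		return Record{}, errors.New("malformed record: bad nonce length")
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Data, aad(s.ID, s.Level))
	if err != nil {
		return Record{}, errors.New("record failed authentication: tampered, relabelled or wrong key")
	}
	return Record{ID: s.ID, Level: s.Level, Body: pt}, nil
}

func main() {
	ks, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the SSN is not a real one.
	rec := Record{ID: "emp-42", Level: Restricted, Body: []byte("ssn=219-09-9999")}
	sealed, _ := ks.Seal(rec)
	back, err := ks.Open(sealed)
	fmt.Printf("stored %x\nopened %q (err=%v)\n", sealed.Data, back.Body, err)
	sealed.Level = Internal // someone downgrades the label to loosen handling
	_, err = ks.Open(sealed)
	fmt.Println("relabelled:", err)
}
```

Keying per tier means a leak of the Internal key does not expose Restricted data, and the associated data makes the stored classification label tamper-evident rather than advisory. Seal is the hook where a "tool that automates encryption based on data classification" would sit: the record's tier decides whether and with which key it is encrypted before it is written anywhere.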