search

Which of the following is a security best practice for protecting personally identifiable information?

1 years ago
Comments: 0
Views: 123

Personally Identifiable Information (PII) is a legal term pertaining to information security environments. While PII has several formal definitions, generally speaking, it is information that can be used by organizations on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Show

Non-sensitive PII can be transmitted in unsecure form without causing harm to an individual. Sensitive PII must be transmitted and stored in secure form, for example, using encryption, because it could cause harm to an individual, if disclosed.

Organizations use the concept of PII to understand which data they store, process and manage that identifies people and may carry additional responsibility, security requirements, and in some cases legal or compliance requirements.

Blog: Top Challenges to Implementing Data Privacy: Nailing Down Discovery and Classification First is Key.

Personally Identifiable Information (PII) in Privacy Law

PII and similar terms exist in the legislation of many countries and territories:

  • In the United States, the National Institute of Standards and Technology (NIST)’s Guide to Protecting the Confidentiality of Personally Identifiable Information defines “personally identifiable” as information like name, social security number, and biometric records, which can be used to distinguish or trace an individual’s identity.
  • In the European Union, directive 95/46/EC defines “personal data” as information which can identify a person via an ID number, or factors specific to physical, physiological, mental, economic, cultural or social identity.
  • In Australia, the Privacy Act 1988 defines “personal information” as information or an opinion, whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained—a much broader definition than in most other countries.
  • In New Zealand, the Privacy Act defines “personal information” as any piece of information that relates to a living, identifiable human being, including names, contact details, financial health, and purchase records.
  • In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Privacy Act defines “personal information” as data that on its own, or combined with other pieces of data, can identify an individual.

What Qualifies as PII?

According to the NIST PII Guide, the following items definitely qualify as PII, because they can unequivocally identify a human being: full name (if not common), face, home address, email, ID number, passport number, vehicle plate number, driver’s license, fingerprints or handwriting, credit card number, digital identity, date of birth, birthplace, genetic information, phone number, login name or screen name.

Which of the following is a security best practice for protecting personally identifiable information?

What Is Considered PII?

Beyond these clear identifiers, there are “quasi identifiers” or “pseudo identifiers” which, together with other information, can be used to identify a person. For example, according to a US governmental study, 87% of the US population can be uniquely identified by a combination of gender, ZIP code and date of birth. Pseudo identifiers may not be considered PII under United States legislation, but are likely to be considered as PII in Europe.

Who is Responsible for Safeguarding PII?

From a legal perspective, the responsibility for protecting PII is not solely attributed to organizations; responsibility may be shared with the individual owners of the data. Companies may or may not be legally liable for the PII they hold.

However, according to a study by Experian, 42% of consumers believe it is a company’s responsibility to protect their personal data, and 64% of consumers said they would be discouraged from using a company’s services following a data breach. In light of the public perception that organizations are responsible for PII, it is a widely accepted best practice to secure PII. A common and effective way to do this is using a Data Privacy Framework.

Creating a Data Privacy Framework

A Data Privacy Framework is a documented conceptual structure that can help businesses protect sensitive data like payments, personal information, and intellectual property. The framework specifies how to define sensitive data, how to analyze risks affecting the data, and how to implement controls to secure it.

While there are established data privacy frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27000 family of standards, and the EU General Data Protection Regulation (GDPR), there are benefits to creating a custom framework for your organization.

A custom Data Protection Framework will help you put an emphasis on the most sensitive and valuable data within your organization, and design controls that are suitable for your organizational structure, culture, regulatory requirements, and security budget.

Follow the steps below to create a custom Data Privacy Framework.

Classification

Define, assess and classify PII your organization receives, stores, manages, or transfers. For each type of PII, identify:

  • The required level of confidentiality
  • How sensitive the data is to integrity—what happens if it is lost or corrupted
  • How important it is to have the data available at all times
  • What level of consent has the organization received in relation to the data

Assessment

Conduct a Privacy Impact Assessment (PIA) to determine, for each type or classification or PII, how it is collected, where it is stored, and how it is disposed of, as well as the potential security risks for each type of PII.

Compliance Environment

  • Define your legislative obligations for PII compliance in the territories your organization operates in
  • Identify voluntary standards you need to comply with, such as PCI DSS
  • Determine your organization’s security and liability policy with regard to third party products and services—for example, cloud storage services

PII Security Controls

The Data Privacy Framework should define which security controls the organization needs to have in place to prevent data loss or data leak:

  • Change Management—tracking and auditing changes to configuration on IT systems which might have security implications, such as adding/removing user accounts.
  • Data Loss Prevention—implementing systems that can track sensitive data transferred within the organization or outside it, and identify unnatural patterns that might suggest a breach.
  • Data masking—ensuring that data is stored or transmitted with the minimal required details for the specific transaction, with other details masked or omitted.
  • Ethical walls—implementing screening mechanisms to prevent certain departments or individuals within an organization from viewing PII that is not relevant to their work, or that might create a conflict of interest.
  • Privileged user monitoring—monitoring all privileged access to files and databases, user creation and newly granted privileges, blocking and alerting when suspicious activity is detected.
  • Sensitive data access auditing—in parallel to monitoring activities by privileged users, monitoring and auditing all access to sensitive data, blocking and alerting on suspicious or anomalous activity.
  • Secure audit trail archiving—ensuring that any activity conducted on or in relation to PII is audited and retained for a period of 1-7 years, for legal or compliance purposes, and also to enable forensic investigation of security incidents.
  • User rights management—identifying excessive, inappropriate, or unused user privileges and taking corrective action, such as removing user accounts that have not been used for several months.
  • User tracking—implementing ways of tracking user activity, online and while using organizational systems, to identify negligent exposure of sensitive data, compromise of user accounts, or malicious insiders.

Solution Spotlight: Sensitive and Personal Data Security.

A wide range of privacy regulations govern how organizations collect, store and use personally identifiable information (PII). In general, companies need to ensure data confidentiality, avoid data breaches and leaks, and make sure data is not destroyed or altered in unauthorized ways.

The consequences of lost or leaked PII data are significant. Of course, the individuals involved can be harmed from resulting identity theft and associated costs. But organizations can lose in multiple ways as well: Not only can the costs of investigating the incident and repairing the damage be extensive, the company can be slapped with steep fines for non-compliance with a relevant privacy law, and customers can lose trust and leave forever.

This article explains what PII protection is and how to protect PII effectively with a data-centric security strategy.

What is PII?

PII is any type of information that can identify an individual. According to the National Institute of Standards and Technology (NIST), all of the following kinds of data could be considered PII:

  • Name: An individual’s full name, maiden name, alias, or mother’s maiden name
  • ID number: Social Security, passport, driver’s license, tax ID or credit card number
  • Address: Email or physical mailing address
  • Characteristics: Photographs, fingerprints, signature or handwriting, and other biometric data such as voice signature or facial geometry
  • Linkable data: Other indirect data that links a person to one of the above categories, like employment information, medical history, date of birth or financial information

Which of the following is a security best practice for protecting personally identifiable information?

Source: Braze

It’s also important to distinguish between sensitive and non-sensitive PII, so you can create different storage and sharing plans for each type:

  • Sensitive PII: Data that is not easily found from public sources, such as a person’s SSN, medical information and driver’s license number
  • Non-sensitive PII: Information that is easily accessible in open public outlets like phone books and internet resources, such as a person’s zip code or date of birth.

While there are currently no federal PII protection laws in the United States, U.S. organizations are required to follow a host of other privacy laws that govern specific types of PII, including:

  • Gramm-Leach-Bliley Act (GLBA): Covers customer information stored by financial institutions
  • Health Insurance Portability and Accountability Act (HIPAA): Specifies standards for protecting medical records and personal health information
  • Children’s Online Privacy Protection Act of 1998 (COPPA): Governs websites and online services geared toward children under 13 to protect their personal information
  • Family Educational Rights and Privacy Act (FERPA): Protects educational information and related records
  • Fair Credit Reporting Act (FCRA): Governs consumer information held by credit reporting agencies
  • Sarbanes-Oxley Act (SOX): Protects individuals from accounting errors and fraudulent business enterprises
  • California Consumer Privacy Act (CCPA): Governs the collection, sale and disclosure of the personal information of California residents
  • Massachusetts data privacy law: Protects Massachusetts residents against identity theft and fraud
  • The EU’s General Data Protection Regulation (GDPR): Protects the privacy of the personal data of EU citizens and impacts many companies around the globe
  • Other data privacy laws, which we covered in an article about the S. data privacy approach

These regulations can be complex, so some organizations engage legal professionals to help them navigate compliance. However, it is often the responsibility of IT staff to ensure that protection practices are in place within company systems and processes.

PII protection best practices

Now that you know what PII is, let’s look at best practices for protecting it. Consider these best practices for protecting PII:

1. Discover and classify your PII. Make sure you classify your personal data into sensitive and non-sensitive categories. Where does this sensitive information currently live? Is any sensitive PII currently being stored in an insecure manner? Make sure you know exactly what data you have and where it is stored so you can implement the right security strategies for different types of data.

2. Perform risk assessments. A risk assessment helps you identify and prioritize your vulnerabilities, so you can correct the most important issues first. To perform a risk assessment, ask these key questions: Where are the gaps in your current security strategy? How do your current risks impact the sensitive data you have? What would the impact be if certain files were leaked or lost?

3. Create the right access and privilege model. Implement the least-privilege model, so that employees can access only the data they need to perform their work. A role-based access model enables you to assign certain access levels to sensitive data to protect against improper data loss or alteration.

Which of the following is a security best practice for protecting personally identifiable information?

Source: Citrix

4. Use encryption. Encrypting PII helps keep it safe even if it falls into the wrong hands.

5. Don’t store PII you don’t need. Create a policy for destroying records securely when they are no longer needed. This should be a controlled process to avoid the accidental deletion of important data or leaving traces of sensitive data in unsecured locations.

6. Document your policies and procedures for handling sensitive data. Your policy should include the types of data you store, which PII is sensitive versus non-sensitive, and how different types of data must be stored and protected. Be sure to educate your users about those policies and procedures.

Conclusion

Organizations everywhere need to know what PII is and how its loss or leakage could impact their business. The data protection techniques listed above will help you identify and protect your PII. Consider investing in data security software that will help you efficiently and effectively protect your PII and monitor for security threats.

Which of the following is a security best practice for protecting personally identifiable information?

Reviews Best

Related Posts

Which of the following best predicts how phylogenetic relationships might be revised if transposon 1 was not found in Chimpanzees?
Which of the following best predicts how phylogenetic relationships might be revised if transposon 1 was not found in Chimpanzees?

What is said to be the best technique method available that can to help manage dental anxiety?
What is said to be the best technique method available that can to help manage dental anxiety?

Which statement best describes the use of sound devices in the lines?
Which statement best describes the use of sound devices in the lines?

Which of the following is empowered by the u.s. federal government to review and approve research
Which of the following is empowered by the u.s. federal government to review and approve research

A rational decision will never fail to provide the best and most successful solution to a problem.
A rational decision will never fail to provide the best and most successful solution to a problem.

What is the best position for a patient in anaphylactic shock?
What is the best position for a patient in anaphylactic shock?

Which of the following individuals is best known for his investigations into classical conditioning?
Which of the following individuals is best known for his investigations into classical conditioning?

Which would be the best choice to package and store small or trace evidence
Which would be the best choice to package and store small or trace evidence

Which of the following is best known as a lender of last resort to nations in financial trouble?
Which of the following is best known as a lender of last resort to nations in financial trouble?

Smart goals for performance review examples
Smart goals for performance review examples

How long can koi fish live in a bucket
How long can koi fish live in a bucket

¿Qué hacer cuando la computadora no encuentra la impresora?
¿Qué hacer cuando la computadora no encuentra la impresora?

Your Lie in April characters age
Your Lie in April characters age

What part of Vermont is closest to New York?
What part of Vermont is closest to New York?

Why are my Mods not working Vortex?
Why are my Mods not working Vortex?

Galaxy note 8 qualcomm vs exynos
Galaxy note 8 qualcomm vs exynos

Average cost of living in California per year
Average cost of living in California per year

Who is the real king of country music?
Who is the real king of country music?

How do you say chief in spanish
How do you say chief in spanish

What triggers the final mission in me3?
What triggers the final mission in me3?

LATEST NEWS

There are three phases of gastric secretion. the cephalic phase occurs
1 years ago . by OperativeApologise
How was the Battle of Saratoga won?
1 years ago . by SubtleSolicitation
How does a Taurus man text when he likes you
1 years ago . by UrinaryLigament
What is the distance covered by the athlete?
1 years ago . by GeopoliticalSchooner
At which value will the graph of have a zero
1 years ago . by InsatiableAnomaly
How long does it take to go from Texas to Mexico border?
1 years ago . by UndecidedMouthful
Why are t statistics more variable than z scores
1 years ago . by SubstantialResurgence
How much water at 32°c is needed to just melt 1.5 kg of ice at -10°c?
1 years ago . by ErsatzNursery
What was created to prevent similar banking disasters?
1 years ago . by Ground-floorCorpus
A client has answered some questions in a query, so you’re able to edit the _________ ones.
1 years ago . by MaroonRodeo

Populer

About

Legal

Help

Social

Copyright © 2024 ShotOnMac Inc.