Managing the Protection of Personally Identifiable Information

In the digital world we live in, it often feels like every major corporation or government entity has been subject to a cyber attack compromising the personal data of customers and/or employees. When people provide their information to an organization, the expectation and assumption is that reasonable steps will be taken to protect private information and prevent its abuse.

Even with the best intentions to keep information secure, hackers inevitably find a way to break through the established barriers of some of the largest organizations in the world. As a result, many feel it is not a matter of if their data will be compromised, but when.

Concerns over data security, particularly for personally identifiable information (PII), require that organizations focus on the procedures and controls designed to manage the underlying information. Establishing anti-hacker security measures is only one component of a comprehensive data protection strategy. In the event an electronic database is compromised, an effective PII management structure helps minimize the impact and severity of the breach.

The procedures of PII data management, in both electronic and physical forms, draw upon the guidance of organizations like the Information Systems Audit and Control Association (ISACA) and the National Institute of Standards and Technology (NIST). The goal of this type of review is to gain a comprehensive understanding of the nature and format of PII held by an organization, the flow of information in and out, and internal procedures to manage and maintain the information.

This identification uses a risk-based approach to review both the physical and logical security controls in place to protect the various forms of PII and private information held electronically or in physical storage. The review provides organizations with a customized overview of security concerns that could impact the reliability, accuracy, and security of PII data due to identified weaknesses in their control structure.

When seeking to effectively manage PII in order to reduce the impact of a breach, consider:

  • Data-field Necessity: Documents containing PII should be reviewed for highly sensitive information (social security numbers, etc.). The organization should then determine whether the sensitive information should be maintained in full or in redacted form (e.g. retaining only the last four digits). Data collection may be ceased altogether if the information is determined to be non-essential.
  • Document Retention: Organizations should create and maintain document retention policies for forms containing PII. Information must be properly secured and held for the shortest period of time possible, reducing exposure in the event information is compromised.
  • Appropriate User Access: Organizations should keep employee user access current, with duties properly segregated and access to data based on the business needs of individual users. These added levels of security through limited user access can reduce the reach of an intruder who compromises an individual account, preventing that intruder from accessing additional accounts and data.

In an age where everyone’s personal information is constantly at risk, managing the PII of customers and clients is more important than ever. Losing public trust is a concern more and more organizations have to worry about. With pervasive headlines featuring the personal information exposures of Facebook and Orbitz, taking the right steps in securing customer information now can prevent serious repercussions in the future.

SC&H Group’s Technology Risk Services provide your organization with objective and practical advice to manage and improve your IT risk profile. We can help you implement IT best practices, processes, and controls, and make important security adjustments to safeguard your business from today’s IT threats. Contact us today to learn more.