Acquire security funding with an impact assessment
Published: 08 Mar 2007 16:42 GMT
Protecting personally identifiable information (PII) is a major responsibility. As the name implies, PII is any information that can be used to identify or trace a specific individual: education records, financial transactions, medical history, employment history and more.
PII is a huge deal these days. Not only is it regulated by major legislation such as HIPAA, but mishandling it has also generated some very bad press for major companies. Make no mistake: the obligation to protect PII applies to your organisation regardless of its size.
Your company's clients and employees must trust your ability to protect their PII; any sort of mismanagement of this data will erode that trust. And sooner or later, no trust leads to no clients.
That's why you need to take steps to protect PII in your organisation. The last thing you want to do is notify customers of a data loss or breach. Developing a comprehensive action plan for the protection of PII is where you need to begin.
Before you start looking for a security solution that will ultimately cost your organisation in terms of materials, man hours and money, do your homework. Conduct an impact assessment to determine the financial and regulatory impact of losing or disclosing PII. You can then use this exercise to show the people who control security funding why you need to develop a plan for protecting PII.
To perform an impact assessment, follow these steps:
- Identify all corporate data that contains PII — you can't begin to protect something if you don't know where it is. Develop procedures that specify the approved locations for the electronic storage of that data, and move the data to its approved storage location if necessary.
- Evaluate and separate PII data based on the level of the impact of losing or disclosing that data. Keep in mind that disclosing employee records will have a different impact from disclosing client records.
- Develop and implement a plan to encrypt all PII at rest for confidentiality. Hard drives, tapes and removable media should encrypt this data automatically as the system writes it, so that a lost or stolen device does not become a disclosure. Keep the encryption keys separate from the media they protect (a key stored on the encrypted tape protects nothing), and make sure the algorithms and key lengths meet or exceed any regulatory requirements.
- Develop a policy and procedure that identifies who can access this data.
- Develop a policy and procedure that identifies how someone can access this data. For example, can mobile devices access this data? Is it remotely available? Is the mobile/remote device a company or personal asset? Who approves local and remote access requests?
- Establish the chain of events for a loss or suspected loss of data. If you do lose or disclose PII, you need to have a plan in place well before that happens.
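The first two steps (find the data, then tier it by impact) can be partly automated. The Python script below is an added example and is not part of the original article: it scans a constructed set of documents for three common PII patterns, validates card-number candidates with the Luhn check to cut false positives, records only masked values, flags findings that sit outside assumed approved storage locations, and summarises the worst impact tier per location. The regexes, the tier assigned to each data type, the approved paths and the sample files are all assumptions made for illustration.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Detector regexes. The SSN pattern rejects area numbers 000, 666 and 900-999,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single spaces or hyphens between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

# Impact tiers per data type are an assumption for this example; a real
# assessment derives them from the financial and regulatory impact analysis.
TIER_RANK = {"low": 0, "high": 1}

# Approved storage locations (assumed path prefixes for the example).
APPROVED_LOCATIONS = ("/secure/hr/", "/secure/crm/")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


DETECTORS = (
    # (kind, regex, validator, impact tier)
    ("ssn", SSN_RE, lambda s: True, "high"),
    ("card", CARD_RE, lambda s: luhn_ok(re.sub(r"\D", "", s)), "high"),
    ("email", EMAIL_RE, lambda s: True, "low"),
)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    tier: str
    sample: str  # masked so the assessment report does not itself become a PII store


def mask(value: str) -> str:
    """Keep only the last four characters, as a payment receipt would."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every detector over one document and return the validated findings."""
    findings = []
    for kind, regex, valid, tier in DETECTORS:
        for m in regex.finditer(text):
            if valid(m.group(0)):
                findings.append(Finding(path, kind, tier, mask(m.group(0))))
    return findings


def scan_corpus(corpus: dict[str, str]) -> list[Finding]:
    """corpus maps a storage path to its text content (files, exports, mailboxes)."""
    return [f for path, text in corpus.items() for f in scan_text(path, text)]


def outside_approved(findings: list[Finding], approved=APPROVED_LOCATIONS) -> list[Finding]:
    """Findings stored anywhere other than an approved location; these need moving."""
    return [f for f in findings if not f.path.startswith(approved)]


def impact_summary(findings: list[Finding]) -> dict[str, dict]:
    """Per location: the worst impact tier present and a count of each data type.
    This is the table a funding request is built from."""
    summary: dict[str, dict] = {}
    for f in findings:
        entry = summary.setdefault(f.path, {"tier": "low", "counts": Counter()})
        if TIER_RANK[f.tier] > TIER_RANK[entry["tier"]]:
            entry["tier"] = f.tier
        entry["counts"][f.kind] += 1
    return summary


# Constructed sample data for the example; no real records.
SAMPLE_FILES = {
    "/secure/hr/payroll.csv": "emp_id,name,ssn\n1001,Jane Roe,123-45-6789\n",
    "/shares/public/notes.txt": "Card on file: 4111 1111 1111 1111, contact jane@example.com\n",
    "/shares/public/readme.txt": "Build 2007.03.08, ticket 1234567812345678 is not a card\n",
}

if __name__ == "__main__":
    found = scan_corpus(SAMPLE_FILES)
    for path, entry in impact_summary(found).items():
        print(f"{path}: tier={entry['tier']} {dict(entry['counts'])}")
    for f in outside_approved(found):
        print(f"relocate: {f.kind} in {f.path} ({f.sample})")
```

Two design points matter when you run something like this for real. First, pattern matching is noisy in both directions: the Luhn check discards the 16-digit ticket number in the third sample file, but a free-text field holding a card number with unusual separators would be missed, so treat the output as input to the assessment, not as the assessment. Second, the report deliberately stores masked values only; a discovery tool that writes every hit to a spreadsheet has just created one more unapproved PII store.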
Once you know what data you are protecting and how stringently you want to protect it, conduct a risk assessment. It should identify the ways this data can be lost or disclosed and specify how you intend to mitigate each of those risks.
Act before a loss takes place
PII is a high-priority target for identity thieves and for attackers who want to brag about breaching your company's security. Protecting PII is something you need to address before a loss occurs, not afterwards. Nobody will write a news story about your security strategy, but you can bet you will read about your lack of safeguards if you fail to act.
Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.