One Article Review

Source AlienVault Blog
Identifier 1373551
Publication date 2019-10-01 13:00:00 (seen: 2019-10-01 16:06:41)
Title What you need to know about PII security in 2019
Text As a society we have always relied on personal identifiers, commonly known as personally identifiable information (PII). Defining and protecting PII has recently become much more important as a component of personal privacy, now that advances in computing and communications technology, including the internet, have made it easier to collect and process vast amounts of information. The protection of PII and the overall privacy of information are concerns both for individuals whose personal information is at stake and for organizations that may be liable or have their reputations damaged should such PII be inappropriately accessed, used, or disclosed.

Without question, 2019 has been an eventful year for organizations across the different industries, with massive data breaches that have had major impacts on organizations as well as consumers. A number of these breaches have exposed PII and heightened awareness of privacy regulations such as GDPR.

PII data security best practices

Here are some foundational steps to get started with an information protection framework that helps you think through the key dimensions associated with protecting PII.

- Understand the data: identify and classify it by source, type, sensitivity and criticality to the business.
- Understand the threats it is exposed to: due to the constantly changing nature of the threat landscape, a review of the threat exposure should be performed on a regular basis.
- Ensure that the data's protection is commensurate with the threat: this means that the controls that compose the security framework need to be adapted to each case so the risks are adequately mitigated.

Identify Your PII

Due to the wide range of definitions of what exactly comprises PII, each organization is responsible for determining what defines PII in its jurisdiction and which statutes, industry standards, etc., are in scope for compliance.

One of the most important steps in protecting PII is identifying it. The types of information that should be considered PII are well known. Once the types of information considered PII are understood, there remains the challenge of determining where this information is located and stored. The information generally resides either in structured data sources such as databases, or in unstructured information such as electronic documents, emails and other file types. Unstructured information poses the greater challenge, as it can travel anywhere, from desktop computer to tablet to server to mobile phone. Organizations must determine how to identify which unstructured information contains PII, and how to make their employees, contractors, and partners aware that certain files contain PII.

PII is typically stored in a myriad of locations, in both electronic and hard copy form. Perform a review to identify PII and focus on:

- Policies and procedures to protect PII and other private data in any of its forms and storage locations, including the deployment and effectiveness of an organization-wide data classification scheme
- Policies and procedures relating to action needed after a breach of PII confidentiality
- Training and awareness of employees in the handling and processing of PII and data privacy

Educate and Build Awareness of PII

Organizations should develop comprehensive policies and procedures for handling PII at the organization level, the program or component level, and where appropriate, at the system level. Well-crafted PII handling policies and procedures are unlikely to succeed if the organization does not involve its information creators in the protection of PII as part of their standard way of doing business. Awareness and training for end user
Sent Yes
Tags Threat


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.