How to protect PII & best practices
How to Protect PII
Here are some simple steps that can be taken to protect PII.
- Don’t capture or store more information than you need
- Shred paperwork that contains PII once it is no longer needed
- NEVER send PII unencrypted by email
PII protection best practices
Now that you know what PII is, consider these best practices for protecting it:
1. Discover and classify your PII. Make sure you classify your personal data into sensitive and non-sensitive categories. Where does this sensitive information currently live? Is any sensitive PII currently being stored in an insecure manner? Make sure you know exactly what data you have and where it is stored so you can implement the right security strategies for different types of data.
2. Perform risk assessments. A risk assessment helps you identify and prioritize your vulnerabilities, so you can correct the most important issues first. To perform a risk assessment, ask these key questions: Where are the gaps in your current security strategy? How do your current risks impact the sensitive data you have? What would the impact be if certain files were leaked or lost?
3. Create the right access and privilege model. Implement the least-privilege model, so that employees can access only the data they need to perform their work. A role-based access model enables you to assign certain access levels to sensitive data to protect against improper data loss or alteration.
4. Use encryption. Encrypting PII helps keep it safe even if it falls into the wrong hands.
5. Don’t store PII you don’t need. Create a policy for destroying records securely when they are no longer needed. This should be a controlled process to avoid the accidental deletion of important data or leaving traces of sensitive data in unsecured locations.
6. Document your policies and procedures for handling sensitive data. Your policy should include the types of data you store, which PII is sensitive versus non-sensitive, and how different types of data must be stored and protected. Be sure to educate your users about those policies and procedures.
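As an added illustration of steps 1 and 5 (it is example code written for this page, not part of the original article): a small classifier that builds a data map of where sensitive PII lives in a set of records, and a minimisation helper that keeps only the fields a given process needs. The sample records, field names and detection patterns are constructed assumptions; a real deployment would use the organisation's own data inventory and classification rules.

```python
import re
# Constructed sample records (not real data) standing in for a customer table.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "a.smith@example.com",
     "ssn": "123-45-6789", "plan": "basic"},
    {"customer_id": "C-1002", "email": "b.jones@example.com",
     "card": "4111 1111 1111 1111", "plan": "pro"},
]

# Assumed rules: field names that are always sensitive, and value patterns that
# mark a field as sensitive whatever it is called. Extend to your own inventory.
SENSITIVE_FIELDS = {"ssn", "date_of_birth", "passport_number"}
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "credit_card": re.compile(r"^(?:\d{4}[ -]?){3}\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

def classify_field(name, value):
    """Return ('sensitive', category) or ('non-sensitive', None) for one field."""
    if name.lower() in SENSITIVE_FIELDS:
        return "sensitive", name.lower()
    for category, pattern in SENSITIVE_PATTERNS.items():
        if pattern.match(str(value).strip()):
            return "sensitive", category
    return "non-sensitive", None

def inventory(records):
    """Step 1 data map: which field names hold sensitive PII, and of what kind."""
    found = {}
    for rec in records:
        for name, value in rec.items():
            level, category = classify_field(name, value)
            if level == "sensitive":
                found.setdefault(name, set()).add(category)
    return found

def minimize(record, needed_fields):
    """Step 5: keep only needed fields; report names (never values) of dropped PII."""
    kept, dropped_sensitive = {}, []
    for name, value in record.items():
        if name in needed_fields:
            kept[name] = value
        elif classify_field(name, value)[0] == "sensitive":
            dropped_sensitive.append(name)
    return kept, dropped_sensitive

if __name__ == "__main__":
    print("sensitive fields:", inventory(SAMPLE_RECORDS))
    print("billing view:", minimize(SAMPLE_RECORDS[1], {"customer_id", "plan"}))
```

The names of dropped fields can be logged for audit without ever writing the values themselves to a log, which keeps the retention policy in step 5 from creating a new unsecured copy of the data.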