Introduction

Personally Identifiable Information is defined by the National Institute of Standards and Technology (NIST) as:

Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

With the widespread and ever-increasing requirement for such data to be processed (and stored and transmitted) in an IT environment, it is vital that security measures are in place to maintain public confidence in organizations that work with PII.

In addition, PII has been subject for some time to a plethora of state, federal and international privacy laws, e.g., the Privacy Act, as well as sector-specific legislation, such as HIPAA (the Health Insurance Portability and Accountability Act).

The Privacy Act includes a requirement for appropriate procedural, technical, and physical security measures to be implemented to protect PII. With the increased use of IT systems and networks in the processing of PII by federal agencies, the E-Government Act was introduced to provide the public with assurance regarding electronic government services specifically.

The E-Government Act also established the requirement for federal agencies to carry out privacy impact assessments (PIAs), to ensure that PII policies are in place and that these are available on the agency websites.

Similar legislation is in place in most areas of the world: Canada, Australia and New Zealand all have their own Privacy Acts, the UK has its Data Protection Act, and Germany’s Federal Data Protection Law is perhaps the strictest of the national regulation sets. A European Union (EU) Data Protection Directive is also due to be implemented to unify data protection regulation across the European member states.

In the US, to help organizations that process PII demonstrate compliance with the relevant legislation and provide assurance to the citizens whose personal information they hold, NIST’s Information Technology Laboratory (ITL) – essentially the technical authority for the US federal government – has developed standards and guidelines for the protection of PII.

Generally speaking, the standards and guidelines detail the need for a set of policies, procedures and technical measures to be identified using a risk assessment approach and put in place to secure PII and the systems on which it is stored and processed.

An area described in the guidelines as critical to the success of information privacy and security management arrangements is security awareness.

PII Compliance and Security Awareness Training

For any information security management system (ISMS) to operate effectively, it is essential that all staff involved in the operation and management of the system (or systems) covered by the ISMS clearly understand their roles and responsibilities and that all users are aware of and comply with the policies and procedures that apply.

The specific policies, procedures, and technical and physical security measures identified as necessary to protect PII will vary depending on the organization and its technical environment and, as mentioned, are best established through a risk assessment.

However, typical measures that are likely to be required would include:

  • procedures for reporting and managing any security incidents impacting on PII – whether actual or suspected;
  • access controls for systems, applications or databases holding PII to be in place strictly based on need-to-know;
  • logging and monitoring of access to PII; and
  • deployment of encryption where PII is to be transmitted over non-secure or untrusted networks (e.g., the Internet).

For such measures to operate effectively, users will need to know, for example, to whom they must report any incidents; system administrators will need to know what rights and privileges need to be applied for particular user groups, how any extension to these access rights should be managed, what level of approval is required, etc.

So it’s necessary that appropriate policies and procedures are in place and that these are used as the basis for a security awareness program.

The awareness program needs to incorporate training for all staff in relation to PII and their responsibilities and, in addition, specific training for all those with specialist roles in relation to the PII security management arrangements.

PII Security Awareness for All Staff

The general security awareness training for all staff would include the following:

  • What is PII? How is it defined? (Examples of PII relevant to the particular organization should be included, and it should be stressed to staff that they themselves are of course subjects of PII and should thus have a vested interest in ensuring that PII is adequately protected.)
  • A summary of the relevant regulations and how they apply to the organization.
  • What would be the potential impact of a breach for the organization? (Not just in terms of financial loss; damage to reputation should also be considered, for example.)
  • What sanctions would apply to an individual found to have caused a breach through misuse?
  • Roles and responsibilities in relation to PII.
  • Details of the organization’s PII policies and procedures (for how long can the PII be retained? How must it be securely disposed of?).
  • How IT systems processing PII should be used (how should printed output with PII be handled? When should encryption be used? How should USB drives or other removable media be used, if permitted?).
  • Incident reporting arrangements (what would represent an incident? To whom should it be reported?).

PII security awareness training should also refer to current threats and risks and how social engineering can be used as part of a spear phishing attack, for example, to steal or gain unlawful access to PII.

Unfortunately, news stories of such data breaches that can be used to highlight the risks are usually readily available.

PII Security Awareness for Specialist Roles

In addition to the general PII security awareness training for all staff, tailored security awareness for particular key roles involved in ensuring compliance also needs to be considered.

For example, staff who would be responsible for or involved in conducting PIAs (privacy impact assessments) may need awareness training to cover this if they do not have the necessary experience.

IT staff involved in the design, development and maintenance of IT systems that process PII need to be aware of the relevant security standards, guidelines, and technical controls that must be applied to specifications and code to ensure that PII safeguards are built into systems by adhering to appropriate methodologies, e.g., SSDLC (secure system development life cycle).

It’s important also that staff responsible for tendering and contract management are aware of the need to include requirements for PII security provision in contracts with vendors, contractors and sub-contractors where appropriate. Such requirements should include the need for IT service provider staff (where IT facilities are outsourced, for example) to have the necessary PII security awareness training.

Summary

Organizations that process PII are bound by a wide range of legislation and regulations. Having a risk-based information security management system in place incorporating policy, procedural and technical measures will help ensure that PII is adequately protected but—as confirmed by bodies such as the National Institute of Standards and Technology—security awareness is critical to the successful operation of such measures and achieving compliance.

Security awareness—in terms of general PII training for all staff and additional training for specialist roles—should ensure that all staff understand what PII is, the related issues and risks, and why therefore particular security arrangements need to be in place.

It should help all staff understand their role in ensuring the success of the measures in place to protect PII and thus ultimately result in staff becoming an important (really the most important) line of defense in protecting PII rather than a potential area of risk.