CSRSI Engagement for Evaluation and Establishment of Personally Identifiable Information (PII) Procedures and Controls
Breaches of personally identifiable information (PII) have increased dramatically over the past few years and have resulted in the loss of millions of records. Breaches of PII are hazardous to both individuals and organizations: individuals face identity theft, embarrassment, or blackmail, while organizations may suffer loss of public trust, legal liability, or the high costs of handling a breach of PII.
CSRSI has broad experience in effectively controlling PII. Each CSRSI engagement for evaluation and establishment of PII controls is based upon identifying the lifecycle of critical PII data elements. The PII lifecycle represents each data point from the time of PII acquisition to retention to destruction.
Based on experience, CSRSI has learned that this process is best accomplished by beginning with a detailed flow diagram of the data elements as they move through an organization. Many times an organization does not understand where data resides during the lifecycle, or the vulnerabilities and compliance violations that this may cause. CSRSI brings to the table the experience necessary to locate PII, determine what is acceptable practice, identify what needs to be fixed, and show how to achieve results.
The CSRSI PII engagement includes:
1) Identification of all PII residing in your environment.
An organization cannot properly protect PII it does not know about. CSRSI uses a broad definition of PII to identify as many potential sources of PII as possible (e.g., databases, shared network drives, backup tapes, contractor sites).
CSRSI defines PII as any information about an individual including:
- any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records, and
- any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Examples of PII include, but are not limited to:
- Name, such as full name, maiden name, mother's maiden name, or alias
- Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number
- Address information, such as street address or email address
- Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data.
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
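The inventory step above starts with finding PII shapes in places nobody expected them. The following scanner is an added illustration (it is not CSRSI's tooling) of how such a discovery pass works: it runs SSN, email and payment-card patterns over a few constructed sample sources, rejects SSN shapes that can never be issued and digit runs that fail the Luhn check, and records only masked values so the inventory report does not itself become a new PII holding. The source names and contents are invented for the example.

```python
import re
from collections import Counter

# Constructed sample data sources. Names and contents are made up for this
# example; a real inventory would walk file shares, database exports, backup
# manifests, and contractor-hosted systems instead.
SAMPLE_SOURCES = {
    "hr_share/onboarding.txt": (
        "Applicant: Jane Doe, SSN 123-45-6789, contact jane.doe@example.com\n"
    ),
    "finance_db/export.csv": (
        "id,name,card\n"
        "1,John Roe,4111 1111 1111 1111\n"   # test PAN, passes Luhn
        "2,Mary Major,1234567812345678\n"    # 16 digits, fails Luhn
    ),
    "wiki/meeting-notes.txt": "Ticket 000-12-3456 was closed.\n",  # SSN-shaped, area 000 is never issued
}

# Detection patterns. SSN area numbers 000, 666 and 900-999, group 00 and
# serial 0000 are never issued, so those shapes are rejected up front.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(kind, value):
    """Keep only the last four digits (or the email domain) for the report."""
    if kind == "email":
        return "***@" + value.split("@", 1)[1]
    out, kept = [], 0
    for ch in reversed(value):
        if ch.isdigit() and kept < 4:
            out.append(ch)
            kept += 1
        elif ch.isdigit():
            out.append("*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def find_pii(text):
    """Return one finding per match: kind, line number and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0).strip()
                if kind == "card" and not luhn_valid(re.sub(r"\D", "", value)):
                    continue  # digit run is not a card number
                findings.append({"kind": kind, "line": lineno, "masked": mask(kind, value)})
    return findings


def inventory(sources):
    """Map each source to a count of PII kinds found in it."""
    return {name: dict(Counter(f["kind"] for f in find_pii(text)))
            for name, text in sources.items()}


if __name__ == "__main__":
    for source, counts in inventory(SAMPLE_SOURCES).items():
        print(f"{source}: {counts or 'no PII found'}")
```

Pattern matching only finds PII that has a recognizable shape; names, dates of birth and free-text medical notes need the data-flow interviews and schema reviews described above, and every hit still has to be confirmed by a person before it goes into the inventory.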
2) Guidance to minimize the use, collection, and retention of PII to that which is strictly necessary to accomplish the business purpose and mission.
The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores. For example, an organization should only request PII in a new form if the PII is absolutely necessary. Also, an organization should regularly review its holdings of previously collected PII to determine whether it is relevant and necessary for meeting the organization's business purpose and mission.
CSRSI will assist you in the following:
- Review current holdings of PII and ensure they are accurate, relevant, timely, and complete
- Reduce PII holdings to the minimum necessary for proper performance of agency functions
- Develop a schedule for periodic review of PII holdings
- Establish a plan to eliminate the unnecessary collection and use of SSNs and other PII.
3) Categorizing PII by the PII confidentiality impact level.
PII will be evaluated to determine its PII confidentiality impact level. The PII confidentiality impact level—low, moderate, or high—indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed. We provide a list of factors an organization should consider when determining the confidentiality impact level. We make recommendations; the client then decides which factors to use for determining impact levels, and the appropriate policy, procedures, and controls are created and implemented. The following are examples of factors:
- Identifiability. Evaluate how easily PII can be used to identify specific individuals. For example, a SSN uniquely and directly identifies an individual, whereas a telephone area code identifies a set of people.
- Quantity of PII. Consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts. The PII confidentiality impact level should only be raised and not lowered based on this factor.
- Data Field Sensitivity. Evaluate the sensitivity of each individual PII data field. For example, an individual's SSN or financial account number is generally more sensitive than an individual's phone number or ZIP code. Organizations should also evaluate the sensitivity of the PII data fields when combined.
- Context of Use. Evaluate the context of use—the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated. The context of use may cause the same PII data elements to be assigned different PII confidentiality impact levels based on their use. For example, suppose that an organization has two lists that contain the same PII data fields (e.g., name, address, phone number). The first list is people who subscribe to a general-interest newsletter produced by the organization, and the second list contains a preferred customer database. If the confidentiality of the lists is breached, the potential impacts to the affected individuals and to the organization are significantly different for each list.
- Obligations to Protect Confidentiality. An organization that is subject to any obligations to protect PII should consider such obligations when determining the PII confidentiality impact level. Obligations to protect generally include laws, regulations, or other mandates (e.g., Privacy Act).
- Access to and Location of PII. Organizations may choose to take into consideration the nature of authorized access to and the location of PII. When PII is accessed more often or by more people and systems, or the PII is regularly transmitted or transported offsite, then there are more opportunities to compromise the confidentiality of the PII.
4) Applying the appropriate safeguards for PII based on the PII confidentiality impact level.
Not all PII should be protected in the same way. Organizations should apply appropriate safeguards to protect the confidentiality of PII based on the PII confidentiality impact level. Some PII does not need to have its confidentiality protected, such as information that the organization has permission or authority to release publicly (e.g., an organization's public phone directory). CSRSI assists with the creation of operational safeguards, privacy-specific safeguards, and security controls, such as:
- Creating Policies and Procedures. Development of comprehensive policies and procedures for protecting the confidentiality of PII.
- Developing Training. Reducing the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training before being granted access to systems containing PII.
- De-Identifying PII. De-identifying records by removing enough PII such that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. De-identified records can be used when full records are not necessary, such as for examinations of correlations and trends.
- Using Access Enforcement. Controlling access to PII through access control policies and access enforcement mechanisms (e.g., access control lists).
- Implementing Access Control for Mobile Devices. Prohibiting or strictly limiting access to PII from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDA), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization's facilities).
- Providing Transmission Confidentiality. Protecting the confidentiality of transmitted PII. This is most often accomplished by encrypting the communications or by encrypting the information before it is transmitted.
- Auditing Events. Monitoring events that affect the confidentiality of PII, such as inappropriate access to PII.
5) Developing an Incident Response Plan to handle breaches involving PII.
Breaches involving PII are hazardous to both individuals and organizations. Harm to individuals and organizations can be contained and minimized through the development of effective incident response plans for breaches involving PII. CSRSI assists organizations in developing plans that include elements such as determining when and how individuals should be notified, how a breach should be reported, and whether to provide remedial services, such as credit monitoring, to affected individuals.