Conduct an impact assessment to acquire security funding
Takeaway: While you understand the importance of protecting personally identifiable information (PII) in your organization, that doesn't mean that the ones holding the purse strings do. How can you convince them? A good place to start is by performing an impact assessment.
Protecting personally identifiable information (PII) is a major responsibility. As its name implies, PII is any information about an individual that you can use to trace or identify that person. PII includes education records, financial transactions, medical history, employment history, and more.
PII is a huge deal these days. Not only is it a part of major legislation like HIPAA, but it's also been the cause of some really bad PR for some major companies. But make no mistake—PII affects your organization, regardless of its size.
Your company's clients and employees must trust your ability to protect their PII; any sort of mismanagement of this data will erode that trust. And sooner or later, no trust leads to no clients.
That's why you need to take steps to protect PII in your organization. The last thing you want to do is notify customers of a data loss or breach. Developing a comprehensive action plan for the protection of PII is where you need to begin.
Before you start looking for a security solution that will ultimately cost your organization in materials, man hours, and money, do your homework. Conduct an impact assessment to determine the financial and regulatory impact of losing or disclosing PII. You can then use this exercise to show the people who control security funding why you need to develop a plan for protecting PII.
To perform an impact assessment, follow these steps:
- Identify all corporate data that contains PII—you can't begin to protect something if you don't know where it is. Develop procedures that specify the approved locations for the electronic storage of that data, and move the data to its approved storage location if necessary.
- Evaluate and separate PII data based on the level of impact if you lose or disclose that data. Keep in mind that disclosing employee records will have a different impact than disclosing client records.
- Develop and implement a plan to encrypt all PII for confidentiality. All hard drives, tapes, and removable media should automatically encrypt this data as the system writes it to the media. The encryption should meet or exceed any regulatory requirements.
- Develop a policy and procedure that identifies who can access this data.
- Develop a policy and procedure that identifies how someone can access this data. For example, can mobile devices access this data? Is it remotely available? Is the mobile/remote device a company or personal asset? Who approves local and remote access requests?
- Establish the chain of events for a loss or suspected loss of data. If you do lose or disclose PII, you need to have a plan in place well before that happens.
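The first two steps above (find where PII lives, then rank each location by impact) can be turned into a repeatable inventory. The script below is an added illustration, not part of the original column: it scans a few constructed sample data stores for common PII patterns (SSN-shaped numbers, Luhn-valid card numbers, e-mail addresses) and ranks each store by the highest impact tier it contains. The file contents, pattern set and tier values are assumptions chosen for the example.

```python
import re

# Constructed sample data stores (path -> contents); none of this is real data.
SAMPLE_STORES = {
    "hr/employees.csv": "name,ssn\nJane Roe,123-45-6789\nJohn Doe,987-65-4321\n",
    "sales/clients.csv": "name,card\nAcme Corp,4111111111111111\n",
    "marketing/newsletter.txt": "contact: someone@example.com\n",
    "docs/readme.txt": "No personal data here.\n",
}

# PII detectors: each category maps to a regular expression (assumption: a minimal set).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d{13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Impact tier per category (assumption: 3 = high, 1 = low; tune to your regulatory exposure).
IMPACT = {"ssn": 3, "card": 3, "email": 1}
TIER_NAME = {0: "none", 1: "low", 3: "high"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_store(text: str) -> dict:
    """Return {category: hit_count} for the PII categories found in one store."""
    found = {}
    for category, rx in PATTERNS.items():
        hits = rx.findall(text)
        if category == "card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            found[category] = len(hits)
    return found


def assess(stores: dict) -> list:
    """Rank stores by their highest impact tier, then by path for a stable report."""
    report = []
    for path, text in stores.items():
        found = scan_store(text)
        level = max((IMPACT[c] for c in found), default=0)
        report.append((path, level, found))
    report.sort(key=lambda r: (-r[1], r[0]))
    return report


if __name__ == "__main__":
    for path, level, found in assess(SAMPLE_STORES):
        print(f"{TIER_NAME[level]:5} {path:28} {found}")
```

The ranked output is the list you take to the funding discussion: the high-tier stores are the ones whose loss triggers notification and regulatory cost, so they are encrypted and access-restricted first.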
After you know what data you're protecting and have an idea of how stringently you want to protect it, conduct a risk assessment. It should show the various ways this data is at risk, as well as define how you intend to remediate each risk.
Final thoughts
PII data is a high-priority target for identity theft criminals and black hats who want to brag about breaching your company's security. Protecting PII is something you need to address before a loss occurs—not afterward. While you won't be reading about your security strategy in the news, you can bet you'll read about your lack of security safeguards if you fail to act.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.