A Practical Guide For Protecting Our Most Important Information
It seems that week after week there is a new story in the news about yet another company suffering a data breach. It has become so commonplace that only the truly large breaches make the headlines. Yet despite the staggering number of breaches, many people in the education field still don’t believe it could happen to their district. However, the 2020 State of K-12 Cybersecurity Report from k12cybersecure.com shows an 18 percent year-over-year increase in publicly disclosed incidents. With increases of this size happening year after year, how can we continue to protect the sensitive information and PII that our districts hold and steer clear of data breaches? In this article, we will go over what exactly PII is and the 5 steps you and your district can take to protect and secure the data in your district.
What is PII?
PII is an acronym for Personally Identifiable Information and is the name for some of the most important data that our systems may hold. NIST, the National Institute of Standards and Technology, classifies the following as PII. Name: an individual’s full name, maiden name, alias, or mother’s maiden name. ID number: Social Security, passport, driver’s license, tax ID, or credit card number. Address: email or physical mailing address. Characteristics: photographs, fingerprints, signature or handwriting, and other biometric data such as voice signature or facial geometry. Linkable data: other indirect data that links a person to one of the above categories, such as employment information, medical history, date of birth, or financial information. This information can be divided into two separate groups, sensitive PII and non-sensitive PII. These groups help determine how the data should be stored, who can have access to it, and what can be shared with others.
The first step is for the district to identify what PII it is collecting as well as where that information is being stored. This step seems simple, but the reality is that if you don’t know where the data is, you cannot know whether it is being protected. When identifying what PII is being collected, be sure to document and sort through the data and check for anything that is collected but never used. Data storage should also be documented, covering not only where the data is stored at rest but also where it travels in transit and where it is processed while in use. Ideally, you should be able to map out where the data is located at any given time.
Once you know where the data is, the next step is to classify it. Generally speaking, there are two kinds of PII: sensitive data and non-sensitive data. Sensitive PII is data that is not easily found or available from public sources; examples would be SSNs, driver’s license numbers, or medical data. Non-sensitive PII is data that can be found easily from public sources, such as someone’s date of birth or address. These classifications will help the district determine how much protection the data it collects needs and how many resources it may need to allocate to protect it properly. For example, sensitive PII must be encrypted to ensure that the data is adequately protected, while non-sensitive PII can remain unencrypted because the information is generally available from public sources. Keep reading to learn more about how to encrypt sensitive data.
The third step in protecting PII is all about controlling access to the data and establishing guidelines for those using or interacting with it. To best protect the PII that the district is collecting, the principle of least privilege must be applied. The principle of least privilege is the information security concept that a user is given only the minimum level of access, or permissions, needed to perform their job functions. For example, the school counselor may have more access to a student’s protected PII than the school custodian. This is not to say that one of them is more important than the other, but rather to emphasize that certain roles in the district legitimately need more access to PII, and that this should be taken into account when assigning and maintaining permissions to the data.
A great way to assign and maintain permissions to stored PII is through the use of groups or roles. Instead of assigning permissions person by person, which is error-prone, we should create groups or roles such as school counselor, teacher, or school administration and then assign each person to the correct role. This greatly reduces the risk of someone having access to data they are not supposed to have, and it allows people to be moved easily between roles as they move up or around the district. Each group or role should have the appropriate level of access and should be held accountable for how it interacts with the data. This also makes auditing and maintaining permissions easy, without having to add or remove individual permissions by hand.
Once the data is identified and classified, and people have been given the appropriate level of access, the next step is to encrypt the data. Encrypting data allows for more secure storage in the district, preventing someone without the correct access from seeing the plaintext data and keeping the PII from getting into the wrong hands. One of the best encryption algorithms to use for PII is AES (Advanced Encryption Standard). AES is a symmetric block cipher that NIST, the National Institute of Standards and Technology, and the U.S. government have declared an encryption standard for protecting sensitive information. It uses a block size of 128 bits and has three different key lengths: 128, 192, and 256 bits. By encrypting sensitive PII, the district can maintain secure access to the data and prevent any wandering eyes that might be looking with the wrong intentions.
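The following Go program is an added example, not code from the original article, that ties steps 2 through 4 together: a hypothetical student-record schema is classified into sensitive and non-sensitive fields, only the sensitive fields are encrypted with AES-256 (in GCM mode, which is the author of this example's choice of mode since the article names only AES), and a hypothetical role table decides which roles may decrypt them. The field names, roles and key are assumptions; a real deployment would load the key from a key management system rather than a constant.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical student-record classification (step 2) and role grants for sensitive fields (step 3).
var Sensitive = map[string]bool{"ssn": true, "medical": true, "name": false, "dob": false}
var RoleAccess = map[string]map[string]bool{"counselor": {"ssn": true, "medical": true}, "teacher": {}}

// NewFieldCipher builds the AES-GCM cipher used for sensitive fields; a 32-byte key selects AES-256.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectRecord encrypts only the sensitive fields, each under a fresh random nonce prepended to its ciphertext.
func ProtectRecord(gcm cipher.AEAD, rec map[string]string) (map[string][]byte, error) {
	out := make(map[string][]byte, len(rec))
	for f, v := range rec {
		out[f] = []byte(v) // non-sensitive fields are stored as-is
		if Sensitive[f] {
			nonce := make([]byte, gcm.NonceSize())
			if _, err := rand.Read(nonce); err != nil {
				return nil, err
			}
			out[f] = gcm.Seal(nonce, nonce, []byte(v), nil)
		}
	}
	return out, nil
}

// ReadField returns a non-sensitive field to any role; a sensitive field is decrypted only for a role granted it.
func ReadField(gcm cipher.AEAD, role, field string, stored map[string][]byte) (string, error) {
	c, n := stored[field], gcm.NonceSize()
	if !Sensitive[field] {
		return string(c), nil
	}
	if !RoleAccess[role][field] || len(c) < n {
		return "", errors.New("access denied or malformed ciphertext: " + field)
	}
	p, err := gcm.Open(nil, c[:n], c[n:], nil) // GCM also rejects any tampered ciphertext
	return string(p), err
}
```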
Finally, the last step in protecting PII is to document the procedures and policies for using or interacting with PII. Your district’s policy should include the types of data you store, which PII is sensitive versus non-sensitive, and how each type of data must be stored and protected. Once the policies and procedures have been documented, be sure to educate your users about them. User training will go a long way in making sure that staff and employees handle the data correctly and in preventing accidental leaks of sensitive data. Another great way to make sure people handle data correctly is the use of an acceptable use policy (AUP). This document lays out guidelines for how PII is to be handled and clearly states any disciplinary actions that can be taken if the data is not handled correctly. Each staff member or employee signs the AUP and is then held accountable to the standards outlined in the document.
By following these 5 steps, identifying and locating PII, classifying PII, controlling access to PII, encrypting PII, and creating policies and procedures for PII handling, we can prevent data breaches and continue to protect the information stored in our district. The student and employee data we are entrusted with is important and valuable, and we must take the necessary steps to fully protect it.
We advise reviewing and implementing these best practices to better protect your domain and your personally identifiable information. If you are a customer, please reach out to us if you need assistance or guidance in implementing these methods. For more information, please contact firstname.lastname@example.org!