
What is PII?
PII, Personally Identifiable Information, is any information that can be used, on its own or combined with other data, to identify a specific person: a name, Social Security number, date of birth, home address, email address, account number and the like. It is not a new term. Most IT professionals already know it, and everyone knows the importance of keeping the network protected and the information secure. This article is intended to be a useful reference, collecting the background and key information about PII in one place for your own use and for training others. It begins with the fundamentals and then follows up with some of the more technical aspects.
Who Has PII?

Network Storage and Data Security
Data exists everywhere on your network. From the credentials your employees use to log in to various systems to the records stored on any number of computers, data is everywhere, and a good deal of it is PII. Many companies (and non-profits) hire on-site or third-party consultants to help with information technology and security tasks. Even that may not be enough to prevent a data breach. All data can be described under one umbrella term, but not all data is created equal. Data exists in one of three states, and knowing which state each piece of data you hold is in helps you understand how it is exposed.

Data in Use
Data in use is data that is actively being processed: open in an application, held in memory, or displayed on the screen of the workstation an employee uses to do their job. It is handled at a single endpoint, is not sitting unused, and is not being sent across or out of the network. Because data typically has to be decrypted to be worked on, data in use is exposed to whoever, or whatever, can access that endpoint.

Data at Rest
SharePoint, Exchange servers, web servers, storage systems, file servers, databases and backups are all places where data is at rest. Like data in use it lives at an endpoint, but it is being stored rather than worked on. Think of it this way: A canary yellow '69 Boss Mustang sits in an automobile museum in Daytona. One day you drive your new Mustang GT to the museum to look at the cars of yesteryear. For that period both cars are in Daytona, perhaps within 100 yards of each other, one locked away and one in the parking lot. Both are at an endpoint, yet their functions are very different: your modern car is in daily use, and the historic muscle car is rarely even started. Data in use is being worked on; data at rest is stored, and it is easy to forget it is there.

Data in Motion
The final state is "in motion". Data in motion, as the name implies, is any data being transferred within or out of the network. Email, file transfers and similar operations are all forms of data in motion. Data in motion is often the most exposed, especially once it leaves the network, because it crosses links and intermediaries you do not control. All three states are open to attack, however.
States of Data and PII
You might wonder why the states of data matter, and that is a fair question. The answer is that every state matters when you plan how to protect the PII on your network. Data at rest is easy to forget about, and data in motion is, well, on the move, so you might not think of it as part of your network at all. Any plan that seeks to protect employee and company information has to cover all three states to be complete and effective.

Types of Data Loss
Data loss can happen at any moment, and it is a real cause for concern if you are not continually monitoring and protecting the PII on your network. Just as there are states of data, there are also types of data loss.

Accidental Data Loss
Nobody is immune from losing data by accident. This kind of loss occurs when someone is negligent or an oversight results in data being lost or exposed. If a file containing employee or customer PII is left lying around and ends up in the wrong hands, that is accidental data loss. There are almost endless ways to lose data accidentally, which is why it is important to have a reliable system in place to prevent it.

Malicious Data Loss
Malicious data loss occurs when someone intentionally steals, manipulates, inappropriately distributes or otherwise tampers with PII or other data. The scenario most people picture is an attacker breaking into your systems and stealing PII. An accidental oversight can also lead to malicious loss: if you leave a screen showing employee PII visible while you have an office visitor, that visitor may use the information for malicious purposes. For simplicity, though, malicious data loss usually refers to deliberate action by a person or group seeking to tamper with or steal PII.

Creating Acceptable Use Policies (AUPs)
If you’re reading all of this with a growing sense of panic, that may be a sign that you need to put more time and/or resources into the handling of PII. But it’s not all bad news. While there are legitimate reasons for concern, there are also some best practices that can help you avoid accidental or malicious data loss and keep your company PII safe. The most common way to protect your company’s and employees’ PII is to create acceptable use policies that define and meticulously describe the forms of data within the company and the appropriate, approved ways that data can be handled, used, and transferred.
What is an AUP?

Why is an AUP Necessary?
You might think it would be enough to tell employees to be careful with the data they use and the security problem would be solved. Unfortunately, that is not how it works. An acceptable use policy ensures that everyone uses and manages data the same way, and that the procedure you have determined to have the best chance of success is understood and followed by everyone in the company. It is a standard that holds everyone accountable and improves the odds of keeping your data secure.

How to Develop an AUP
Creating a single policy that covers every security base sounds daunting. If you follow the six general steps below, though, you should arrive at a policy that addresses the pertinent issues and the common areas of weakness.

Step 1: Identify
The first step is to identify all the personally identifiable information your organization holds: which kinds of PII (SSNs, dates of birth, payment card numbers, home addresses and so on) and which business processes collect or use them. Remember to cover all three states of data, including data at rest and data in motion, not just the data in use on employees' workstations.

Step 2: Prioritize
Once you have your list of PII, the next step is to prioritize it. There are several ways to do this, but the most useful is from most sensitive to least sensitive. The SSNs of your clients and employees are extremely sensitive, while the corporate email addresses of your employees are far less so. Keep in mind that PII lower on the list still has to be protected. Consulting whatever industry regulations you are subject to will help here: if you are in health care, I probably don't have to tell you that the Health Insurance Portability and Accountability Act (HIPAA) applies.

Step 3: Locate
Now you know which PII you hold and have ranked it from most to least sensitive. The next step is to find where each kind actually lives: which file shares, databases, mailboxes, backups and workstations contain it, and which network paths it travels. Document the location of all the PII on your network, then move on. LinkTek is developing software that can help with this; depending on when you read this article, it may already be available.
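As an added example that is not part of the original article or of any LinkTek product, here is a small PII discovery pass in Python covering steps 1 to 3: it scans a set of files for candidate Social Security numbers, payment card numbers and email addresses, validates each candidate (SSA issuance rules for SSNs, the Luhn check for card numbers) to cut false positives, and produces a per-location inventory ranked by sensitivity, with matched values masked so the inventory itself does not become another PII store. The three sample "files", their contents and the sensitivity ranking are constructed for the demonstration; the file suffixes read by scan_tree and the regular expressions are assumptions you would tune for your own data.

```python
"""PII discovery pass over a set of files (added example, not LinkTek code).

Finds candidate SSNs, payment card numbers and e-mail addresses, validates them,
and builds a per-location inventory ranked by sensitivity.  The sample files at
the bottom are constructed for the demonstration; the values are not real.
"""
import re
from collections import defaultdict
from pathlib import Path

# Assumed sensitivity ranking used for prioritisation (higher = more sensitive).
SENSITIVITY = {"ssn": 3, "card": 2, "email": 1}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digit runs, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; screens out most random digit runs
    (ticket numbers, build ids) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {kind: [raw matches]} for the validated PII in one document."""
    found = defaultdict(list)
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"].append(digits)
    for m in EMAIL_RE.finditer(text):
        found["email"].append(m.group(0))
    return dict(found)


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory is not itself a PII store."""
    return "*" * (len(value) - 4) + value[-4:]


def inventory(files: dict) -> list:
    """Scan {path: content} and return one row per location holding PII,
    most sensitive location first (ties broken by path)."""
    rows = []
    for path, content in files.items():
        hits = find_pii(content)
        if not hits:
            continue
        rows.append({
            "path": path,
            "score": max(SENSITIVITY[k] for k in hits),
            "counts": {k: len(v) for k, v in hits.items()},
            "samples": {k: [mask(x) for x in v] for k, v in hits.items()},
        })
    return sorted(rows, key=lambda r: (-r["score"], r["path"]))


def scan_tree(root: str, suffixes=(".csv", ".txt", ".log")) -> list:
    """Run inventory() over the text files under a directory (suffix list is an assumption)."""
    files = {str(p): p.read_text(errors="ignore")
             for p in Path(root).rglob("*") if p.is_file() and p.suffix in suffixes}
    return inventory(files)


# Constructed sample "files": one valid and one impossible SSN, one Luhn-valid
# test card number, one 14-digit build id that fails Luhn, and two e-mail addresses.
SAMPLE_FILES = {
    "hr/payroll_2023.csv": "name,ssn\nAlice Example,123-45-6789\nBob Example,000-12-3456\n",
    "web/app.log": "2023-04-22 user=carol@example.com checkout card=4111 1111 1111 1111\n",
    "it/notes.txt": "ticket 4023 refers to build 12345678901234; contact dave@example.org\n",
}

if __name__ == "__main__":
    for row in inventory(SAMPLE_FILES):
        print(row["score"], row["path"], row["counts"], row["samples"])
```

Run against the constructed samples, the payroll file ranks first (it holds the only valid SSN), the web log second (a Luhn-valid card number plus an email address), and the IT notes last (only an email; the 14-digit build id is dropped because it fails the Luhn check, and the impossible SSN 000-12-3456 is dropped by the issuance rules). Point scan_tree at a real file share to get the same ranked inventory for step 3, and feed the masked samples, not the raw values, into your documentation.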
Step 4: Creation
AUP creation can be an extensive process, and all of it cannot be covered in a single article, but if you have followed steps one through three you have a strong foundation to build on. List the types of PII on your network, how important each is, and where it can be found. Then write rules of engagement for each location and type of data: who may access it, how it may be handled and transferred, and which data must never be sent out of the network. This is where finding and following every applicable regulation is not just a good idea but vital. I have already mentioned HIPAA (for those in health care), but there are many others, and one or two may apply to your field. For example, if you are a U.S. federal agency, or a contractor operating a system of records on an agency's behalf, the Privacy Act of 1974 applies; the General Services Administration (GSA), one of many federal agencies, publishes its own Privacy Act rules. While not necessarily applicable to other types of organizations, Johns Hopkins University's AUP is an example of what a finished policy looks like. This is one place where Information Technology and Information Management (IM) can and should work together. At the least, there should be a legal officer in your organization who is (or becomes) knowledgeable about which regulatory bodies you fall under and what they require for storing, securing, handling and protecting PII.

Step 5: Education
Once your AUP is in place, train every employee on how to handle this information. Cover every section of the AUP and walk through in-person examples so employees truly know what is and is not appropriate when handling, using, viewing, transferring and managing the various types of PII on your network.

Step 6: Execution
Now you have to carry out the AUP and keep it in force. At the start this may mean IT and/or IM actually changing where and how data is stored and transferred, and then monitoring that the rules are followed. This is another place where technology gets involved, and it would be the subject of an article all by itself.

Understanding Liability

The least you need to know is that PII is everywhere, it’s incredibly important, and securing it should be your top priority. Make sure you know the various types of PII you have on your network, and do your part to create acceptable use policies that clearly state your expectations for how employees use and manage this data. While no system of PII protection is ever perfect, with an AUP in place you’ll be able to demonstrate that you understand how important it is to protect the PII on your network and that you took steps to ensure its security. Putting in the work today can help you save time, money, and even your business. As an added bonus, you’ll help improve your reputation and secure the trust of your clients, as well.
I am curious and more interested in some of them; I hope you will give more information on these topics in your next articles. Apr 22, 05:28