NORS -- CSRIC Best Practices Result

CSRIC Best Practices Result

Detailed Information for the Best Practice: 9-8-8769

Number 9-8-8769
Priority Highly Important
Description Protection of Personally Identifiable Information (PII): Service Providers should protect Personally Identifiable Information by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
Policies for PII protection should be clearly identified and enforced. Specifically,
(a) Organizations should identify all PII residing in their environment.
(b) Organizations should minimize the use, collection, and retention of PII to what is strictly necessary to reduce the likelihood of harm caused by a breach involving PII. Also, an organization should regularly review its holdings of previously collected PII to determine whether the PII is still relevant and necessary for meeting the organization's business purpose and mission. For example, organizations could have an annual PII purging awareness day.
(c) Organizations should categorize their PII based on confidentiality impact levels. For example, a PII confidentiality impact level (low, moderate, or high) should be used to indicate the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.
(d) Organizations should apply the appropriate safeguards for PII based on the PII confidentiality impact level. Specifically, operational safeguards, privacy-specific safeguards, and security controls should be used.
(e) Organizations should develop an incident response plan to handle breaches involving PII. The plan should include elements such as determining when and how affected individuals should be notified, and how a breach should be reported.
(f) Organizations should establish processes for coordination and addressing issues related to PII when multiple parties are involved (e.g., users, relying parties and identity providers or members of a federation).
Network Type(s) Cable; Internet/Data; Satellite; Wireless; Wireline
Industry Role(s) Service Provider
Keyword(s) Cyber Security; Encryption; Information Protection; Intrusion Detection
Reference/Comments NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).