|Description||Protection of Personally Identifiable Information (PII): Service Providers should protect Personally Identifiable Information by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
Policies for PII protection should be clearly identified and enforced. Specifically,
(a) Organizations should identify all PII residing in their environment.
(b) Organizations should minimize the use, collection, and retention of PII to what is strictly necessary, to reduce the likelihood of harm caused by a breach involving PII. An organization should also regularly review its holdings of previously collected PII to determine whether the PII is still relevant and necessary for meeting the organization's business purpose and mission. For example, organizations could hold an annual PII purging awareness day.
(c) Organizations should categorize their PII based on confidentiality impact levels. For example, a PII confidentiality impact level of low, moderate, or high should be used to indicate the potential harm that could result to the subject individuals and/or the organization if the PII were inappropriately accessed, used, or disclosed.
(d) Organizations should apply the appropriate safeguards for PII based on the PII confidentiality impact level. Specifically, operational safeguards, privacy-specific safeguards, and security controls should be used.
(e) Organizations should develop an incident response plan to handle breaches involving PII. The plan should include elements such as determining when and how affected individuals should be notified, and how a breach should be reported.
(f) Organizations should establish processes for coordination and addressing issues related to PII when multiple parties are involved (e.g., users, relying parties and identity providers, or members of a federation).|
|Network Type(s)||Cable; Internet/Data; Satellite; Wireless; Wireline|
|Industry Role(s)||Service Provider|
|Keyword(s)||Cyber Security; Encryption; Information Protection; Intrusion Detection|
|Reference/Comments||NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).|