The findings of a PIA and information security risk assessment should inform the development of your risk management and information security policies, plans and procedures.
Once the risks have been identified, review your information security controls (virtual and physical) to determine whether they are adequate to mitigate those risks. Given that processes, information, personnel, applications and infrastructure change regularly, and given the constantly evolving technology and security risk landscape, regular review and monitoring of personal information security controls is crucial.
The Guide to Securing Personal Information (January 2015) is a great tool for performing an information security risk assessment. The Guide introduces the concept of ‘reasonable steps’ that need to be taken to protect Personal Information. What counts as reasonable will always depend on the circumstances, including the following:
- The nature of your entity
- The amount and sensitivity of the personal information held
- The possible adverse consequences for an individual in the case of a breach
- The practical implications of implementing the security measure, including the time and cost involved
- Whether a security measure is itself privacy invasive.
The steps and strategies which may be reasonable to take according to the Guide are noted below. In order to protect any Personal Information that you hold, you essentially have to implement these steps and strategies in your organisation:
- Governance, culture and training
- Oversight, accountability and decision-making
- Personnel security and training
- Internal practices, procedures and systems
- ICT security
- Software security
- Network Security
- Whitelisting and blacklisting
- Backing Up
- Email security
- Access security
- Trusted insider risk
- Identity management and authentication
- Access to non-public content on web servers
- Passwords and passphrases
- Audit logs, audit trails and monitoring access
- Individuals accessing and correcting their own personal information
- Third party providers (including cloud computing)
- General issues
- Cloud computing
- Data breaches
- Physical security
- Destruction and de-identification
- Destroying personal information — irretrievable destruction
- Destroying personal information held in electronic form — putting beyond use
- De-identifying personal information
The list above can look a little overwhelming, but a methodical and detailed approach will get you there. Start with a health check to see how you stack up against the Guide. The key is to recognise this as a program of works: applying the relevant disciplines to it, and making available the resources needed to complete the tasks, is critical to success. This is not an activity that can be completed as a side project. Please also note that outsourcing the processing, transmission or storage of Personal Information (such as to the cloud) does not absolve the organisation collecting the data of its obligations to protect it.
If your organisation holds Personal Information of European citizens, you may also have significant international obligations under the EU General Data Protection Regulation, which carries even more serious ramifications. Refer to http://www.eugdpr.org/
So please get on top of your Personal Information protection measures! The legislation will come into force on 22 February 2018 and the time to act is NOW!
Ashwin Pal is the Unisys Director of Security Services responsible for Unisys’s security business in the Asia Pacific region.
Brian Hay is Lead CISO Advisor, APAC, cyber evangelist, public speaker and commentator.