TIME FOR CYBERSECURITY: 12 STEPS TO IMPROVE YOUR INFORMATION SECURITY PRACTICES
Step 2. Access Controls.
The Federal Trade Commission recommends managing access to personally identifiable information (the “PII”) sensibly. Not all employees in an organization should have equal access rights to the information that a business collects. A manager in a human resources department may have a permissible purpose to access other employees’ PII, such as a Social Security number or date of birth. However, granting such access to an intern in the public relations department would not appear to be necessary or justifiable. Business entities must conduct comprehensive assessments to determine which individuals have a permissible “need to know.” Based on such assessments, organizations should be prepared to:
- Develop clearance procedures to determine who must be granted access to what information.
- Implement access control policies efficiently, such as a Rule of Two for accessing sensitive PII.
- Set up internal procedures for sanctioning noncompliant employees.
Identifying and efficiently controlling who can justifiably access specific PII assets minimizes the risk that PII may end up in the wrong hands and be used for improper purposes.
“Step 3” coming soon…