Step 3. Segment Your Network.

Not all information collected from data subjects, namely your customers and clients, is personally identifiable information (“PII”), and not all of it requires identical security measures. Knowing your information inventory and classifying information according to its level of sensitivity helps to prioritize the resources used to safeguard it. The specific information security requirements imposed by the government typically depend on the type of information a business processes. Data breach notification requirements often depend on the specific type of data that was accessed without authorization. It is recommended to keep more sensitive PII separate from other information and to implement more stringent security measures to protect it.

Step 4. Designate an Information Security Officer.

Information processing comes with accountability. Business entities must have at least one individual within the organization’s management structure who is responsible for creating, implementing and keeping security policies up to date. In some states, cybersecurity regulations impose a requirement to appoint a Chief Information Security Officer (CISO). The New York State Department of Financial Services regulations passed in 2017 require covered financial institutions to have a CISO who is responsible for “compliance with the cybersecurity regulations and who must submit a written report to the Board of Directors, at least annually, that documents the company’s cybersecurity program and risks.” (N.Y. Comp. Codes R. & Regs. Tit. 23, Section 500.04).

To read more, see the Intro to 12 Steps blog:

“Step 5” coming soon…