Step 11. Develop Reasonable Physical Safeguards to Protect your PII.
Information protection starts with securing access to the physical facilities where PII is stored. The following recommendations are mandated for PII processed within the healthcare sector but may be applied to any business with facilities storing PII:
- Limit physical access to facilities.
- Establish contingency operations and plans for restoration of lost data.
- Develop policies and procedures to physically safeguard equipment and to control and limit physical access to the facilities.
- Document repairs and modifications to doors, locks, and other physical access components that lead to the physical location where data is stored.
- Develop physical safeguards to restrict access to authorized users.
- Develop procedures to restrict the physical removal and transit of devices that store PII. (45 C.F.R. Section 164.310)
Step 12. Periodic Evaluations.
Government regulations change, software companies issue security updates, lessons are learned from PII security incidents, and new and more effective information security standards are developed and made available by the information security industry. Therefore, regular evaluations of policies are necessary to identify new vulnerabilities that pose threats to PII assets. The risk of an incident cannot be avoided completely; however, staying up to date may significantly minimize exposure to that risk.
To read more, see the Intro to 12 Steps blog: