Today the U.S. Federal Trade Commission (FTC) released a 24-page guide, “Protecting Personal Information: A Guide for Business.”
Within the guide the FTC advises businesses to protect personally identifiable information (PII) through the following actions:
“TAKE STOCK. Know what personal information you have in your files and on your computers.
SCALE DOWN. Keep only what you need for business.
LOCK IT. Protect the information you keep.
PITCH IT. Properly dispose of what you no longer need.
PLAN AHEAD. Create a plan to respond to security incidents.”
Indeed, all good directives.
The devil is in the details, though. Organizations can take this high-level framework and build upon it the policies, procedures, technologies and practices unique to their organization. This guide is providing the shell of the car body; organizations need to provide the nuts, bolts, engine, and all the other parts necessary to make it run well.
However, the guide does provide checklists, recommendations and tips for creating a breach response plan, so it does provide a starting basis.
This guide will seem very rudimentary to organizations with well-defined and long-established information security programs. However, for those who have old or non-existent programs, or are just dealing with information security in an ad-hoc way, this guide will be useful. It will also be useful for small and medium-sized businesses (SMBs) that often do not have the dedicated or experienced resources to address the wide scope of information security issues.
Even well established security programs can use this as a baseline against which they can see how their own program is doing.
Basically this is a very good PII protection primer. In fact, this could be good to get and give to each of your business leaders to help them understand the issues around and importance of safeguarding PII.
The U.S. taxpayers paid for this, and it is professionally done and well-written, so take advantage of this free awareness-raising resource!
Tags: awareness and training, FTC, government, Information Security, IT compliance, PII, policies and procedures, privacy, privacy breach, regulatory compliance, risk management