Blog Article

Not all Information is Created Equal

Ensuring the privacy and information security of learner records is one of the requirements of the ANSI/IACET 2018-1 Standard for Continuing Education and Training. This is the second in a series of articles designed to help educational providers follow best practices in securing data. The first article outlined the need for organizations to know what personally identifiable information (PII) data is collected, to pinpoint its exact location and where it is stored, as well as to list who uses the data and why.

After cataloging PII data, the second step in securing learner records is to classify PII data in terms of sensitivity. A common mistake made by many organizations is to take an “all or none” approach.  Either they lock down all data or they do not lock down any data.  While the risks of not securing data are obvious, as counterintuitive as it seems, the risks of over-securing data can lead to a less secure environment.  Frustrated employees who view the controls as obstacles, tend to develop “off-the-book” procedures to work around the limitations, introducing vulnerabilities.  The reality is that employees in organizations where everything is tightly controlled start to become less aware of information security as they become desensitized to concept of confidentiality.

A more balanced approach recognizes that not all data is created equal, nor should all data be treated the same.  This promotes a culture where data handlers increase their awareness of data security.  By creating an organizational data classification scheme, companies create an environment where data users are constantly analyzing the data so they can classify it.  The classification system gives the users a framework on which to make decisions, promoting increased awareness.

When analyzing PII data, organizations should consider the following factors: 

1. Distinctiveness:  How unique is the PII data? If a single piece of data (e.g., social security number) can identify an individual by itself, it is an indication that the data is highly sensitive. 

2. Combined data: Sometimes a single piece of data by itself is not unique enough to identify a distinct individual (e.g., first name).  However, when combined with two or more pieces of data, the combined data would be able to identify a unique individual (e.g., first name, middle name, and last name).   

3. Compliance: There could be a variety of regulations or standards for PII in which an organization must adhere based on organization type, industry and/or jurisdiction.  Being familiar with these factors could help in ascertaining the data’s sensitivity.  For example: 
   • Education providers who accept credit card payments should be familiar with the Payment Card Industry Data Security Standard (PCI DSS). 
   • If an organization operates in or serves citizens of the European Union, compliance with the General Data Protection Regulation (GDPR) is required. 
   • Education providers serving the health care industry in the United States are required to follow HIPAA and HITECH. 

Using the above factors will allow organizations to begin classifying the data based on sensitivity.  At a minimum, organizations should create three levels of data classification: 

• Confidential: PII data that has been determined to be extremely sensitive because it could cause significant damage to the individual or organization if it were accessed by malicious actors would be applied to data that should be strictly controlled and only accessed on a need-to-know basis. 
• Privileged: This classification would be used for data that may not be as sensitive as confidential data but could still cause a moderate level of damage if it were compromised. Access to this data is only provided to users who interact with it as part of their roles. 
• Public: Data that has been determined to be non-sensitive would fall under this classification.  This data would have little or no access restrictions in place. 

Education providers who take the time to classify their learners’ PII data will discover many advantages to the exercise.  Besides maintaining regulatory compliance and being able to provide evidence of meeting the requirements of the ANSI/IACET 2018-1 Standard for Continuing Education and Training, data classification assists in organizing data in ways that help employees find the information they need to do their jobs. Finally, if the organization does unfortunately encounter a security breach, data classification will provide valuable information to the incident response team in accurately determining the damage and steps needed to rectify the situation.   

About the Author

Randy Bowman is the Vice President of Technology at IACET. Randy has over twenty years professional experience in project management, software design and development as well as IT operations and IT security for government agencies and non-profit associations.