SecurityMetrics PIIscan helps you find unencrypted data and comply with security mandates.
Personally Identifiable Information (PII) is data kept by an organization which can be used to “distinguish or trace an individual’s identity,” according to NIST. For example, PII could include names, birth dates, birth places, mothers’ maiden names, or social security numbers. “Linked PII” is any information that is linkable to an individual, like educational, medical, employment, or financial information.
Storing these types of (unencrypted) information on your systems and devices can leave your organization open to fines and make you more vulnerable to data theft.
Organizations can manually search for PII on their systems and devices, but doing so is time-consuming, tedious, and expensive in terms of working hours.
See also: Incident Response Plan White Paper
PIIscan was created to help organizations quickly find and secure unencrypted PII on their systems. The data discovery tool is now widely available and helps organizations and businesses of all sizes comply with data security mandates and standards in the US and EU.
This scanner runs light, but performs a big job. According to Product Manager Kai Whitaker, “PIIscan is designed to be quick, small, and powerful. Organizations find value and increase their security through the effective scanning that PIIscan provides.”
See also: SecurityMetrics Releases PIIscan
Of all the organizations that conducted first-time data discovery scans with SecurityMetrics PIIscan, 61% found unencrypted PII in their networks. Many times, this sensitive data shows up in accounting, marketing, or other unexpected areas or departments.
Caches of unencrypted PII are highly valuable to data thieves. PIIscan searches systems, hard drives, and attached storage devices for unencrypted sensitive data. If it does find unencrypted sensitive data, it provides you a path to the file location where the unencrypted information is found.
If you are fulfilling the requirements of security standards and mandates like the EU’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), or the Health Insurance Portability and Accountability Act (HIPAA), it’s important to know where PII is on your systems and whether it’s encrypted or not.
PIIscan searches not only for PII, but also for payment card data like primary account numbers and magnetic stripe track data. PIIscan finds the following information:
See also: GDPR 101 Part 1: Should I Be Worried?
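To show what a discovery scan of this kind actually does, here is an added example of a minimal scanner written for this page; it is not SecurityMetrics' PIIscan code and makes no claim about how PIIscan is implemented. It walks a directory tree, flags digit runs that look like primary account numbers and pass the Luhn check, magnetic-stripe track 2 data and US social security numbers, and reports the file path and line number of each hit with the value masked. The sample files it scans are constructed inside a temporary directory so the script runs offline.

```python
"""Added example (not SecurityMetrics' PIIscan): a minimal discovery scanner
for unencrypted card data and PII that reports where each hit was found."""
import os
import re
import tempfile

# Candidate PAN: a run of 13-19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run. The maximal run is taken; a PAN
# glued to other digits would be missed, which a real scanner handles by windowing.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry, 3-digit service
# code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]{0,30}\?")
# US SSN written with dashes: AAA-GG-SSSS
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the report is not itself a PII cache."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def find_sensitive(line):
    """Yield (kind, value) for each sensitive-data pattern found in one line."""
    for m in TRACK2_RE.finditer(line):
        yield ("track2", m.group())
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop invoice numbers and other digit runs
            yield ("pan", digits)
    for m in SSN_RE.finditer(line):
        yield ("ssn", m.group())


def scan_tree(root):
    """Walk root and return (path, line_no, kind, masked_value) for every hit."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for no, line in enumerate(fh, 1):
                        for kind, value in find_sensitive(line):
                            findings.append((path, no, kind, mask(value)))
            except OSError:
                continue            # unreadable file: skip, keep scanning
    return findings


def make_sample_tree():
    """Create a constructed sample tree (not real data) with hits in unexpected places."""
    root = tempfile.mkdtemp(prefix="piiscan_demo_")
    samples = {
        "accounting/invoices.txt": "Invoice 1234567890123 paid 2024-03-01\n"
                                   "Card on file: 4111 1111 1111 1111\n",
        "hr/roster.csv": "Jane Doe,123-45-6789,Accounting\n",
        "pos/swipe.log": ";4111111111111111=25121011234567890?\n",
        "marketing/notes.txt": "Campaign budget 100000 for Q3\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for path, no, kind, shown in sorted(scan_tree(make_sample_tree())):
        print(f"{kind:7} {shown:38} {path}:{no}")
```

The invoice number in the accounting file is a 13-digit run that fails the Luhn check, so it is not reported; the card number stored beside it is. The masking step matters in practice: a discovery report that lists full account numbers simply creates one more unencrypted cache that has to be protected.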
To help find PII flows you might not immediately know about, create and regularly update a PII flow diagram that tracks the processes you go through as you receive, use, store, or transmit sensitive data.
This will help you see where PII enters and exits your organization. Here are some areas unprotected PII may be hiding:
When possible, avoid using and storing PII. You can also avoid storing sensitive data by using tokenization or outsourcing sensitive data handling to a third party.
But if you do need to keep data, make sure to find and encrypt PII. All electronic PII that is received, stored, handled, or transmitted in your systems and work devices must be encrypted. Industry best practice would be to use AES-128, AES-256, or better.
While not all mandates require network segmentation, it’s considered security best practice to keep your networks that handle sensitive data like PII separate from your other networks.
Whether done physically or through firewall implementation, make sure systems that receive, store, handle, and transmit sensitive data are kept separate from each other. Verify that separation regularly with “segmentation checks.”
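A segmentation check is, at its core, a table of reachability expectations (which hosts and ports should and should not be reachable from a given network) plus a probe that tests each one. The following is an added example written for this page, not a SecurityMetrics tool: it probes TCP reachability from the host it runs on and reports every expectation that does not hold. For an offline demonstration it starts its own listener on the loopback interface to stand in for a permitted service in the segmented network; the host, port and rule labels are constructed for the example.

```python
"""Added example: a minimal TCP segmentation check that compares observed
reachability against an expectation table and reports violations."""
import socket
import threading


def port_reachable(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:             # refused, filtered, or timed out
        return False


def run_segmentation_check(rules):
    """rules: iterable of (label, host, port, expected_reachable).

    Returns a list of (label, host, port, expected, observed) for every rule
    whose observed reachability differs from what the segmentation design says.
    A rule expected False but observed True is the dangerous case: a path into
    the sensitive-data network that the design does not allow."""
    violations = []
    for label, host, port, expected in rules:
        observed = port_reachable(host, port)
        if observed != expected:
            violations.append((label, host, port, expected, observed))
    return violations


def start_demo_listener():
    """Stand-in for a permitted service in the segmented network (loopback only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:     # listener closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port():
    """Pick an ephemeral port that nothing is listening on (stand-in for a blocked path)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the check against constructed rules; returns the list of violations."""
    srv, open_port = start_demo_listener()
    closed_port = free_closed_port()
    rules = [
        # label (constructed), host, port, expected reachable from this host
        ("allowed: payment app -> db", "127.0.0.1", open_port, True),
        ("blocked: marketing -> db", "127.0.0.1", closed_port, False),
        ("blocked: marketing -> pos", "127.0.0.1", open_port, False),  # misconfiguration
    ]
    try:
        return run_segmentation_check(rules)
    finally:
        srv.close()


if __name__ == "__main__":
    for label, host, port, expected, observed in demo():
        print(f"VIOLATION {label}: {host}:{port} expected={expected} observed={observed}")
```

In a real check the rules are run from a host inside each out-of-scope network, against the addresses and ports of the systems that handle sensitive data, and the run is repeated on a schedule so that a firewall change that opens an unintended path is caught rather than discovered during an audit.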
Learn more about sensitive data discovery tools or call us about a PCI audit or HIPAA audit.