Ensuring the privacy and information security of learner records is one of the requirements of the ANSI/IACET 2018-1 Standard for Continuing Education and Training. This is the third and final article in a series of articles designed to help educational providers follow best practices in securing data. The first article outlined the need for organizations to know what personally identifiable information (PII) data is collected, to pinpoint its exact location and where it is stored, as well as to list who uses the data and why. The second article explained how to classify PII in terms of sensitivity.
Once an organization has identified and classified its PII, it can then act on that information to apply the four “E’s” of data security:
Organizations should delete any PII that is no longer necessary or has aged beyond any document retention policies. PII that does not exist cannot be accessed by unauthorized personnel, stolen, misused, or lost. When deleting the data, it is important to ensure the data is also removed from any data backups.
All training organizations should have an Acceptable Use policy that focuses on who can access PII and the appropriate ways to use the PII. The SANS Institute, a leading organization in the computer security space, has developed a free Acceptable Use Policy template that can be used as a starting point for organizations that have not established a policy.
It's important that companies implement and enforce the principle of least privilege when granting access to sensitive data. The principle of least privilege is the idea that a user should have only the bare minimum access necessary to perform their job. For example, an educator may need results from learners’ previous tests or exams to identify past knowledge gaps that must be filled for the trainer to teach the class effectively. But they do not need to know or have access to the learners’ billing information. Meanwhile, the accounting clerk does need access to the learner’s billing information but would not need access to transcripts and gradebooks.
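To make the educator/accounting-clerk split above concrete, here is an added example (not from the article or IACET) of field-level least privilege over a learner record: each role has an allowlist of fields, anything not listed is denied by default, and every denied read is logged for review. The role names, field names and the record itself are constructed for illustration.

```python
"""Field-level least privilege for a learner record (illustrative, constructed data)."""
from typing import Any, Dict, FrozenSet, List

# Constructed sample record; every value is a placeholder, not real learner data.
LEARNER_RECORD: Dict[str, Any] = {
    "learner_id": "L-0001",
    "name": "Example Learner",
    "email": "learner@example.invalid",
    "test_scores": {"module1": 72, "module2": 88},
    "transcript": ["Course A", "Course B"],
    "billing_address": "1 Example St",
    "card_last4": "4242",
}

# Allowlists: each role sees only the fields its job requires. Role and field
# names are assumptions for this example. A field absent from a role's set is
# denied; a role absent from the table gets nothing (deny by default).
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "educator": frozenset({"learner_id", "name", "test_scores", "transcript"}),
    "accounting_clerk": frozenset(
        {"learner_id", "name", "email", "billing_address", "card_last4"}
    ),
}


def can_access(role: str, field: str) -> bool:
    """True only if the role's allowlist explicitly names the field."""
    return field in ROLE_FIELDS.get(role, frozenset())


def view_for_role(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return a copy of the record containing only the fields the role may see.

    Filtering at the data layer means billing fields never reach an educator's
    screen or export, rather than relying on the UI to hide them.
    """
    return {k: v for k, v in record.items() if can_access(role, k)}


def access_field(record: Dict[str, Any], role: str, field: str,
                 audit_log: List[str]) -> Any:
    """Read one field or raise PermissionError; allow and deny are both logged.

    Denied reads are the interesting signal for reviewers: repeated denials for
    one account suggest either a mis-assigned role or misuse.
    """
    if not can_access(role, field):
        audit_log.append(f"DENY role={role} field={field}")
        raise PermissionError(f"{role} may not read {field}")
    audit_log.append(f"ALLOW role={role} field={field}")
    return record[field]
```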
Unfortunately, the largest source of data breaches is not some unknown or forgotten technical issue; it is human error. Weak passwords, sending sensitive information to the wrong recipients, sharing password/account information, or falling for phishing scams account for over 50% of all security incidents. These can all be prevented through proper and repeated training of employees.
It's no surprise to training providers that, in the end, it all comes back to training and educating employees. An outstanding employee education program on PII protection will instill a sense of ownership in employees by reminding them that they have an important role to play in protecting and securing the data of the learners they serve.
Randy Bowman is the Vice President of Technology at IACET. Randy has over twenty years' professional experience in project management, software design and development, as well as IT operations and IT security for government agencies and non-profit associations.