Ensuring the privacy and information security of learner records is one of the requirements of the ANSI/IACET 2018-1 Standard for Continuing Education and Training. This is the second in a series of articles designed to help educational providers follow best practices in securing data. The first article outlined the need for organizations to know what personally identifiable information (PII) data is collected, to pinpoint its exact location and where it is stored, as well as to list who uses the data and why.
After cataloging PII data, the second step in securing learner records is to classify PII data in terms of sensitivity. A common mistake made by many organizations is to take an “all or none” approach: either they lock down all data or they lock down none of it. While the risks of not securing data are obvious, over-securing data can, counterintuitively, lead to a less secure environment. Frustrated employees who view the controls as obstacles tend to develop “off-the-book” procedures to work around the limitations, introducing vulnerabilities. The reality is that employees in organizations where everything is tightly controlled become less aware of information security as they grow desensitized to the concept of confidentiality.
A more balanced approach recognizes that not all data is created equal, nor should all data be treated the same. This promotes a culture where data handlers increase their awareness of data security. By creating an organizational data classification scheme, companies create an environment where data users are constantly analyzing the data so they can classify it. The classification system gives the users a framework on which to make decisions, promoting increased awareness.
When analyzing PII data, organizations should consider the following factors:
Using the above factors will allow organizations to begin classifying the data based on sensitivity. At a minimum, organizations should create three levels of data classification:
Education providers who take the time to classify their learners’ PII data will discover many advantages to the exercise. Besides maintaining regulatory compliance and being able to provide evidence of meeting the requirements of the ANSI/IACET 2018-1 Standard for Continuing Education and Training, data classification assists in organizing data in ways that help employees find the information they need to do their jobs. Finally, if the organization does unfortunately encounter a security breach, data classification will provide valuable information to the incident response team in accurately determining the damage and steps needed to rectify the situation.
Randy Bowman is the Vice President of Technology at IACET. Randy has over twenty years of professional experience in project management, software design and development, as well as IT operations and IT security for government agencies and non-profit associations.