PRIV-31 – PII Data Classification


What is this control about?

Implementing the control ‘PII Data Classification’ is crucial for organizations to ensure the protection and appropriate handling of Personally Identifiable Information (PII). PII refers to any information that can be used to identify an individual, directly or indirectly. This may include names, addresses, social security numbers, email addresses, financial data, and more.

Available tools in the marketplace

  • N/A – No tools recommendation

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – No template recommendation

Control implementation

Here are some guidelines to implement a PII Data Classification program:

  • Identify PII Data Categories: Start by working with key stakeholders across different departments to identify the types of Personally Identifiable Information (PII) that the organization collects, processes, and stores. Common examples of PII include names, addresses, social security numbers, email addresses, and financial information.
  • Create Data Classification Policy: Develop a comprehensive data classification policy that defines the criteria for classifying data into different categories based on its sensitivity and impact on individuals’ privacy. The policy should clearly outline the responsibilities of employees in handling different data classifications and the procedures for data handling.
  • Classify PII Data: Use data classification and labeling tools, if available, to automatically tag and classify PII data within the organization’s databases, file servers, and other data repositories. If specific tools are not available, manual classification procedures should be established and communicated to relevant employees.
  • Implement Access Controls: Ensure that appropriate access controls are in place to restrict access to PII data based on its classification. Only authorized personnel should have access to sensitive PII data, and access permissions should be regularly reviewed and updated as needed.
  • Encrypt PII Data: Encrypt PII data, both in transit and at rest, to provide an additional layer of protection. Encryption helps prevent unauthorized disclosure of sensitive data even if the storage medium or network traffic carrying it is compromised.
  • Train Employees: Conduct regular training sessions to educate employees about the importance of data classification and the proper handling of PII data. Employees should be aware of the data classification policy and understand their responsibilities in safeguarding sensitive information.
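As an added illustration of the "Classify PII Data" and "Implement Access Controls" steps above (example code written for this page, not TrustCloud's or the page's own), the following Python scans records for the PII categories the page names, assigns a sensitivity label per record, and gates access on that label. The detection patterns, the three label tiers, and the clearance model are assumptions for the example.

```python
from __future__ import annotations
import re

# Detectors for PII categories the page names (email, SSN, financial data).
# These patterns are assumptions for the example, not a complete catalogue.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def detect_pii(text: str) -> set[str]:
    """Return the set of PII categories found in a free-text field."""
    found = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):
            found.add("card")
            break
    return found

# Assumed label tiers; a higher index means more sensitive.
LABELS = ["Internal", "Confidential", "Restricted"]
CATEGORY_LABEL = {"email": "Confidential", "ssn": "Restricted", "card": "Restricted"}

def classify_record(record: dict) -> tuple[str, set[str]]:
    """Label a record by the most sensitive PII category any field contains."""
    categories = set()
    for value in record.values():
        categories |= detect_pii(str(value))
    label = max((CATEGORY_LABEL[c] for c in categories),
                key=LABELS.index, default="Internal")
    return label, categories

def access_allowed(user_clearance: str, record_label: str) -> bool:
    """Access control keyed on classification: clearance must meet the label."""
    return LABELS.index(user_clearance) >= LABELS.index(record_label)
```

In practice the labels produced by `classify_record` would be written back as tags on the data asset so that the evidence auditors ask for (see below) can be exported from the tagging system.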

What evidence do auditors look for?

At a minimum, most auditors look for the evidence listed below:

  • Data Classification Policy: Auditors will review the organization’s data classification policy to ensure it clearly defines the criteria for classifying data, including PII data, into different categories based on sensitivity and criticality. The policy should also outline the responsibilities of employees in handling different data classifications.
  • Data Classification Labels and Tags: Auditors will check for evidence of data classification labels and tags applied to data assets. This evidence may include screenshots or reports from data classification tools that show how PII data is appropriately labeled based on its classification.

Evidence example

For each suggested action, an example is provided below:

  • Data Classification Policy

Use the provided Data Classification policy available within your TrustOps program.

  • Data Classification Labels and Tags

