The Navy CIO’s office has compiled a list of the top lessons learned from after-action reports on breaches of personally identifiable information, or PII.
In terms of operating procedures, it says to: eliminate or reduce the use, display and storage of PII, especially sensitive PII such as Social Security numbers, in business processes; ensure all email containing PII is digitally signed and encrypted; mark all documents containing PII as For Official Use Only; attach a Privacy Act coversheet to hard copy documents containing PII when carried, mailed, stored, faxed or worked on at a desk; and take special care when moving, closing or consolidating offices that handle PII.
Also: ensure shared drive access permissions are established and routinely checked; conduct compliance spot checks with correction of identified deficiencies; clearly define and widely publicize paper documents and hard drive disposal methods; and implement a records management program that includes a records disposal program and stopping unnecessary collection of PII when it is no longer needed.
In terms of personnel management, it says, “Insider threat is the most difficult breach to detect and prevent. While it represents a small number of DON breaches, it can lead to the clandestine compromise of large amounts of data in short periods of time. Managers must be vigilant and aware of the potential for this kind of misconduct. Problems have occurred when disgruntled or fired employees continue to have network access when the situation warrants an immediate suspension or revocation.” Also, employees should be trained regularly on the proper handling and safeguarding of PII.
It adds that leaders “at all levels must champion the need for comprehensive privacy programs and take the initiative to implement appropriate steps ensuring the proper access, use, disclosure, disruption, modification, and destruction of PII.”