PII stands for Personally Identifiable Information.
As defined by the U.S. Office of Management and Budget (OMB), PII is information which can be used to distinguish or trace an individual’s identity, such as their name, social security number or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth and mother’s maiden name.
Unfortunately, PII fraud has become a prominent issue for banks, and they are increasingly using non-PII means to verify a consumer's identity.
The article "Gartner's Litan: FFIEC Assessment Tool Falls Short", featured by Bank Info Security, explains that the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool is currently being integrated into regulators' cybersecurity examinations, but that overall the tool has fallen short, causing more confusion than clarity. The FFIEC issued the tool in July 2015. It was designed to move banking institutions from a mentality of "checkbox" compliance to a multilayered, risk-based approach, allowing institutions to assess the maturity level of their risk-assessment processes.
In light of the consistently increasing volume and sophistication of cyber threats, FFIEC developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness.
The reality is, today's financial institutions are increasingly dependent on information technology and telecommunications to deliver services to consumers and business every day. Disruption, degradation, or unauthorized alteration of information and systems that support these services can affect operations, institutions, and their core processes, and undermine confidence in the nation's financial services sector.
Managing Sensitive PII
Today, many enterprises experience critical challenges in identifying, classifying and managing PII in an organized and protected way and, unfortunately, lack a clear methodology for inventorying their information effectively.
This is a dangerous truth, as organized cybercrime is no longer made up primarily of small factions, and the days of lone hackers are all but gone.
Instead, enterprises currently fight against motivated organizations that — like legitimate businesses — are divided into teams, employ highly experienced developers with deep knowledge, leverage connections and encourage collaboration. The complexities of doing business at scale, both strategic and technical, create barriers that must be overcome to prevent these attacks from occurring.
A focus on user education and systematic protocols for operating a strong risk assessment program can provide value in that effort, with an emphasis on protecting PII.
In order for an organization to effectively manage information, it is important for the organization to have a true understanding of its PII. Optimizing PII traceability and management will benefit an enterprise in four key ways:
- Identification of PII: Full assessment of enterprise systems and operations to identify all PII being processed, accessed or stored in electronic or physical forms.
- PII Archival and Retention Strategy: Reduction of overall volume of PII and creation of newly defined procedure to avoid PII storage unless absolutely necessary.
- PII Compliance Strategy: Risk assessment and periodic reviews to ensure company policies, procedures and practices adhere to best practices and standards of care for all PII.
- PII Security and Controls: Tightly controlled applications and monitoring of all access to network resources and information assets, mapped to the business capabilities they support and to the information risk level of each application.
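The first two steps above, identifying where PII lives and flagging copies that should not be retained, are illustrated by the following added example; it is not code from the original article. It scans a constructed set of records from two hypothetical data stores for direct identifiers (SSN, date of birth, e-mail), builds a per-field inventory, and reports PII found outside the fields where the organization expects it, such as an SSN pasted into a free-text support ticket. The regexes are illustrative and do not attempt to detect names or biometrics.

```python
import re
from collections import defaultdict

# Constructed sample data: two hypothetical data stores, a few records each.
SAMPLE_STORES = {
    "crm_db.customers": [
        {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1980-04-12", "note": "call back"},
        {"name": "John Roe", "ssn": "987-65-4321", "dob": "1975-11-30", "note": "ok"},
    ],
    "support.tickets": [
        {"ticket": "T-1", "body": "customer gave SSN 123-45-6789 over phone", "agent": "A7"},
        {"ticket": "T-2", "body": "password reset requested", "agent": "A3"},
    ],
}

# Detectors for direct identifiers (illustrative patterns, not exhaustive).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def classify_value(value):
    """Return the set of PII types detected in one field value."""
    text = str(value)
    return {kind for kind, rx in PII_PATTERNS.items() if rx.search(text)}

def inventory_pii(stores):
    """Build an inventory: store -> field -> {pii_type: number of records containing it}."""
    inv = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for store, records in stores.items():
        for rec in records:
            for field, value in rec.items():
                for kind in classify_value(value):
                    inv[store][field][kind] += 1
    return {s: {f: dict(k) for f, k in fields.items()} for s, fields in inv.items()}

def retention_review(inventory, expected):
    """List (store, field, pii_type) where PII appears outside its expected (store, field) set.

    `expected` maps a PII type to the set of (store, field) pairs approved to hold it;
    anything else is a candidate for deletion or redaction under a minimization policy.
    """
    findings = []
    for store, fields in inventory.items():
        for field, kinds in fields.items():
            for kind in kinds:
                if (store, field) not in expected.get(kind, set()):
                    findings.append((store, field, kind))
    return sorted(findings)
```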
Managing Personally Identifiable Information
A breach of customer information could result in the organization’s loss of public trust, legal liability and significant cost to remedy damages. While it is best practice for organizations to limit the use, collection and retention of PII to only what is absolutely required for business purposes, oftentimes an organization does not know exactly what information it stores or where that information is located, which makes it impossible to manage the data effectively and ensure its protection.