Fulfilling regulatory requirements is one of the biggest challenges that IT pros face today, regardless of their organization’s location, size or industry. To achieve compliance, companies must ensure the integrity, security and availability of information systems and the sensitive data they hold, such as personally identifiable information (PII) or financial records. In addition, some regulations require organizations to process requests from data subjects promptly. Failure to comply with these requirements can result in hefty fines, suspension of business and even jail time, as well as increase the risk of costly data breaches and data loss.
The first step in securing sensitive data and complying with regulations is to discover what sensitive data your organization has, where it is stored and who handles it. Only with that intelligence can administrators implement appropriate policies and controls. This article explains why the best strategy for effective discovery is PII scanning software, and offers a solution to help.
Why Invest in PII Scanning Software?
You probably have more PII than you think, stored in more places than you realize.
As you consider ways to discover the PII you store, it’s essential to understand what falls under that umbrella. Naturally, it includes all information that can be used to directly identify or trace individuals, such as a name, address, telephone number or unique identifier like a Social Security number.
However, be aware that there are additional types of data that qualify as PII. In particular, NIST also includes any persistent static identifier that consistently links to a particular person or a small, well-defined group of people. It specifically mentions Internet Protocol (IP) or Media Access Control (MAC) addresses, but this could also include things like cookies and device IDs.
If that’s not enough, PII also includes information that, on its own, might not be able to identify a person, but that might be able to do so when combined with other information. For example, NIST lists date of birth, place of birth, race, religion, weight, activities and geographical indicators, as well as employment, medical, education and financial information.
In short, a wide set of data qualifies as PII. Moreover, it is often spread across a wide variety of local and cloud storage systems, and usually includes both structured and unstructured data.
Manual PII discovery and classification processes simply can’t keep up.
Some organizations attempt to discover and track the PII they store using manual processes, by having users classify PII as it’s captured or created. However, this approach has multiple drawbacks.
First of all, it is expensive, difficult and time-consuming. It requires providing extensive user training on your data classification policies. In addition, users need to be fluent in each of your data storage technologies, each of which has a unique set of features and capabilities. To make matters worse, structured data is usually inaccessible to regular users, which makes it hard to maintain a unified process across data stores.
Second, manual discovery processes typically yield very poor results. With PII flooding in, users tend to rush through the task by picking whatever tags seem relevant to the content at first glance, or simply fail to classify content at all. In addition, two different users — or even the same user over time — will tag similar content differently. As a result of this unreliable and inconsistent process, non-sensitive data might be incorrectly labeled as PII, while data that is truly sensitive might not be given that label. All those false positives and false negatives mean that the organization is at risk of wasting its limited resources safeguarding non-sensitive data while leaving PII vulnerable.
PII tools offer a more effective and cost-efficient approach.
Advanced PII scanning software can mitigate all of these drawbacks. Automating the discovery and classification process minimizes the additional workload and ensures that newly created or ingested data is quickly and efficiently classified. Moreover, it eliminates human errors by ensuring that classification criteria are followed consistently.
How Netwrix Can Help
Accurately identify the PII you store across your IT environment.
The Netwrix Data Classification solution will scan for PII in both structured and unstructured storage across your network, from server file shares and cloud storage to databases. For example, the solution can accurately locate:
- US Social Security numbers (SSNs)
- UK National Insurance numbers (NINOs)
- Canada social insurance numbers (SINs)
- Australian tax file numbers (TFNs)
- Australian business numbers (ABNs)
- Credit card data, including primary account numbers (PAN data) and magnetic stripe track data
Even better, the Netwrix PII scanner supports a wide range of common formats, from plain text to XML. The solution even includes OCR technology, so it can tag document scans and photos based on their contents.
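To illustrate what "accurately locate" involves for identifiers like the ones listed above, here is an added example (not Netwrix code, and not a description of how the Netwrix scanner works internally) that pairs regular-expression candidate matching with checksum or structural validation: the Luhn mod-10 check for card PANs and Canadian SINs, the Social Security Administration's structural rules for US SSNs, and the Australian Taxation Office's published weighted checksums for TFNs and ABNs. The sample text is constructed for the example and contains no real records; the `Finding` type and the label names are assumptions of this example.

```python
"""Added example: regex candidates plus checksum validation for several PII
identifier types. Not Netwrix code; the sample text below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input (no real records). It mixes valid identifiers with
# look-alikes that a bare regex would flag but a validator rejects.
SAMPLE = """\
Employee record: SSN 123-45-6789, card 4111 1111 1111 1111
Invalid SSN 666-12-3456 and invalid SSN 123-00-4567
Card 4111 1111 1111 1112 fails Luhn
Canadian SIN 046 454 286
Australian TFN 123 456 782
Australian ABN 51 824 753 556
Order number 000-00-0000 is not an SSN
"""


@dataclass(frozen=True)
class Finding:
    label: str   # identifier type (example's own label names)
    value: str   # digits only, separators stripped
    start: int   # character span in the scanned text
    end: int


def digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def luhn_ok(num: str) -> bool:
    """Luhn mod-10 check, used by payment card PANs and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(num)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(num: str) -> bool:
    """US SSN structural rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    area, group, serial = int(num[:3]), int(num[3:5]), int(num[5:])
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def tfn_ok(num: str) -> bool:
    """Australian TFN (9 digits): weighted sum divisible by 11."""
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return len(num) == 9 and sum(int(d) * w for d, w in zip(num, weights)) % 11 == 0


def abn_ok(num: str) -> bool:
    """Australian ABN (11 digits): subtract 1 from the first digit, weighted sum divisible by 89."""
    if len(num) != 11:
        return False
    weights = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
    ds = [int(d) for d in num]
    ds[0] -= 1
    return sum(d * w for d, w in zip(ds, weights)) % 89 == 0


# Longer / more specific patterns first, so a shorter candidate that overlaps an
# accepted longer one (e.g. the last 9 digits of an ABN) is not reported twice.
PATTERNS = [
    (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), [("CARD_PAN", luhn_ok)]),
    (re.compile(r"\b\d{2}[ -]?\d{3}[ -]?\d{3}[ -]?\d{3}\b"), [("AU_ABN", abn_ok)]),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), [("US_SSN", ssn_ok)]),
    # A bare 9-digit run may be a Canadian SIN or an Australian TFN; both are tried.
    (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), [("CA_SIN", luhn_ok), ("AU_TFN", tfn_ok)]),
]


def scan(text: str) -> list[Finding]:
    """Return validated identifier findings, ordered by position in the text."""
    findings: list[Finding] = []
    taken: list[tuple[int, int]] = []
    for pattern, validators in PATTERNS:
        for m in pattern.finditer(text):
            span = (m.start(), m.end())
            if any(s < span[1] and span[0] < e for s, e in taken):
                continue  # overlaps a candidate already accepted under an earlier pattern
            num = digits(m.group())
            labels = [label for label, ok in validators if ok(num)]
            if labels:
                taken.append(span)
                findings.extend(Finding(label, num, *span) for label in labels)
    return sorted(findings, key=lambda f: (f.start, f.label))


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.label:9} {f.value} @ {f.start}-{f.end}")
```

Two things the run shows that the paragraph alone does not. First, the validators discard three of the four SSN-shaped strings and the Luhn-failing card number, which is the false-positive reduction that distinguishes a PII scanner from a plain pattern search. Second, the TFN in the sample also happens to pass the Luhn check, so the 9-digit run is reported under both labels: a checksum narrows the candidate set but cannot always decide the type, and a production classifier has to break such ties with context (column names, nearby keywords, the data source's country) or accept the ambiguity in its reports.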
Get started quickly and expand as you see fit.
To automate the data discovery process and enable you to start collecting risk intelligence in no time, the product includes pre-built taxonomies for PII regulated by common mandates, including:
- General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Information Security Management Act of 2002 (FISMA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm–Leach–Bliley Act (GLBA)
You can easily customize these taxonomies, as well as create additional ones, to meet your specific requirements.
Review PII in ways that work for you.
Easy-to-read reports and dashboards let you review classified data from different angles, such as by classification term, storage location or creation date, making it easier for you to stay in control of PII across your organization's infrastructure.
Prevent breaches and compliance failures.
Netwrix Data Classification also enables you to set up data remediation workflows that automatically spot data that’s at risk and take steps to secure it. For instance, the solution can automatically detect sensitive data in unauthorized locations, transfer it to a reserved quarantine area and notify the appropriate team who can decide what to do with it. Similarly, you can set up workflows to revoke excessive permissions.
Satisfy data subject access requests (DSARs) with far less effort and expense.
The Netwrix solution enables you to shift the burden of responding to DSARs away from your IT department; instead, your legal, privacy and marketing teams can perform DSAR searches on their own. Moreover, its reliable, consistent data classification speeds the searches and helps ensure accurate results, enabling you to meet strict DSAR response timelines even as the flow of requests increases.
Get more value from your other data security tools.
Netwrix Data Classification can write classification labels into custom metadata fields, where your data loss prevention (DLP) solution and other security tools can read them. With reliable and accurate classification labels, those solutions will work more effectively.