To protect sensitive data, you need to examine your existing business processes. Review the processes that request or process sensitive data in order to assess the state of data security.
For each of those processes, answer the following questions:
- Based on the Data Classification Table, is my department collecting "Restricted Data"?
(For more information on the different categories of sensitive data, review the ITS Data Classification Table.)
- How is the data being used?
- Is it necessary for performing a business function?
- Who within my group needs access to these data?
- How long do we need to keep these data?
Make a plan for restricting collection and storage to meet the "minimum necessary" standard for access to sensitive data. In other words:
1) One only collects the minimum that is required for a business process.
2) Access to that data is only granted to the smallest number of employees required.
3) The data is kept for the shortest period of time possible before it is properly disposed of.
Once you have completed this process, begin reviewing where data is stored and collected.
Page last reviewed: May 20, 2011