Do you protect personal information against unauthorized access (both physical and logical)?
Explanation
Protection of personal information is what's under review, covering whether you guard it against unauthorized access through both physical and logical controls.
Personal information includes any data that can identify an individual, such as names, addresses, Social Security numbers, financial information, health records, etc. The question is being asked because protecting PI is a fundamental requirement of many privacy regulations (like GDPR, CCPA, HIPAA) and is essential for maintaining customer trust.
In a security assessment, this question helps evaluators understand if you have comprehensive controls in place to prevent unauthorized parties from accessing sensitive personal data. This includes both physical controls (like secure facilities with badge access) and logical controls (like authentication, encryption, and access management).
To best answer this question, you should describe your specific controls for both physical and logical protection of personal information. Include details about:
- Physical safeguards: Building security, access cards, visitor policies, secure storage areas
- Logical safeguards: Access controls, authentication requirements, encryption, data loss prevention
- Policies and procedures: How you manage access rights, conduct reviews, and handle violations
- Monitoring and auditing: How you detect and respond to unauthorized access attempts
Example Responses
Example Response 1
Yes, we protect personal information against unauthorized access through comprehensive physical and logical controls For physical protection, our data centers require multi-factor authentication for entry, with 24/7 security personnel, CCTV monitoring, and mantrap entries All visitors must be pre-approved, escorted, and logged For logical protection, we implement role-based access control (RBAC) with least privilege principles, requiring multi-factor authentication for all systems containing personal information All personal data is encrypted both in transit and at rest using industry-standard encryption (AES-256) We conduct quarterly access reviews to verify appropriate permissions, and our security team uses a SIEM solution to monitor for unauthorized access attempts in real-time All access to personal information is logged and audited monthly.
Example Response 2
Yes, our organization maintains strict controls to protect personal information Physical protection includes badge access systems at all entry points, with different security zones requiring increasing levels of authorization Server rooms containing personal data are restricted to IT personnel only and require biometric verification For logical protection, we implement network segmentation to isolate systems with personal information, require strong passwords with 90-day rotation policies, and enforce multi-factor authentication for remote access All personal data is classified according to sensitivity levels with corresponding access restrictions We use data loss prevention (DLP) tools to prevent unauthorized exfiltration of personal information, and all access attempts are logged We conduct annual penetration testing specifically targeting our personal information protection controls.
Example Response 3
No, we currently have partial protections for personal information but acknowledge gaps in our security posture While we have implemented basic logical controls such as password protection and standard network firewalls, we lack comprehensive physical security measures beyond standard office locks We do not currently encrypt all personal information at rest, and our access review process is manual and performed irregularly We're working to address these gaps through a security improvement plan that includes implementing encryption across all systems storing personal information, establishing formal access review procedures, and enhancing our physical security with badge access systems and visitor management We expect these improvements to be completed within the next 6 months.
Context
- Tab
- Privacy
- Category
- Data Privacy
Related questions
- Have you performed a Data Privacy Impact Assesssment for the solution/project?
- Do you provide an end-user privacy notice about privacy policies and procedures that identify the purpose(s) for which personal information is collected, used, retained, and disclosed?
- Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?
- Do you collect personal information only for the purpose(s) identified in the agreement with an institution or, if there is none, the purpose(s) identified in the privacy notice?
- Do you have a documented list of personal data your service maintains?
- Do you retain personal information for only as long as necessary to fulfill the stated purpose(s) or as required by law or regulation and thereafter appropriately dispose of such information?

