PII Security and Access Control Policy

The PII Security and Access Control Policy defines the organization’s PII-specific requirements for protecting personal information across systems, applications, services, devices, cloud environments and operational processes. It applies where PII is stored, transmitted, processed, accessed, administered or protected, and it covers controller, joint controller, processor and subprocessor contexts. The policy is explicitly designed to integrate with existing information security practices rather than replace a full information security management system, network security policy, secure development policy, backup policy, endpoint policy, cloud security policy, cryptographic standard, vulnerability management procedure or incident response procedure. Its core purpose is to ensure that PII is protected by appropriate, risk-aligned and auditable security and access controls throughout processing. To support that purpose, the policy establishes a PII security baseline and requires traceable evidence through REG02, REG08, REG10 and REG12. This evidence model is central to the policy: operational logs, security tool outputs, access review exports, vulnerability reports and configuration evidence may be attached to, summarized in or referenced by the canonical evidence objects, but they are not treated as separate PIMS registers. This allows the organization to demonstrate that controls are planned, implemented, reviewed, monitored and improved without duplicating security records. The policy sets detailed requirements for access control, authentication and privileged access. Access to PII must be restricted to approved roles and authorized users recorded or traceable in REG02 or REG12, and business purpose must be approved before access is provisioned. High-impact or sensitive PII systems require at least quarterly user access reviews, while other PII systems require at least annual review. Access must be removed or amended within one business day after role change, termination, contract completion or when access is no longer required. Privileged access requires documented justification, scope and approval before being granted, with monthly review for high-impact or sensitive PII systems and quarterly review for other PII systems. The policy also addresses technical security expectations for authentication, encryption, secure storage, logging, monitoring, configuration, vulnerability management, endpoint access and cloud access. Unique user identities are required for accounts with PII access, and strong authentication is required for privileged, remote, administrative or high-impact PII access. Encryption or approved compensating protection must be defined before high-impact, sensitive or externally transmitted PII is stored, transmitted or made accessible. Logging scope must cover authentication events, access events, privileged actions, PII export activity and material configuration changes. Configuration status and vulnerability coverage must be recorded in REG12, with unresolved high-risk vulnerabilities affecting PII recorded within five business days of validation. Governance responsibilities are assigned across Top Management, the Privacy Lead / PIMS Manager, Data Protection Officer / Privacy Advisor, Information Security Lead, Process Owner / Business Owner, System Owner / Application Owner, Vendor / Procurement Owner, Incident Response Coordinator and Internal Audit / Compliance Reviewer. The policy requires quarterly evidence completeness reviews across REG02, REG08, REG10 and REG12, quarterly review of baseline effectiveness and unresolved gaps, and audit sampling of access reviews, privileged access reviews, logging evidence and configuration evidence. Exceptions must be recorded before activation, include expiry, compensating control and review date, and receive Top Management approval when they affect high-impact PII, sensitive PII, privileged access, encryption, logging or unresolved high-risk vulnerabilities.