Risk Assessments

  • 1.  Identifying/Categorizing NPI/NPPI Risk

    Posted 06-28-2024 07:53 PM

    Has anyone identified/categorized different levels of risk when it comes to different types of NPI/NPPI? (And can you provide examples?)

    Most risk assessments I see are yes or no on NPPI, with some instantly labeling the vendor as high risk with a yes. 

    Categorizing information seems like it would be more efficient since name, phone number, make of vehicle, account number/activity are all very different things.

    Thanks!



  • 2.  RE: Identifying/Categorizing NPI/NPPI Risk

    Posted 07-01-2024 11:18 AM

    I think it helps to have a more granular understanding of what NPI is for your organization. For instance, what sort of non-public information would allow a hacker to steal credit or identity? That's what my org counts as NPI. Names, phone numbers, addresses, make of vehicles - those are NOT NPI according to our definition. In fact, anyone could find that information out by calling the library. But an account number and password could be.

    For us, "NPI" is SSN, account ID number, passwords, credit/debit card numbers, or sometimes (case-by-case) instances of a non-encrypted combo of name/phone/address/email. This is troublesome information if it became public. So, any org that we say YES to sharing NPI should absolutely be high risk and that's correct!



    ------------------------------
    Diego Fable
    Enterprise Data Management Admin
    Midsize Mortgage Nonprofit
    ------------------------------