Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Sensitive information in non secured environment.

Posted on 2006-07-13
6
464 Views
Last Modified: 2010-04-11
Hello friends,

Can you please let me know how critical it is to collect the Social Security number in non secured environment. I mean collecting the SSN in a webpage that has a web address starting with http.

Is this OK to to have this approoach or there is any standard to be followed to protect the sensitive information.

Thanks!
Run2004
0
Comment
Question by:run2004
6 Comments
 
LVL 6

Expert Comment

by:kaerez
ID: 17106245
It is not recommended to accept such information over an unsecure connection.
It is recommended to use an https connection (which will encrypt the data
from the user to the server) and use a secure inaccessible database to store
the data - usually in encrypted form.

You can receive a free SSL certificate at www.cacert.org
0
 
LVL 8

Expert Comment

by:hiteshgupta1
ID: 17106798
you should try to avoid non secure way to collect sensitive information
also when using SSL ,try to use best encryption method to make the data secured and if possible protect user information off-line too
0
 
LVL 9

Expert Comment

by:jabiii
ID: 17121991
It would not be recommended.

You should read through the privacy act.
http://www.usdoj.gov/04foia/privstat.htm
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 5

Accepted Solution

by:
kevinf40 earned 500 total points
ID: 17122252
Hi run2004

Encrypting all sensitive data both in transit (e.g. from client to web server, from web server to app server etc) and anywhere it is stored (e.g. Database) is the sensible option.

Precedent’s have been set in this regard with the FTC having charged companies with negligence where data has been lost that wasn't encrypted.

It's all about taking reasonable precautions to ensure that any customer data you hold is not easily available to malicious individuals.

You don't mention what other data you are requesting / storing - this also has bearing as the more uniquely identifiable information you collect the more critical the requirement for encryption becomes.  If no other customer data were ever collected and for some reason a system just used a social security number as a unique way of identifying it's users then this would actually hold little value as it would be difficult for a malicious person to link the SS number to anything else such as name and address - this is I suspect a somewhat unlikely scenario...

As a final note bear in mind that encryption is not a 'silver bullet' - the implementation around it is just as important as the actual algorithm used - follow best practices for the whole infrastructure - e.g. harden server O/S's, secure your web servers, ensure that simple gotchas are covered off (e.g. a new CTI solution planned to be implemented at my place of work would log customer data into text log files by default - now amount of transit and DB encryption would have blocked this gaping hole...)

cheers

Kevin


0
 
LVL 6

Expert Comment

by:kaerez
ID: 17129062
Dear run2004,

Is any further assistance needed ?
If not please close the topic and assign
me the points.

Thank you

;-)
0
 
LVL 5

Expert Comment

by:kevinf40
ID: 17129875
kaerez - a somewhat cheeky comment...
:-)
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question