Solved

Sensitive information in non secured environment.

Posted on 2006-07-13
6
465 Views
Last Modified: 2010-04-11
Hello friends,

Can you please let me know how critical it is to collect the Social Security number in non secured environment. I mean collecting the SSN in a webpage that has a web address starting with http.

Is this OK to to have this approoach or there is any standard to be followed to protect the sensitive information.

Thanks!
Run2004
0
Comment
Question by:run2004
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 6

Expert Comment

by:kaerez
ID: 17106245
It is not recommended to accept such information over an unsecure connection.
It is recommended to use an https connection (which will encrypt the data
from the user to the server) and use a secure inaccessible database to store
the data - usually in encrypted form.

You can receive a free SSL certificate at www.cacert.org
0
 
LVL 8

Expert Comment

by:hiteshgupta1
ID: 17106798
you should try to avoid non secure way to collect sensitive information
also when using SSL ,try to use best encryption method to make the data secured and if possible protect user information off-line too
0
 
LVL 9

Expert Comment

by:jabiii
ID: 17121991
It would not be recommended.

You should read through the privacy act.
http://www.usdoj.gov/04foia/privstat.htm
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 
LVL 5

Accepted Solution

by:
kevinf40 earned 500 total points
ID: 17122252
Hi run2004

Encrypting all sensitive data both in transit (e.g. from client to web server, from web server to app server etc) and anywhere it is stored (e.g. Database) is the sensible option.

Precedent’s have been set in this regard with the FTC having charged companies with negligence where data has been lost that wasn't encrypted.

It's all about taking reasonable precautions to ensure that any customer data you hold is not easily available to malicious individuals.

You don't mention what other data you are requesting / storing - this also has bearing as the more uniquely identifiable information you collect the more critical the requirement for encryption becomes.  If no other customer data were ever collected and for some reason a system just used a social security number as a unique way of identifying it's users then this would actually hold little value as it would be difficult for a malicious person to link the SS number to anything else such as name and address - this is I suspect a somewhat unlikely scenario...

As a final note bear in mind that encryption is not a 'silver bullet' - the implementation around it is just as important as the actual algorithm used - follow best practices for the whole infrastructure - e.g. harden server O/S's, secure your web servers, ensure that simple gotchas are covered off (e.g. a new CTI solution planned to be implemented at my place of work would log customer data into text log files by default - now amount of transit and DB encryption would have blocked this gaping hole...)

cheers

Kevin


0
 
LVL 6

Expert Comment

by:kaerez
ID: 17129062
Dear run2004,

Is any further assistance needed ?
If not please close the topic and assign
me the points.

Thank you

;-)
0
 
LVL 5

Expert Comment

by:kevinf40
ID: 17129875
kaerez - a somewhat cheeky comment...
:-)
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question