Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 492
  • Last Modified:

Sensitive information in non secured environment.

Hello friends,

Can you please let me know how critical it is to collect the Social Security number in non secured environment. I mean collecting the SSN in a webpage that has a web address starting with http.

Is this OK to to have this approoach or there is any standard to be followed to protect the sensitive information.

Thanks!
Run2004
0
run2004
Asked:
run2004
1 Solution
 
kaerezCommented:
It is not recommended to accept such information over an unsecure connection.
It is recommended to use an https connection (which will encrypt the data
from the user to the server) and use a secure inaccessible database to store
the data - usually in encrypted form.

You can receive a free SSL certificate at www.cacert.org
0
 
hiteshgupta1Commented:
you should try to avoid non secure way to collect sensitive information
also when using SSL ,try to use best encryption method to make the data secured and if possible protect user information off-line too
0
 
jabiiiCommented:
It would not be recommended.

You should read through the privacy act.
http://www.usdoj.gov/04foia/privstat.htm
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
kevinf40Commented:
Hi run2004

Encrypting all sensitive data both in transit (e.g. from client to web server, from web server to app server etc) and anywhere it is stored (e.g. Database) is the sensible option.

Precedent’s have been set in this regard with the FTC having charged companies with negligence where data has been lost that wasn't encrypted.

It's all about taking reasonable precautions to ensure that any customer data you hold is not easily available to malicious individuals.

You don't mention what other data you are requesting / storing - this also has bearing as the more uniquely identifiable information you collect the more critical the requirement for encryption becomes.  If no other customer data were ever collected and for some reason a system just used a social security number as a unique way of identifying it's users then this would actually hold little value as it would be difficult for a malicious person to link the SS number to anything else such as name and address - this is I suspect a somewhat unlikely scenario...

As a final note bear in mind that encryption is not a 'silver bullet' - the implementation around it is just as important as the actual algorithm used - follow best practices for the whole infrastructure - e.g. harden server O/S's, secure your web servers, ensure that simple gotchas are covered off (e.g. a new CTI solution planned to be implemented at my place of work would log customer data into text log files by default - now amount of transit and DB encryption would have blocked this gaping hole...)

cheers

Kevin


0
 
kaerezCommented:
Dear run2004,

Is any further assistance needed ?
If not please close the topic and assign
me the points.

Thank you

;-)
0
 
kevinf40Commented:
kaerez - a somewhat cheeky comment...
:-)
0

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now