Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Sensitive information in non secured environment.

Posted on 2006-07-13
6
Medium Priority
?
479 Views
Last Modified: 2010-04-11
Hello friends,

Can you please let me know how critical it is to collect the Social Security number in non secured environment. I mean collecting the SSN in a webpage that has a web address starting with http.

Is this OK to to have this approoach or there is any standard to be followed to protect the sensitive information.

Thanks!
Run2004
0
Comment
Question by:run2004
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 6

Expert Comment

by:kaerez
ID: 17106245
It is not recommended to accept such information over an unsecure connection.
It is recommended to use an https connection (which will encrypt the data
from the user to the server) and use a secure inaccessible database to store
the data - usually in encrypted form.

You can receive a free SSL certificate at www.cacert.org
0
 
LVL 8

Expert Comment

by:hiteshgupta1
ID: 17106798
you should try to avoid non secure way to collect sensitive information
also when using SSL ,try to use best encryption method to make the data secured and if possible protect user information off-line too
0
 
LVL 9

Expert Comment

by:jabiii
ID: 17121991
It would not be recommended.

You should read through the privacy act.
http://www.usdoj.gov/04foia/privstat.htm
0
WEBINAR - Latest Cyber Tips for Defense

Join the WatchGuard Threat Research Team on October 26th for an informative webinar featuring expert tips and tricks for defending your organization from today's latest cyber threats. Don't leave yourself vulnerable to attack. Register for the webinar today!

 
LVL 5

Accepted Solution

by:
kevinf40 earned 2000 total points
ID: 17122252
Hi run2004

Encrypting all sensitive data both in transit (e.g. from client to web server, from web server to app server etc) and anywhere it is stored (e.g. Database) is the sensible option.

Precedent’s have been set in this regard with the FTC having charged companies with negligence where data has been lost that wasn't encrypted.

It's all about taking reasonable precautions to ensure that any customer data you hold is not easily available to malicious individuals.

You don't mention what other data you are requesting / storing - this also has bearing as the more uniquely identifiable information you collect the more critical the requirement for encryption becomes.  If no other customer data were ever collected and for some reason a system just used a social security number as a unique way of identifying it's users then this would actually hold little value as it would be difficult for a malicious person to link the SS number to anything else such as name and address - this is I suspect a somewhat unlikely scenario...

As a final note bear in mind that encryption is not a 'silver bullet' - the implementation around it is just as important as the actual algorithm used - follow best practices for the whole infrastructure - e.g. harden server O/S's, secure your web servers, ensure that simple gotchas are covered off (e.g. a new CTI solution planned to be implemented at my place of work would log customer data into text log files by default - now amount of transit and DB encryption would have blocked this gaping hole...)

cheers

Kevin


0
 
LVL 6

Expert Comment

by:kaerez
ID: 17129062
Dear run2004,

Is any further assistance needed ?
If not please close the topic and assign
me the points.

Thank you

;-)
0
 
LVL 5

Expert Comment

by:kevinf40
ID: 17129875
kaerez - a somewhat cheeky comment...
:-)
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question