Solved

Best ways to mitigate sensitive data loss if the data needs to be taken out for a business event

Posted on 2016-11-10
7
88 Views
Last Modified: 2016-11-11
We have a need to take out a list of customers' names, credit card# &  PII (Personally Identfble Info)
to a Lucky Draw event to validate customers identity who won the lucky draw when the customers
come forward to claim their prizes.  We can't cancel such an event nor post the reward to them.

However, this is against PCI-DSS (which we're certified).  So what's the best ways to take out these
sensitive data to the event?

a) for sure, printing them out on hardcopy papers is not safe in case the papers got lost so this
    should be disallowed

b) save these data on a secure laptop (where the HDD is encrypted, Wifi & USB port disabled )
    &  validate by viewing against the info in the screen : is this alone good enough?  I think it
    helps in the event the laptop got lost/stolen during the event, the encrypted HDD will mitigate

c) have IT security staff to escort the laptop during the event?  Is this needed?


Any other better options?

I thought of bringing a laptop that could VPN into the backend secure server to view the data
remotely but this is a bit too late to prepare for at this time but is this more secure than option
b above?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 35

Assisted Solution

by:Terry Woods
Terry Woods earned 150 total points
ID: 41882810
Can you salt and hash each value, so that when a verification is needed you get the value from the customer, add the same salt, hash it, and compare it with your list of hashed values?
1
 
LVL 78

Assisted Solution

by:arnold
arnold earned 70 total points
ID: 41882856
Along the suggested path above, you could use firstname, lastname, dob, use md5
Then use the provided info with md5 and match the string.

The other option is to have someone at work on duty, someone would call in to confirm.
All your list will have is internal identifier, first name, lastname. To avoid having the call overheard with identifying info, the caller will provide the internal identifier, and the other individual known info, dob, last four of cc if needed.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 60 total points
ID: 41882865
1. Do not bring it
2. Perhaps a secure web location.
3. Bring it on a secure Notebook/laptop.  
4. Last resort a USB/Thumb drive.    
As always it depends on:  
A. The data.  
B. Why it needs to be brought to a event.  
C. How the data is being used at the event.   (Presentation, working session); Normally the use of statistics for display and fake data for demos is better
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 64

Accepted Solution

by:
btan earned 160 total points
ID: 41883120
1. Account for the Personal data using your issued official notebook and do the VPN (2FA) instead. I supposed your notebook is protected since you are PCI certified. Ideally a clean notebook with USB and wireless disabled for the VPN. Disk HDD is minimally required. Bring along the cable lock.

2. Use encrypted thumbdrive which is 2FA protected. Information accessible after authentication check against a token or biometric. Make sure no other information inside.

3. Sanitised the personal data such that the NRIC reveal the last digit only, applies this for phone, credit card and identifiable fields. I will say you just need really the name and photo ID. This is to minimise (not totally avoid) exposure of the whole personal data set.

Do get the authorisation and signed off AUP for accountability as well as know the incident procedure in event of loss. Also note media statement is to be prepare for use in event of personal data loss.

I still see a clean notebook with VPN OS preferred. Otherwise hardcopy and you really keep constant sight of the copy and do not make duplicates. Have it watermark and sealed in envelope and shred it onve it ia not necessary for use. Have a criss cur shredder on site.
0
 

Author Comment

by:sunhux
ID: 41883220
It's not feasible to extract the photos from the system to match against the lucky draw winners'  :
presume you meant a photo ID is less likely to be fabricated.

I've checked with the business user & was told last few digits of the card and ID/NRIC is not good enough,
they need the full numbers.

Salting is feasible, just that need a salting/hashing tool to be installed on the laptop
0
 
LVL 64

Expert Comment

by:btan
ID: 41883317
User encrypted storage but I do preferred the notebook that can be cable locked. Lockdown the machine not to be connected wired or wireless. More of standalone.

You can do obfuscation if worry but password protect the document in zip or Veracrypt on top of the disk encryption.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 60 total points
ID: 41883734
Perhaps I'm missing something, but if you're just trying to identify individuals when they come up for their prize, why not just take a list of names.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question