Solved

Best ways to mitigate sensitive data loss if the data needs to be taken out for a business event

Posted on 2016-11-10
7
40 Views
Last Modified: 2016-11-11
We have a need to take out a list of customers' names, credit card# &  PII (Personally Identfble Info)
to a Lucky Draw event to validate customers identity who won the lucky draw when the customers
come forward to claim their prizes.  We can't cancel such an event nor post the reward to them.

However, this is against PCI-DSS (which we're certified).  So what's the best ways to take out these
sensitive data to the event?

a) for sure, printing them out on hardcopy papers is not safe in case the papers got lost so this
    should be disallowed

b) save these data on a secure laptop (where the HDD is encrypted, Wifi & USB port disabled )
    &  validate by viewing against the info in the screen : is this alone good enough?  I think it
    helps in the event the laptop got lost/stolen during the event, the encrypted HDD will mitigate

c) have IT security staff to escort the laptop during the event?  Is this needed?


Any other better options?

I thought of bringing a laptop that could VPN into the backend secure server to view the data
remotely but this is a bit too late to prepare for at this time but is this more secure than option
b above?
0
Comment
Question by:sunhux
7 Comments
 
LVL 35

Assisted Solution

by:Terry Woods
Terry Woods earned 150 total points
ID: 41882810
Can you salt and hash each value, so that when a verification is needed you get the value from the customer, add the same salt, hash it, and compare it with your list of hashed values?
1
 
LVL 76

Assisted Solution

by:arnold
arnold earned 70 total points
ID: 41882856
Along the suggested path above, you could use firstname, lastname, dob, use md5
Then use the provided info with md5 and match the string.

The other option is to have someone at work on duty, someone would call in to confirm.
All your list will have is internal identifier, first name, lastname. To avoid having the call overheard with identifying info, the caller will provide the internal identifier, and the other individual known info, dob, last four of cc if needed.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 60 total points
ID: 41882865
1. Do not bring it
2. Perhaps a secure web location.
3. Bring it on a secure Notebook/laptop.  
4. Last resort a USB/Thumb drive.    
As always it depends on:  
A. The data.  
B. Why it needs to be brought to a event.  
C. How the data is being used at the event.   (Presentation, working session); Normally the use of statistics for display and fake data for demos is better
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 61

Accepted Solution

by:
btan earned 160 total points
ID: 41883120
1. Account for the Personal data using your issued official notebook and do the VPN (2FA) instead. I supposed your notebook is protected since you are PCI certified. Ideally a clean notebook with USB and wireless disabled for the VPN. Disk HDD is minimally required. Bring along the cable lock.

2. Use encrypted thumbdrive which is 2FA protected. Information accessible after authentication check against a token or biometric. Make sure no other information inside.

3. Sanitised the personal data such that the NRIC reveal the last digit only, applies this for phone, credit card and identifiable fields. I will say you just need really the name and photo ID. This is to minimise (not totally avoid) exposure of the whole personal data set.

Do get the authorisation and signed off AUP for accountability as well as know the incident procedure in event of loss. Also note media statement is to be prepare for use in event of personal data loss.

I still see a clean notebook with VPN OS preferred. Otherwise hardcopy and you really keep constant sight of the copy and do not make duplicates. Have it watermark and sealed in envelope and shred it onve it ia not necessary for use. Have a criss cur shredder on site.
0
 

Author Comment

by:sunhux
ID: 41883220
It's not feasible to extract the photos from the system to match against the lucky draw winners'  :
presume you meant a photo ID is less likely to be fabricated.

I've checked with the business user & was told last few digits of the card and ID/NRIC is not good enough,
they need the full numbers.

Salting is feasible, just that need a salting/hashing tool to be installed on the laptop
0
 
LVL 61

Expert Comment

by:btan
ID: 41883317
User encrypted storage but I do preferred the notebook that can be cable locked. Lockdown the machine not to be connected wired or wireless. More of standalone.

You can do obfuscation if worry but password protect the document in zip or Veracrypt on top of the disk encryption.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 60 total points
ID: 41883734
Perhaps I'm missing something, but if you're just trying to identify individuals when they come up for their prize, why not just take a list of names.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now