Solved

Best ways to mitigate sensitive data loss if the data needs to be taken out for a business event

Posted on 2016-11-10
Last Modified: 2016-11-11
We have a need to take out a list of customers' names, credit card # & PII (Personally Identifiable Info)
to a Lucky Draw event to validate the identity of customers who won the lucky draw when the customers
come forward to claim their prizes. We can't cancel such an event nor post the reward to them.

However, this is against PCI-DSS (for which we're certified). So what are the best ways to take out these
sensitive data to the event?

a) for sure, printing them out on hardcopy papers is not safe in case the papers got lost so this
    should be disallowed

b) save these data on a secure laptop (where the HDD is encrypted, Wifi & USB port disabled )
    &  validate by viewing against the info in the screen : is this alone good enough?  I think it
    helps in the event the laptop got lost/stolen during the event, the encrypted HDD will mitigate

c) have IT security staff to escort the laptop during the event?  Is this needed?


Any other better options?

I thought of bringing a laptop that could VPN into the backend secure server to view the data
remotely but this is a bit too late to prepare for at this time but is this more secure than option
b above?
0
Question by:sunhux
7 Comments
 
LVL 35

Assisted Solution

by:Terry Woods
Terry Woods earned 150 total points
ID: 41882810
Can you salt and hash each value, so that when a verification is needed you get the value from the customer, add the same salt, hash it, and compare it with your list of hashed values?
1
 
LVL 77

Assisted Solution

by:arnold
arnold earned 70 total points
ID: 41882856
Along the suggested path above, you could use firstname, lastname, dob, use md5
Then use the provided info with md5 and match the string.

The other option is to have someone at work on duty, someone would call in to confirm.
All your list will have is internal identifier, first name, lastname. To avoid having the call overheard with identifying info, the caller will provide the internal identifier, and the other individual known info, dob, last four of cc if needed.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 60 total points
ID: 41882865
1. Do not bring it
2. Perhaps a secure web location.
3. Bring it on a secure Notebook/laptop.  
4. Last resort a USB/Thumb drive.    
As always it depends on:  
A. The data.  
B. Why it needs to be brought to an event.  
C. How the data is being used at the event.   (Presentation, working session); Normally the use of statistics for display and fake data for demos is better
0
 
LVL 63

Accepted Solution

by:btan
btan earned 160 total points
ID: 41883120
1. Account for the personal data using your issued official notebook and do the VPN (2FA) instead. I suppose your notebook is protected since you are PCI certified. Ideally a clean notebook with USB and wireless disabled for the VPN. Disk HDD is minimally required. Bring along the cable lock.

2. Use an encrypted thumbdrive which is 2FA protected. Information is accessible after an authentication check against a token or biometric. Make sure no other information is inside.

3. Sanitise the personal data such that the NRIC reveals the last digit only; apply this for phone, credit card and identifiable fields. I will say you really just need the name and photo ID. This is to minimise (not totally avoid) exposure of the whole personal data set.

Do get the authorisation and signed-off AUP for accountability, as well as know the incident procedure in the event of loss. Also note a media statement is to be prepared for use in the event of personal data loss.

I still see a clean notebook with VPN OS preferred. Otherwise hardcopy, and you really keep constant sight of the copy and do not make duplicates. Have it watermarked and sealed in an envelope and shred it once it is not necessary for use. Have a cross-cut shredder on site.
0
 

Author Comment

by:sunhux
ID: 41883220
It's not feasible to extract the photos from the system to match against the lucky draw winners:
I presume you meant a photo ID is less likely to be fabricated.

I've checked with the business user & was told the last few digits of the card and ID/NRIC are not good enough,
they need the full numbers.

Salting is feasible, just that we need a salting/hashing tool to be installed on the laptop
0
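The salt-and-hash check suggested in the answers above, as an added example that is not code posted by any participant: the list is built on the back-end system and only salts and digests travel to the event laptop. It swaps in PBKDF2-HMAC-SHA256 with a per-customer salt rather than the MD5 mentioned in one answer, because card and ID numbers have few possible values and a fast hash over them is cheap to guess. The record layout, function names, internal identifiers and sample winners are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # deliberately slow: card and ID numbers carry little entropy


def normalize(value: str) -> str:
    """Drop spaces and dashes and fold case so formatting differences do not matter."""
    return "".join(ch for ch in value if ch not in " -").upper()


def digest(salt: bytes, name: str, card: str, id_no: str) -> bytes:
    """Salted, slow hash over all three fields together (hypothetical record layout)."""
    material = "\x1f".join(normalize(f) for f in (name, card, id_no)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def build_list(records):
    """Run on the back-end system: returns {internal_id: (salt, digest)}, no plaintext."""
    out = {}
    for internal_id, name, card, id_no in records:
        salt = secrets.token_bytes(16)  # fresh salt per customer
        out[internal_id] = (salt, digest(salt, name, card, id_no))
    return out


def verify(hashed_list, internal_id, name, card, id_no) -> bool:
    """Run on the event laptop with the details the claimant presents."""
    entry = hashed_list.get(internal_id)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(expected, digest(salt, name, card, id_no))


# Constructed sample data (test card numbers, made-up IDs), not real customers.
WINNERS = [
    ("W-001", "Tan Mei Ling", "4111 1111 1111 1111", "S1234567D"),
    ("W-002", "John Lim", "5555-5555-5555-4444", "S7654321A"),
]

if __name__ == "__main__":
    event_list = build_list(WINNERS)
    print(verify(event_list, "W-001", "tan mei ling", "4111111111111111", "S1234567D"))
    print(verify(event_list, "W-001", "Tan Mei Ling", "4111111111111112", "S1234567D"))
```

The laptop then holds only internal identifiers, salts and digests; the full numbers come from the claimant's own card and ID at the desk.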
 
LVL 63

Expert Comment

by:btan
ID: 41883317
Use encrypted storage, but I do prefer the notebook that can be cable locked. Lock down the machine so it is not connected wired or wireless. More of a standalone.

You can do obfuscation if worried, but password protect the document in zip or VeraCrypt on top of the disk encryption.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 60 total points
ID: 41883734
Perhaps I'm missing something, but if you're just trying to identify individuals when they come up for their prize, why not just take a list of names?
0
