Information Privacy: The Other Side Of The E-commerce Coin By Mark Merkow, CCP, CISSP
September 24, 1999
C. Data and Network Security
Security of personally identifiable information, whether stored in electronic, paper or micrographic form, is the topic of many books, journals, trade magazines, and conferences. Only the major points are listed here. For additional information, consult professional and trade associations, resources on the Web, as well as libraries and your nearest technical bookstore.
Do you have staff specifically assigned to data security? Do staff members participate in regular training programs in order to keep abreast of technical and legal issues?
Is physical access restricted to computer operations and paper/micrographic files which contain personally identifiable information? Do you have procedures to prevent former employees from gaining access to computers and paper files?
Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?
Do you have audit procedures and strict penalties in place to prevent telephone fraud and theft of equipment and information?
Do all employees follow strict password and virus protection procedures? Are employees required to change passwords often, using "foolproof" methods?
Is encryption used to protect extremely sensitive information (a particularly important measure when transmitting personally-identifiable information over public networks such as the Internet)?
Do you regularly conduct "systems penetration tests" to determine if your systems are "hacker" proof?
If your organization is potentially susceptible to "industrial espionage," have you taken extra precautions to guard against leakage of information?
D. Additional "Common Sense" Security Practices
Case: A medical office photocopied more of a car accident victim's record than necessary and released extremely sensitive but irrelevant information to the insurance company. Information about the woman's child, given up for adoption 30 years ago, eventually became part of the court record, i.e. a public document.
When providing copies of information for others, do employees make sure that nonessential information is removed and that personally identifiable information which has no relevance to the transaction is either removed or masked (the process of "redacting" or "severing" the record)?
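The redaction step described above, as an added example that is not part of the original article: a record is released only after every field irrelevant to the stated purpose is severed and any identifier that must remain is masked. The purpose names, field names and the sample patient record are constructed for illustration; the function fails closed (raises) when the purpose is unknown, so nothing is released by default.

```python
"""Added example: allow-list redaction ("severing") of a record before release.
Purpose names, field names and the sample record are constructed, not from
the article."""
from __future__ import annotations

# Hypothetical purpose -> the only fields the recipient legitimately needs.
ALLOWED_FIELDS = {
    "insurance_claim": {
        "patient_name", "date_of_service", "diagnosis", "policy_number",
    },
}

# Identifiers that may be released only in masked form.
MASKED_FIELDS = {"policy_number", "ssn"}

# Constructed sample record; the note about the child mirrors the case above.
SAMPLE_RECORD = {
    "patient_name": "Jane Doe",
    "date_of_service": "1999-09-01",
    "diagnosis": "whiplash",
    "policy_number": "POL-12345678",
    "ssn": "123-45-6789",
    "family_history": "child given up for adoption, 1969",
}


def mask_identifier(value: str, visible: int = 4) -> str:
    """Replace all but the trailing `visible` characters with '*'."""
    text = str(value)
    if len(text) <= visible:
        return "*" * len(text)
    return "*" * (len(text) - visible) + text[-visible:]


def redact_record(record: dict, purpose: str) -> tuple[dict, list[str]]:
    """Return (released_copy, severed_field_names) for the given purpose.

    Unknown purposes raise KeyError: a copy with no approved field list is
    never produced, which keeps the default behaviour "release nothing".
    The severed-field list is what an auditor would want logged.
    """
    allowed = ALLOWED_FIELDS[purpose]
    released: dict = {}
    severed: list[str] = []
    for field, value in record.items():
        if field not in allowed:
            severed.append(field)  # irrelevant to the transaction: drop it
            continue
        released[field] = (
            mask_identifier(value) if field in MASKED_FIELDS else value
        )
    return released, sorted(severed)


if __name__ == "__main__":
    copy_for_insurer, dropped = redact_record(SAMPLE_RECORD, "insurance_claim")
    print("released:", copy_for_insurer)
    print("severed :", dropped)
```

The allow-list direction matters: listing the fields that may go out, rather than the fields that must be removed, means a newly added column (a free-text notes field, for instance) is withheld until someone decides it is needed for that purpose.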
Are employees trained never to leave computer terminals unattended when personally identifiable information is on the screen? Do you use password-activated screen-saver programs?
Are all employees who handle personal information -- including temporary, back-up and contract staff -- trained to be able to detect when they are being "pumped" for personal information by unauthorized and unscrupulous persons? "Pretext" interviews are more common than might be expected and are the stock in trade of persons bent on finding out confidential personal information to which they are not entitled.
E. Records Retention and Disposal
Case: An automobile dealer did not shred its loan applications before tossing them into the garbage. A "dumpster diver" retrieved one and used the financial information to commit thousands of dollars of fraud against someone who had applied for a car loan.
Does your organization have a records retention/disposal schedule for personally identifiable information, whether stored in paper, micrographic or magnetic/electronic (computer) media?
When disposing of computers, diskettes, magnetic tapes, hard drives and any other electronic media which contain personally identifiable materials, are all data erased (with an "initialize" process) and/or is the hardware destroyed?
When disposing of waste and recycling paper, are all documents which contain personally identifiable information placed in secure padlocked containers or shredded?
Does your recycling company certify its disposal/destruction methods?