Question

In: Computer Science

A finance company has a database of customer documentation, including application forms containing a substantial amount of personally identifiable information (PII). The database contains the records of over 10,000 customers. The database is only accessible from inside the network of the company – it is not directly exposed to the Internet.

i. Suggest a suitable data classification for this information held by this database and explain why this classification is appropriate.  

ii. Suggest one threat actor, and why they might want to compromise these data.

iii. Suggest one preventative security control that might be used to mitigate a threat against these data. Briefly explain how the control reduces the threat of the data being compromised.

Solutions

Expert Solution

1.) Personally Identifiable Information (PII) is widely characterised as "any information that could possibly identify a particular person" and may be sensitive or non-sensitive. Sensitive PII is information that may result in harm to the data subject when revealed to an unauthorised party. On the other hand, disclosure of non-sensitive PII would result in little or no harm to the data subject.

PII is specified as a person's first name or first initial and last name in combination with one or more of the following data elements:

  • Social Security number
  • State-issued driver's licence number
  • State-issued identity card number
  • Financial account number, in combination with a security code, access code or password that would allow access to the account
  • Medical and/or health insurance data

The aim of this Guideline is to create a structure for classifying institutional data as required by the University's Information Security Policy on the basis of its level of sensitivity, significance and criticality to the university. Data classification can help to define baseline security controls for data protection.

In order to understand why PII is so valuable to hackers, it is good to provide some examples to better understand what constitutes it. PII is any information that is attributed to an individual that identifies them and distinguishes individuals from one another. Examples include:

  • Social Security Number
  • Address
  • Phone Number
  • Driver’s License Number
  • Employer
  • Personal Habits or Interests
  • Biometric Data

Any information that an individual provides – whether on an online form, a voter's ballot, a retail transaction, etc. – constitutes PII. In turn, this makes the stolen information even more useful for mounting highly targeted attacks on individuals for any number of purposes. For example, a hacker can take a person's employee identification number and use it to uncover more sensitive information.

Types of PII-Related Data Breaches

There are multiple cybercrime scenarios that can involve PII. Bad actors may compromise direct consumer PII, target credit reports or conduct identity theft. Theft concerning PII can also serve as a means to another, greater end. For example, cybercriminals may target individuals who hold sensitive positions in corporate and government organizations for defamation, or to put their lives at risk.

Information that hackers steal can be used against targeted individuals in orchestrated attacks. Hackers may also leverage a PII-related cyberattack for other purposes, which just aren't as obvious. For example, consumers' PII can serve the purpose of monetary gain, such as a marketing commodity: a hacker may infiltrate a computing system to gain access to PII, which s/he can repurpose as marketing lists to sell products. Cybercriminals may also be capable of harvesting and aggregating data, gaining more insights and painting a clearer picture of their target(s) through data points.

3.) Encryption is well known by security pros for preventing data loss. It’s a core tool for the strategies and tools within Data Loss Prevention (DLP). Encryption protects your business from cybercriminals accessing sensitive data or employees making an unintended mistake with your data.

Our data has a lifecycle – in use, at rest, and in motion. It’s considered best practice to encrypt across all these stages because data can be intercepted by threat actors at any stage.

Most commonly, organizations encrypt the following data:

  • Company Intellectual Property or Proprietary Data
  • Company Financial Reports
  • Personally Identifiable Information
  • Research and Development Data
  • Sensitive Customer Data
  • Upcoming Product Launch Details

The employees can even encrypt sensitive emails from their laptops, phones, tablets, or any other device used to send and store data, to protect against any critical data exposure or loss.
