Ten Tips for Corporations to Protect Customer Information from Identity Theft

Cyberguard sent out an interesting press release today that provides “Ten Tips for Corporations to Protect Customer Information from Identity Theft”.

The list is pretty self-explanatory:

  1. Unless there is a specific reason that personal information is being stored, get rid of it. If information needs to be there, set a timetable for its length of stay and when it can be disposed of.
  2. Make sure that the server holding personal information is isolated to its own network with limited access. The network should be secured/protected by a strong firewall that protects from attacks at the network, protocol and most importantly the application layer.
  3. The server that contains the personal information should NOT allow direct connectivity to any user on the public Internet.
  4. The isolation of the database server should provide protection not only from the Internet but from other Internet facing servers as well as the internal network.
  5. Under no circumstance should the database server be permitted to initiate connections to the Internet.
  6. The controls afforded by the application layer defenses must include the ability to control not only what the database can query, but the explicit commands that can be run, as well as the number of responses per query.
  7. Both the security mechanisms and the database server should be operated on kernel hardened operating systems to mitigate the risk of operating system bugs or vulnerabilities.
  8. Strict controls of who can access the server should be in place, be enforced, and reviewed to validate the need for access rights.
  9. A multi-defense is your best defense; take full advantage of both security mechanisms available within the database application and strong encryption as well as security mechanisms of the application level firewall.
  10. All communication of personal data sent to/from the database across public and private networks should be permitted over encrypted channels (HTTPS / SSL, SSH).

[Dana Epp's ramblings at the Sanctuary]
