Major privacy concerns arise when an organization faces a wide variety of privacy issues. Organizations must always be aware of current security alerts and scams, must protect consumers' Personally Identifiable Information (PII), and must be knowledgeable of the current laws and regulations established to protect both the company and the consumer. The massive amount of data transmitted and stored during regular business hours puts companies at risk of privacy issues.
Areas that could cause major privacy issues include RFID tags, credit card transactions, wireless network usage, company-sponsored e-mail service, social media presence, and healthcare data collection practices. This paper is in response to the concerns of the CEO. First, I will address his concerns about the amount of data that is collected, stored and maintained within the company. Next, I will conduct an analysis of the sporting goods store for any potential privacy risks.
Then I will explain all potential security risks and the laws associated with those risks. Finally, I will address the security measures the sporting goods store can implement to diminish those risks.

Potential Privacy Risks

All of the privacy issues mentioned are primary concerns for the sporting goods store. Because the sporting goods store accepts credit card payments, it must protect and secure credit card information. The sporting goods store's e-mail server presents privacy risks to both employees and the company. The store's presence on social media is a further source of potential privacy risks that could adversely affect it. There are also potential privacy risks in the collection of healthcare data.
The increase of mobile devices, embedded devices, virtualization software, social media and the consumerization of IT are the top five security threats for healthcare organizations (Merrill, 2011).

1. So Many Mobile Devices, So Much Risk. Mobile devices are ever-present in society, and the number and variety of devices used by medical staff, patients and visitors have increased in healthcare organizations throughout the country. Providing network access is crucial when instant communication is needed to guarantee adequate patient care. It is recommended that organizations use a network access control (NAC) solution, which will allow them to recognize each user, connect each device, and look for threats.

2. Embedded Devices Become the Norm. As tablets and mobile devices with wide-area network and Wi-Fi capabilities – including medication scanners, patient-monitoring systems, and imaging devices – become more common, embedded connectivity makes tracking, monitoring and managing enterprise productivity easier while helping reduce errors (Merrill, 2011). These devices could expose the network to viruses and breaches.
It is recommended that they integrate a security solution to safeguard the integrity of the data and protect the network against vulnerabilities.

3. Virtualization from Desktops to Servers. It is suggested that 80 percent of organizations use a "virtualization" strategy so they can run more than one application on a server.
The strategy is achieved by using virtualization software, which allows servers to run multiple applications with limited investment in hardware and reduces energy costs, lowering an organization's carbon footprint (Merrill, 2011). It is recommended that these organizations ensure that the NAC solution can view hosted virtualized desktops (HVDs) in the same manner that it views a PC.

4. Viruses Spreading through Social Media. With the widespread use of social media, it is virtually impossible to block access to these sites.
The recommendation is to quickly identify infected devices, which will help maintain network security and safeguard critical data.

5. IT Becomes Consumer Friendly. Because more and more users are using their personal devices, organizations are finding them difficult to manage, which increases network security threats. The recommendation is to use a solid NAC system because it will help reduce the threat.

Security Risks and Applicable Laws

If the sporting goods store experienced a security breach, it would disclose customer information.
The law requires all businesses to protect employees' and customers' personally identifiable information (PII). Here are the areas that have been identified as risks for the sporting goods store, along with the pertinent laws and safety measures intended to protect everyone involved. Security risk associated with credit card payments: the sporting goods store has put itself at risk because it accepts credit card payments. It is imperative that the store comply with PCI DSS, which will allow it to protect cardholder information. The Payment Card Industry's (PCI) list of security measures, called the Data Security Standard (DSS), is a contractual agreement between a company and the credit card issuing company that safeguards consumer credit card information (Grama, Ch. 4).
Security risk associated with company e-mail: when employees use their company e-mail there is a risk of a phishing attack, which would jeopardize the system and expose private information. When employees use the company e-mail, the law does not consider the messages private; as a result, the employer has the authority to monitor all e-mail traffic on the server. Federal wiretap laws apply to intercepting e-mail communications on employer-owned equipment (Grama, Ch. 6).
Security risk associated with health screening: disclosing patient information. Any data being collected must be in compliance with the HIPAA Privacy and Security Rules and the HITECH government regulations. HIPAA protects the privacy and security of personally identifiable health information, and the HITECH Act enforces compliance with HIPAA privacy and security (Grama, Ch. 6).
Employee training should cover the dangers of malware, spam and phishing schemes, and should provide directions on how to detect and prevent these types of attacks. Provide notice of e-mail monitoring to employees in a written policy that employees are made aware of and completely understand (Grama, Ch. 2). While conducting health screenings, personnel should limit the amount of personally identifiable information (PII) they collect; only collect the information necessary to complete the health screening. This helps diminish the potential risk of medical identity fraud resulting from a breach.
It is also recommended that personnel use "active data collection," a practice that makes clear that data collection is in progress and identifies what is being collected. Companies must provide a security policy that clearly addresses social media use on workplace devices. The policy should include provisions governing employees' comments and the release of patient information by employees. The best way to secure social media accounts is to create a strong password, which will help deter hackers from trying to access the account. The company must restrict access to social media and allow only certain personnel to post information on behalf of the company.