You have been hired as an information security analyst at a small company called Astounding Appliances, which sells appliances online. Astounding Appliances owns and hosts all of its IT assets and forward-facing web applications onsite. The assets are about 5 years old, and the company is seeking to expand its operations in the next 5 years.
When existing or potential customers go to the Astounding Appliances webpage to shop for appliances, they are informed that the website collects cookies. Website cookies are small text files that are stored on a website visitor’s computer when the visitor views a website. The cookie files are updated if the visitor comes back to a webpage on a subsequent visit. The company uses cookies to remember visitors to the webpage and understand ways to enhance the visitors’ experience. Cookies are also used to provide access to a visitor’s account profile if the visitor has created a profile with the company.
If a customer orders an appliance, Astounding Appliances collects the customer’s name, address, telephone number, email address, and credit card information to process the sale transaction. Of course, to process the sale, the appliance make and model and the price of the appliance are documented and added to the customer’s transaction history record. All of this information is stored in the customer’s account profile, which is stored in the company’s customer database.
The company wants to expand the number of appliances it offers to its customers. The Astounding Appliances sales team is researching whether different categories of customers are more or less likely to buy high-end, expensive appliances. The sales team would like to collect the following information from visitors to the website to figure out what appliances the company should stock:
Household income level
Education level
Employment status
Veteran status
Whether a person is left- or right-handed
How many times a month a person eats a meal at a restaurant
Question 1. Identify the personal information that the company is already collecting from customers.
Question 2. Identify the personal information that the company is collecting from visitors to its website.
Question 3. Of the new data that the sales team wants to collect, which element do you think is the most sensitive? Why?
Question 4. Of the new data that the sales team wants to collect, which element(s) should have a privacy impact assessment (PIA) completed before data collection takes place? Why?