Chat with us, powered by LiveChat Instructions To complete this assignment, you will ne | Coms Paper



To complete this assignment, you will need the attached files and the the Small Merchant Guide to Safe Payments documentation (click link to download) from the Payment Card Industry Data Security Standards (PCI DSS) organization.

Please read the instructions carefully and ask questions if anything is unclear.  You must use the attached template to complete this assignment.  The PowerPoint presentation (PDF) Effective Professional Memo Writing provides other essential information to help guide your work on this assignment.

The ability to communicate effectively is a critical skill for all students and is required for success in the workplace.  UMGC has a variety of resources to help students.  The Effective Writing Center is available through the “Resources” link on the Navigation bar. You are strongly encouraged to avail yourself of these resources.  Your writing abilities will be graded as part of the assignment. 



Chief executive, anne arundel County


Your Name


Enter Subject



Risk Assessment Summary

This is only placeholder text, be sure to read the Assignment Instructions for specific details about what should be included in this section and the sections that follow. To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Be sure to remove any placeholder text before submitting your assignment. Do not change font size, type or page margins. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.


To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.

Concerns, Standards, Best Practices

To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own.

Example of a second paragraph: Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.

Action Steps

To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.



Writing: The

Adapted from a presentation by Xavier de Souza Briggs,

Department of Urban Studies and Planning, MIT

I F S M 2 01

Licensing Information
This work “Effective Professional Writing: The Memo”, a derivative of Effective Professional Writing: The

Memo, by the Massachusetts Institute of Technology, is licensed under a Creative Commons Attribution-

NonCommercial-ShareAlike 4.0 International License. “Effective Professional Writing: The Memo” by

UMGC is licensed under a Creative Commons Attribution-NonCommercial-

ShareAlike 4.0 International License.

“To do our work, we all have to read a mass
of papers. Nearly all of them are far too long.
This wastes time, while energy has to be
spent in looking for the essential points.
I ask my colleagues and their staffs to see to

it that their Reports are shorter.”

– W I N STO N C H U R C H I L L , AU G U ST 9 , 19 4 0

– S O U RC E ( A O N E PAG E R E A D ) : C H U RC H I L L’ S “ B R E V I T Y ” M E M O

Writing Memos

The context of professional writing

Why write memos?

How to write them?

How to make them better?


The Context

The workplace or field:

◦ Time is precious.

◦ Information has substantive as well as political implications.

The decision-maker as reader:

◦ Busy and distracted (attention “spread thin”), not necessarily patient while you get to the point.

◦ Info needs are varied, unpredictable, fluid.

◦ Decision-maker sometimes offers vague instructions.


Academic vs. professional writing

Differences (when writing concisely)

◦ The academic reader often demands nuance and relevance to established lines of thinking, while the
professional reader wants the “so what’s” for their decision making emphasized (relevance to their


◦ An academic assignment assumes a small and benevolent audience, but professional documents can be
“leaked,” end up in the hands of unintended readers.


◦ Strong essays and strong memos both start with your main ideas, but essays usually build toward
conclusion and synthesis. The memo’s conclusions are usually right up top.

◦ In both, persuasive argument = clear viewpoint + evidence

◦ In both, addressing counter-arguments tends to strengthen your case.


Top mistakes in memos

◦ off point or off task (major substantive

omissions, given the request);

◦ impolitic (risks political costs if leaked);

◦ inappropriate assumptions as to
background knowledge;

◦ no evidence.

◦ important info “buried,”

◦ no summary up top, format confusing,
not “skim-able.”

◦ Sentences long and dense,

◦ headings an after-thought.

◦ language too academic, too “preachy,”

or too casual;

◦ sentences long and/or dense.


Why write memos?

Professional communication

◦ Efficient

◦ Persuasive

◦ Focused

Two types of memos:

◦ Informational (provide analytic background)

◦ Decision or “action” (analyze issues and also recommend actions)


Consider Your Message in Context

Purpose Audience



Use a Clear Structure


◦ Summarize the entire memo

◦ Highlight major points to consider


◦ State the context


◦ Prove it, analyze it, address counter arguments (if any)


◦ Outline Next Steps or Next Questions


Action Memos: Recommend Decisions


◦ Summarize the entire memo, clearly, but more importantly, concisely

◦ State the broad recommendation(s)

◦ If the decision-maker reads only this section/paragraph, will he/she know what the situation
is/recommendation(s) is/are (without necessarily knowing specific action steps)


◦ Provide the context


◦ Prove it/Analyze it, perhaps with pros/cons by option (if there are multiple options)


◦ Outline next steps, don’t merely restate recommendation(s)


Tip: Construct a Clear, Concise,
Coherent Argument

In your opening summary, you may use more than one sentence to describe overall goals or

recommendations, however, as an exercise it typically helps to try to state your argument in one

sentence. Expand on the sentence as needed as your construct your opening summary.


◦ In order to recreate the organization’s image and reorganize our internal structure in the next 6 months,
we should focus on X, Y and Z.

◦ While the company is in compliance with State of California Privacy laws with respect to X, Y and Z, there
are two areas that still need to be addressed to reach our goal of 100% compliance: A and B.


2/23/22, 11:26 AM Ethics 1/17


Computers, like any other tool, can be used for the best of purposes or manipulated to

accomplish outcomes that are dangerous or illegal. There are well-established standards

or guidelines that define the appropriate use of information technology (IT) and all the

associated systems that support this technology—computers, networks, and so on. These

guidelines form the basis of IT ethics.

Codes of Conduct: The Particular to the General

We will begin our study of ethics in the information technology setting by looking first at

those issues that more immediately affect the employee in the document that describes

use of the organization’s IT resources: primarily computers and access to the internet.

Subsequently, we will investigate the policies and guidelines that define the employee’s

expected behaviors related to more than just IT use—the employee code of conduct.

Finally, we will look at the standards that outline the employee’s relationship to the larger

world outside the immediate organization.

User Access Agreements

Organizations expect employees to act ethically in all situations related to workplace

behavior and use of the employer’s resources. To act ethically means to make sound

decisions about what is right and wrong and to act accordingly. Every time employees log

onto their computers and click to accept the user access agreement, they agree to abide

by the rules specified by the user access agreement.

Learning Resource

2/23/22, 11:26 AM Ethics 2/17

Unauthorized “Surfing”

Rajiv is a new intern in the purchasing department at ABC Corporation. He

completed orientation and systems training during the first week at work and is now

eager to start working. Every morning Rajiv’s manager promises to meet and give

him assignments, but his manager just can’t seem to fit Rajiv’s training time into his

schedule. Day after day, Rajiv comes to work, logs into his computer, clicks “I

accept” on the user access agreement, then opens his company-provided email

account and the internet browser installed on his work computer.

Rajiv has internet access at work for conducting company business by email and for

ordering supplies and services. Since Rajiv doesn’t have any work to do, he

rationalizes that a little surfing on the computer wouldn’t hurt anything, and it

would keep him from getting so bored every day. The following week Rajiv’s

manager asks to speak with him privately. He tells Rajiv that he’s been fired for

surfing the internet, which violates the company’s user access agreement. Each time

Rajiv clicked “I accept” on the user access agreement, he agreed to abide by the

company’s policy.

The user access agreement consists of rules outlining the activities that are acceptable

and those that are not when using the employer’s computers, network, e-mail system,

website, databases, and any other forms of IT-related resources. This agreement is often

called an acceptable use policy. What type of language might such an agreement contain?

Acceptable Use Policy (adapted from UMGC, 2018):

Though the list here is brief, a well-written user access agreement will contain a longer

and more exact list of acceptable and unacceptable behaviors related to use of the

company’s computers and IT resources. Effective user access agreements will also contain

examples of what is considered acceptable and unacceptable use, along with the

sanctions or penalties for misusing the company’s resources. Generally, you will find

specific sections that deal with security, online etiquette, and valid use or misuse of the

organization’s resources.

1. Employees should use only the computer systems, network accounts, and computer

applications and files that they are authorized to use.

2. Employees may not use another employee’s network account or attempt to steal or

ascertain another employee’s password.

2/23/22, 11:26 AM Ethics 3/17

3. Employees are responsible for all computer resources assigned to them, including

both hardware and software, and shall not enable or assist unauthorized users to

gain access to the company’s network by using a computer.

4. Employees must not share their passwords with other employees or nonemployees

and must take all reasonable steps to protect their passwords and secure their

computer systems against unauthorized use.

5. Employees may not attempt to gain access to protected/restricted portions of the

company’s network or operating system, including security software and

administrative applications, without authorization.

6. Employees must not use the company’s computer resources to deploy programs,

software, processes, or automated transaction-based commands that are intended

to disrupt other computer or network users or damage software or hardware

components of a system.

7. Employees are responsible to promptly report any theft, loss, or unauthorized access

of the company’s network system, or illegal disclosure of any proprietary


Note: If you conduct additional research on the topics here, you may find differences in

how the components or documents are labeled: agreements, policies, guidelines,


An example of a modifiable template for a complete user access agreement

( (more

commonly called an acceptable use policy), is provided by the SANS Institute (2014).

Rajiv’s mistake was that he violated the user access agreement by surfing on the internet

when he didn’t have any work to do. Clicking “I accept” on the user access agreement is

necessary to gain computer access. It is of paramount importance to know and comply

with the terms of the agreement to maintain your computer access.

You might argue that Rajiv was never warned that his actions were violating the user

access agreement, or that his supervisor was at fault for not finding the time to complete

Rajiv’s training. The scenario is lacking several critical details as to why this action was

taken. The language of the user access agreement must be specific as to the actions to be

taken when a violation occurs. For example, Rajiv’s employment termination might have

been a result of a sanction such as this: “Failure to observe these policies will result in

immediate disciplinary action or termination at the discretion of the offending party’s

supervisor or department head.”

2/23/22, 11:26 AM Ethics 4/17

Rajiv had completed orientation and system training, and it is assumed that he knew the

contents of the user access agreement. And when Rajiv clicked on the “accept” button

when logging onto the internet, he was acknowledging that he understood the actions

allowed and prohibited by the user access agreement.

The Employee Code of Conduct

Expected Behaviors in an Organization

Compliance with the user access agreement is one of an employee’s expected behaviors

within the organization. A user access agreement is typically part of a larger document

that outlines both the mission of the organization and the organization’s approach to

employee behavior on the worksite. This document, often called the “employee code of

conduct,” contains the following (New South Wales Government, Industrial Relations,


So the user access agreement previously discussed would be a specific example of a set of

guidelines that might be found in such a document.

policies that outline the principles and practices that enable an organization to meet

its stated mission or purpose

the steps the organization will take in dealing with operational activities and how to

respond to requirements to comply with federal and state legislation and regulations

procedures that explain how to perform tasks and duties, who is responsible for

what tasks, and how the duties are to be accomplished

guidelines listing appropriate behaviors (and sanctions for violation of these

behaviors) related to a range of topics: harassment, safety, workplace attendance,

drug and alcohol use in the workplace, religious exercise, and computer use, for


These policies, steps, procedures and guidelines define the “what and when” for running

the organization and also define the organization’s expectations of all employees

collectively. The “what and when” in the organization means what needs to be done and

when it needs to be finished.

What’s the Difference Between Policies and Guidelines?

2/23/22, 11:26 AM Ethics 5/17

In an organization, employees are responsible for complying with both policies and

guidelines. Both are binding and are enforced, and both concern the organization’s

operation. The major differences between the two have to do with the authoring body

and specificity. Policies tend to be larger, relatively static documents authored and

approved by an organization’s governing body, most often its board of directors. Policies

are intended to be useful and applicable over time. To that end, they are normally written

with some degree of flexibility so that they can be adapted to changing circumstances.

Specific penalties and expectations are not usually included in a policy.

Guidelines are based on policy, but they tend to focus on a specific series of steps in the

functional area. Guidelines are normally approved and changed by the department or

division most affected by them. This approach puts authority in the hands of

knowledgeable staff. Because fewer individuals are involved in the drafting and approval

process, guidelines can be changed and adapted more quickly than policies. Guidelines are

typically much more explicit than policies in defining what’s allowed and specifying the

penalties for particular violations.

For example, an organization’s policy may state that everyone needs to have a user ID and

password to access a desktop computer. The organization’s guidelines may state that the

password must contain eight characters with at least two numeric digits and two

uppercase letters.

As a general rule, an employer expects you to behave as a responsible, mature, and ethical

person. In day-to-day terms, this means being respectful of your coworkers and of the

organization’s resources. Be aware that your use of the organization’s resources can have

an effect on others’ use of them. Broadly, it’s expected that you will:

As it relates specifically to use of computer resources, the code of conduct outlines the

employer’s expectation that computers, email, and the internet will be used primarily to

conduct the company’s business.

maintain the security and confidentiality of your user ID and password

take care of any property assigned to you

use your knowledge of organizational information in a responsible way

use the organization’s supplies and services for official purposes only

be respectful of others’ property and privacy rights

Professional Associations and Codes of Conduct

2/23/22, 11:26 AM Ethics 6/17

Codes of Conduct

We’ve covered the user access agreement and learned about an organization’s policies

and guidelines as applicable to the employee code of conduct within an organization.

Another way to look at what we’ve covered is that we first described the expected, ethical

behavior of the individual as outlined in the user access agreement. Next, we learned that

policies and guidelines define the “what and when” for running the organization and also

define the organization’s expectations of all employees collectively (as found in an

employee code of conduct).

Now, we take one step further in our discussion to describe general standards applicable

to and the behaviors that are expected of individuals who belong to professional

associations or who have obtained certifications in a particular field of expertise. How do

these codes of conduct differ from those written for a particular company, business, or


Many professional careers are not regulated by any external bodies such as federal and

state governments. Unlike doctors or accountants, for example, IT professionals do not

have specific regulations that govern their behavior, outside of established laws regarding

any type of illegal activity. Thus, professional organizations like those supporting IT

professionals develop a code of ethics, which is intended to guide and govern the

behaviors of its members. This, in one sense, is an attempt at self-regulation and ensuring

that the members demonstrate behaviors that reflect positively on the organization and

that profession as a whole.

When you look at the codes of ethics for such groups such as the Association for

Computing Machinery or the SANS Institute, you will find many of the same topics

addressed as those found within any single organization’s employee code of conduct—

being respectful of others’ property and privacy rights, using resources only when

authorized to do so, using knowledge of organizational information in a responsible way,

and the like. The basic elements of the code of ethics in professional associations revolve

around members conducting themselves “honorably, responsibly, ethically, and lawfully so

as to enhance the honor, reputation, and usefulness of the profession” (NSPE, 2007).

These professional associations provide a collective voice for members who are focused

on a particular field of expertise. The associations attempt to promote professional ethical

standards among their members. But the code of ethical conduct for a professional

association is written with less specificity than an employee code of conduct. The

contents are presented as standards of behavior and do not include the details of “who,

what, and when” that are found in an employee code of conduct. In a code of ethical

conduct for a professional organization, you might find phrases such as:

2/23/22, 11:26 AM Ethics 7/17

“I shall perform with honesty and integrity in all my professional relationships.”

” I shall not use my knowledge and experience in the field to take advantage of

others, thereby achieving personal gain.”

” I shall be willing to share my knowledge and expertise with others and always act

in such a way that reflects favorably on my profession.”

Of course, these same standards of behavior are part of any employee code of conduct,

but in that setting, there are generally specific policies and guidelines to be followed in

support of these standards. If we look at one item in all three documents (the ethical code

of conduct for a professional association, the employee code of conduct, and the user

access agreement), the same topic might be addressed in the following ways:

Ethical Code of Conduct

for a Professional


Employee Code of

Conduct User Access Agreement

“I shall protect the

privacy and

confidentiality of all

information entrusted to

“The employee will

maintain the security and

confidentiality of his/her

user ID and password.”

“The user ID and

password are to be used

only by the authorized

owner of the account and
only for the authorized

purpose specified by the

owner’s job description.”

An IT professional with a network engineering certification, faculty members in a

university with membership in the Middle States Association of College and Schools, or a

union plumber working on a construction site are a few examples of individuals who, by

virtue of their membership in a particular professional association, have subscribed to the

code of ethical conduct for that organization. Professional certifications and memberships

convey an assurance that the individual with the certification or membership has agreed

to abide by the established code of conduct.

One reason organizations hire certified professionals is to establish themselves as

organizations with competent and ethical professional employees. The rapidly changing

nature of technology makes a general standards approach very practical—it’s much easier

for organizations to rely on the credentials established by the certifying professional

organizations and boards than to hire employees without knowing their level of expertise

2/23/22, 11:26 AM Ethics 8/17

or their ethical and moral standing. An organization with a highly ethical and competent

staff distinguishes itself because the general standards of competency have a high level of

credibility in the workplace.

Standards and Behavior

Jenna is a network engineer and holds a Microsoft Certified Solutions Expert

(MCSE) certification. This certification attests to Jenna’s ability to design and

implement computer network systems. Chad holds several Certified Information

Systems Security Professional (CISSP) credentials. These credentials signify that

Chad has the experience to handle all issues related to information systems in

business environments, particularly those that relate to security of the systems. To

obtain these professional certifications and credentials, Jenna and Chad had to

agree to act in accordance with high moral and ethical standards in all activities

related to that profession. They also had to pass examinations to prove that they

had the appropriate subject knowledge. Therefore, a professional certification

attests not only to Jenna’s and Chad’s subject knowledge, but also to their high

ethical standards and behavior in their professional lives.

IT Ethical Issues

Software Piracy

Even though you have purchased a legitimate copy of this software for your use, lending it

to another person, even for a short time, is a violation of the license agreement you

agreed to when you installed the software on your machine. You are not allowed to lend

(or borrow) software, and doing so is a violation of copyright law. In general, US copyright

law makes it illegal to distribute or reproduce copyrighted work without the consent of

the copyright holder. These laws have a long history in the United States, and they are

rooted in the idea that strong intellectual property rights encourage invention and


2/23/22, 11:26 AM Ethics 9/17

Legal to Lend?

Jeff is upgrading his computer and has an old version of a document

creation/editing program. He asks to borrow your installation CDs for the newer

version of the same software application to load onto his machine until he has a

chance to purchase his own copy. You give him the CDs, and he loads the program

on his machine. But when he attempts to open the program, he gets notification

that he needs to register the application. He uses the activation code that is still

attached to the back of the set of CDs you lent him. Eventually, Jeff purchases his

own copy of the software and loads it on his machine.

It can be difficult to understand that software piracy is theft because the thief isn’t taking

anything physically, and because retail merchants are not present when the theft occurs. It

may seem strange that you can purchase something legally (like an iTunes song or an e-

book), and its use will become illegal if you load it more than the allowed number of times.

On the other hand, If you purchased a hardcover or paperback book, a music CD, or a

movie on a DVD, you can lend that item to as many people as you wish (as long as they do

not make copies).

Piracy, a type of software theft, occurs when software is illegally copied, registered,

activated, released, or sold. Software includes data files, music files, videos, pictures, game

files, e-books, computer applications, and operating system programs.

Software owners register or copyright their work to protect it. Software owners specify

the method and terms by which the software is distributed or shared with users. So if you

purchase a song from the iTunes store, you can load it or sync it with as many Apple

devices as you own and up to five computers that you own, but you cannot legally sync or

load songs from someone else’s computer or Apple device to yours. To do so would

constitute an infringement of the copyright on the song and transfer process claimed by

Apple. Or you can purchase an e-book and download it to your computer and then

transfer it to one or more electronic readers that you own—but you cannot transfer the

book legally to someone else’s electronic reader.

The victims of piracy are software manufacturers, writers, programmers, and owners of

the software. Ultimately, legitimate customers who purchase software are victims of

piracy as well, because the purchase price of software must increase in order to cover the

losses incurred by theft.

What Is Copyright and Does It Really Apply to Digital Media?

2/23/22, 11:26 AM Ethics 10/17

What Is Copyright?

Copyright refers to a series of rights that are granted to the author of an original work.

These rights focus on the reproduction and distribution of the work—specifically, “the

right to control copying.” Copyright owners are essentially given two specific entitlements:

the right to exploit their own copyrighted work, and the right to stop others from doing


In the United States, copyright is automatically granted to the creator of a work.

Copyright protection remains in effect for the life of the author plus an additional 70

years. Although individuals and companies concerned about protecting their copyright will

often place an explicit copyright notice on the work (e.g., “© 2010, all rights reserved”),

this notice is not required for the work to qualify for copyright protection.

What Can Be Copyrighted?

US law specifies eight general types of works that are copyrighted. These works are

specified below:

These include CDs, DVDs, video games, software, songs, poems, movies, plays, books,

databases, label designs, photographs, and websites.

literary works

musical works

dramatic works

pantomimes and choreographic works

pictorial, graphic, and sculptural works, including fabric designs

motion pictures and other audiovisual works

sound recordings

architectural works

What Cannot Be Copyrighted?

According to the US Copyright Office, “Copyright does not protect facts, ideas, systems,

or methods of operation, although it may protect the way these things are expressed.”

2/23/22, 11:26 AM Ethics 11/17

It’s important to point out that as a university student, you are likely going to be creating

original work throughout your academic career. Copyright law applies to you not just as a

consumer, but also as a creator of original work. In that capacity, copyright can protect the

work you own from being used without your permission. Do you think asserting your

rights under copyright law in your student work is never worth the time and effort?

Consider these cases:

What’s Special About Digital Media?

Student Sues Professors Over Intellectual Theft




Who Owns Your Great Idea?



Given that copyright law has more than 300 years of history behind it, why has this issue

suddenly become so contentious and prominent in the news? Has copyright law always

been as problematic as it is today? For most of its history, the topic of copyright has been

reasonably established and settled. It’s only recently that the topic has become so

newsworthy. Much of this attention is the result of changes in technology that make

reproduction and distribution much easier. Think of how much easier it is to distribute a

document digitally than in paper form, or to send friends a digital image compared to

mailing a printed photograph.

Since that case, technology has continued to lower the cost and burden of reproducing

copyrighted work, most particularly media files—text, images, and audio and video

recordings. Similarly, advances in telecommunications have reduced the cost of

distributing such files. Much of the current controversy stems from the combination of

personal computers and the internet. Together, these technologies make reproducing and

distributing copyrighted work exceptionally inexpensive. These technologies have enough

potential to affect copyrighted works for which laws were put in place in the United

States specifically to address the issue.

Current concerns over copyright have their roots in the 1970s, when Sony popularized

videocassette recorders (VCRs). Until then, reproducing and distributing most forms of

copyrighted work required expensive equipment. The expense of reproduction generally

protected copyright holders from easy reproduction of their work. The widespread

consumer adoption of the VCR suddenly made reasonably high-quality reproduction of

2/23/22, 11:26 AM Ethics 12/17

copyrighted works easy and inexpensive. Concerned movie studios filed lawsuits against

Sony, culminating in a Supreme Court case


that protected the use of potentially copyright-infringing technology when the technology

in question had other (noninfringing) uses.

The Digital Millennium Copyright Act (DMCA) of 1998

As advances in technology made copyright infringement easier and less expensive, major

copyright owners sought additional protections to make such infringements easier to

penalize. At the same time, because the internet plays such a prominent role in this

potential infringement, both internet service providers (ISPs) and online service providers

(OSPs, those that host websites on the internet) sought limits on their own liability if their

networks and systems were used as a conduit to infringe on copyright.

Congress was concerned that without limiting the liability of online service providers, the

efficiency and growth of the internet as an important technology would be stifled. The

Digital Millennium Copyright Act (DMCA) was the legislative product of this controversy.

The law specifically sets out expectations and safe harbors for ISPs. Under the DMCA,

ISPs are encouraged to provide and improve online services such as network access

(thereby allowing their users to transfer files), but if illegal activity is detected, the ISP is

obligated to ensure that these illegal transfers or publications of copyrighted materials do

not continue.

So does the DMCA protect the copyright holder or just set the liability limits for OSPs and

ISPs? If you find that digital material for which you hold the copyright is appearing on a

site owned/managed by an online service provider (OSP) such as Facebook, Twitter,

YouTube, etc., you have the right to demand that the OSP remove the material. This is

called a “takedown notice,” and when an OSP receives such a notice, it is required to

remove or disable access to the accused material to avoid being held liable. This portion of

the DMCA “gives individual authors more power to protect their rights. At the same time,

the DMCA takedown mechanism has certain safeguards in place to protect the rights of

those who have a right to publish material that is not infringing” (Liu, 2013).

Under the DMCA, copyrighted works are given specific protections that prohibit the

circumvention of technological measures that control access to and prevent unauthorized

duplication of copyrighted works. The law also increased penalties for copyright


The DMCA goes beyond penalizing those for reproducing copyrighted software. Under

the law, it is illegal to bypass any protection the software manufacturer built into the

software. Developing, selling, and owning the tools to carry out the bypass are also illegal

2/23/22, 11:26 AM Ethics 13/17

under the law.

Prosecutions for copyright infringement and related news coverage of the issues of

copyright protection …

Professional Memo 1

IFSM 201 Professional Memo

Before you begin this assignment, be sure you have read the Small Merchant Guide to Safe

Payments documentation from the Payment Card Industry Data Security Standards (PCI DSS)

organization. PCI Data Security Standards are established to protect payment account data

throughout the payment lifecycle, and to protect individuals and entities from the criminals who

attempt to steal sensitive data. The PCI Data Security Standard (PCI DSS) applies to all entities

that store, process, and/or transmit cardholder data, including merchants, service providers, and

financial institutions.

Purpose of this Assignment

You work as an Information Technology Consultant for the Greater Washington Risk Associates

(GWRA) and have been asked to write a professional memo to one of your clients as a follow-up

to their recent risk assessment (RA). GWRA specializes in enterprise risk management for state

agencies and municipalities. The county of Anne Arundel, Maryland (the client) hired GWRA to

conduct a risk assessment of Odenton, Maryland (a community within the Anne Arundel

County), with a focus on business operations within the municipality.

This assignment specifically addresses the following course outcome to enable you to:

• Identify ethical, security, and privacy considerations in conducting data and information
analysis and selecting and using information technology.


Your supervisor has asked that the memo focus on Odenton’s information systems, and

specifically, securing the processes for payments of services. Currently, the Odenton Township

offices accept cash or credit card payment for the services of sanitation (sewer and refuse),

water, and property taxes. Residents can pay either in-person at township offices or over the

phone with a major credit card (American Express, Discover, MasterCard and Visa). Over the

phone payment involves with speaking to an employee and giving the credit card information.

Once payment is received, the Accounting Department is responsible for manually entering it

into the township database system and making daily deposits to the bank.

The purpose of the professional memo is to identify a minimum of three current controls

(e.g., tools, practices, policies) in Odenton Township (either a control specific to Odenton

Township or a control provided by Anne Arundel county) that can be considered best

practices in safe payment/data protection. Furthermore, beyond what measures are

currently in place, you should highlight the need to focus on insider threats and provide a

minimum of three additional recommendations. Below are the findings from the Risk


• The IT department for Anne Arundel County requires strong passwords for users to
access and use information systems.

Professional Memo 2

• The IT department for Anne Arundel County is meticulous about keeping payment
terminal software, operating systems and other software (including anti-virus software)


• Assessment of protection from remote access and breaches to the Anne Arundel network:
Odenton Township accesses the database system for the County when updating resident’s

accounts for services. It is not clear whether a secure remote connection (VPN) is

standard policy.

• Assessment of physical security at the Odenton Township hall: the only current form of
physical security are locks on the two outer doors; however, the facility is unlocked

Monday-Friday, 8am-5pm (EST), excluding federal holidays.

• Employee awareness training on data security and secure practices for handling sensitive

data (e.g., credit card information) are not in place.

• The overarching conclusion of the risk assessment was that Odenton Township is not

fully compliant with the PCI Data Security Standards (v3.2).

Note: The Chief Executive for Anne Arundel County has asked for specific attention be paid

to insider threats, citing a recent article about an administrator from San Francisco (see

Resources). Anne Arundel County wants to understand insider threats and ways to mitigate

so that they protect their resident’s personal data as well as the County’s sensitive

information. These are threats to information systems, including malware and insider threats

(negligent or inadvertent users, criminal or malicious insiders, and user credential theft).

Expectations and Format

Using the resources listed below, you are to write a 2-page Professional Informational Memo to

the Chief Executive for Anne Arundel County that addresses the following:

• Risk Assessment Summary: Provide an overview of your concerns from the risk

assessment report. Include broad ‘goal’ of the memo, as a result of the risk assessment,

the broad recommendations. Specific Action Steps will come later. The summary should

be no more than one paragraph.

• Background: Provide a background for your concerns. Briefly highlight why the

concerns are critical to the County of Anne Arundel and Odenton Township. Clearly

state the importance of data security and insider threats when dealing with personal credit

cards. Be sure to establish the magnitude of the problem of insider threats.

• Concerns, Standards, Best Practices: The body of the memo needs to justify your

concerns and clarify standards, based on the resources listed below, at minimum. The

PCI DSS standards are well respected and used globally to protect entities and

individual’s sensitive data. The body of the memo should also highlight three current

controls that are considered best practice; that is, you should highlight the positive,

what is currently in place, based on the risk assessment.

• Action Steps: Provide a conclusion establishing why it is important for Anne Arundel

County to take steps to protect residents and county infrastructure from insider threats

based on your concerns. Recommend a minimum of three (3) practical action steps,

including new security controls, best practices and/or user policies that will mitigate the

concerns in this memo. Be sure to include cost considerations so that the County is

Professional Memo 3

getting the biggest bang for the buck. The expectations are not for you to research and

quote actual costs, but to generalize potential costs. For instance, under the category of

physical security, door locks are typically less expensive than CCTV cameras.

• Be sure to review the PowerPoint presentation (in pdf format) Effective Professional

Memo Writing that accompanies these instructions.

• Use the Professional Memo template that accompanies these instructions.

o Use four section subtitles, in bold.

▪ Risk Assessment Summary

▪ Background

▪ Concerns, Standards, Best Practices

▪ Action Steps

o Do not change the font size or type or page margins.

o Do not include any graphics, images or ‘snips’ of any content from copyrighted

sources. The PCI Standards (PCI DSS) document is copyrighted material.

o Paragraph text should be single spaced with ONE ‘hard return’ (Enter) after each

paragraph and after each section subtitle. Note: Do not create a new ‘paragraph’

after each sentence. A single sentence is not a paragraph.

o ‘Subject’ is the subject of your memo, not the course name or number.

o Be sure to remove any remaining ‘placeholder’ text in the template file before


o The length of the template when you download it is NOT the intended length of

the entire memo. Your completed memo should be between 1.5 pages and 2

pages (total document, including the To:/From:/Re:/Subject header).

*Note: the Professional Memo is to be in a MS Word file and all work is to be in the

student’s own words (no direct quotes from external sources or the instructions) *

APA documentation requirements:

• As this is a professional memo, as long as you use resources provided with or linked

from these instructions, APA documentation is NOT required.

• Citing material or resources beyond what is provided here is NOT required.

• However, you should use basic attribution and mention the source of any data, ideas

or policies that you mention, which will help establish the credibility and authority of

the memo.

o For example, mentioning that the Payment Card Industry Data Security

Standards (PCI DSS) identify a certain control as best practice holds more

weight than simply stating the control is a best practice without basic


o Mentioning that Wired Magazine reported that a City of San Francisco IT

technician effectively hijacked and locked 60% of the city’s network capacity,

is more effective than saying “I read somewhere that…”

Professional Memo 4


1. Examples of Security Breaches Due to Insider Threats

San Francisco Admin Charged With Hijacking City’s Network
Microsoft database leaked because of employee negligence

General Electric employees stole trade secrets to gain a business advantage

Former Cisco employee purposely damaged cloud infrastructure

Twitter users scammed because of phished employees

2. PCI DSS Goals:


Professional Memo 5

3. References

FBI. (2021). The Insider Threat: An Introduction to Detecting and Deterring an Insider Spy.

PCI DSS. (2021, Feb. 12). Payment Card Industry Security Standards.

Jingguo Wang, Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis

of attack-proneness of information systems applications. MIS Quarterly, 39(1), 91-A7.



Professor Messer. (2014). Authorization and access control [Video file]. YouTube.

U.S. DHS. (2021). Insider Threat.


Wizuda. (2017). Data anonymisation simplified [Video file]. YouTube.

Yuan, S., & Wu, X. (2021). Deep learning for insider threat detection: Review, challenges and

opportunities. Computers & Security. https://doi-

Keywords: risk assessment, insider threats, data security

Submitting Your Assignment

Submit your document via your Assignment Folder as Microsoft Word document, or a document that can

be ready using MS Word, with your last name included in the filename. Use the Grading Rubric below to
be sure you have covered all aspects of the assignment.

Professional Memo 6



Far Above


Above Standards

Meets Standards

Below Standards

Well Below




Summary of



15 Points

Summary is highly

effective, thorough
and professional.

12.75 Points

Summary is

effective, thorough
and professional.

10.5 Points

Summary is

effective, thorough

and professional.

9 Points

Summary is


0-8 Points



for this section

are severely

lacking or






(to the Client)

of Data

Security and



10 Points

Discussion of

ba5ckground, data

security and
insider threats is

highly effective,
thorough, and


8.5 Points

Discussion of

background, data

security and insider
threats is effective,

thorough, and

7 Points

Discussion of

background, data

security and
insider threats is


thorough, and


6 Points

Discussion of

background, data

security and
insider threats is


0-5 Points



for this section
are severely

lacking or




Best Practices:


Concerns and



15 Points

Discussion of
concerns and

standards is highly

thorough, and

12.75 Points

Discussion of
concerns and

standards is
effective, thorough,

and professional.

10.5 Points

Discussion of
concerns and

standards is

thorough, and


9 Points

Discussion of
concerns or

standards is

0-8 Points


for this section
are severely

lacking or




Best Practices:

Three current


identified and

justified as

best practice

15 Points

Three highly

relevant current
practices are

offered and
justified as best

practices. Overall

presentation is
clear, concise, and


12.75 Points

Section may be

lacking in number

or relevancy or

justification or


10.5 Points

Section is lacking

in number of

or relevancy or
justification or



9 Points

Section is lacking

in two or more of
the following:

number of

or relevancy or

justification or


0-8 Points


for this section

are severely
lacking or



Professional Memo 7

Action Steps:



ons minimum

identified and




discussion of



20 Points

Three highly


are offered and
justified, with


discussion of cost

presentation is

clear, concise, and


17 Points

Section may be

lacking in number

or relevancy or

justification or a

discussion of cost
considerations or


14 Points

Section is lacking

in number of

or relevancy or
justification or a

discussion of cost

considerations or


12 Points

Section is lacking

in two or more of
the following:

number of

or relevancy or

justification or a
discussion of cost

considerations or


0-11 Points


for this section

are severely
lacking or






10 Points

Overall use of
basic attribution is

highly effective in

credibility and

8.5 Points

Overall use of basic
attribution is

effective in

credibility and

7 Points

Overall use of
basic attribution is

partially effective
in establishing

credibility and

6 Points

Overall use of
basic attribution

is partially
effective in

credibility and


Additional basic
attribution may

have been

0-5 Points

Overall use of

was minimally

effective or
not used.






n needed only

if sources

external to the


are introduced

15 Points


reflects effective

organization and

writing; follows

provided; uses

correct structure,
grammar, and

spelling; presented
in a professional

format; any
references used

are appropriately

incorporated and
cited using APA


12.75 Points

Submission reflects


organization and
clear writing;

follows instructions
provided; uses

correct structure,

grammar, and
spelling; presented

in a professional
format; any

references used are

incorporated and

cited using APA

10.5 Points

Submission is

adequate, is

organized, follows

provided; contains

minimal grammar

and/or spelling
errors; and follows

APA style for any
references and

9 Points

Submission is not

well organized,

and/or does not

provided; and/or


grammar and/or
spelling errors;

and/or does not
follow APA style

for any
references and

citations. May

inadequate level

of writing.

0-8 Points

Document is

poorly written

and does not
convey the






2/23/22, 11:27 AM Privacy 1/11


Introduction to Privacy

You might say that your entire life is stored somewhere online—in medical records, tax

records, driver’s license records, credit reports, and so on. Because so many of the records

that contain identifying information about you are stored on computers, it is important

that the places where these records are kept are readily accessible but still secure from

unauthorized users. You have a role as well in keeping your own information secure. In

this module, we will look at what constitutes personally identifiable information (PII) and

the steps to ensure it is accessed only by those who have a need to see it.

Consequences of Identity Theft

Learning Resource

2/23/22, 11:27 AM Privacy 2/11

A Host of Emails

Maya’s friends and family started asking her about the barrage of emails she was

sending to everyone. The subject lines in the e-mails were blank, and the messages

contained only links to unknown websites.

Maya checked her sent messages and found that numerous messages had been sent

to her friends and family from her account without her knowledge. She started to

think something was wrong. She didn’t know what to do.

Later that day, Maya was checking Facebook and noticed that a message had been

sent to all her friends on Facebook with a link to a video she had never seen before.

“What is going on?” she wondered.

Finally, she got a call from her friend Alvin, who told her that he had received one of

the suspicious emails, and he recognized it as a malware infection.

Many people find themselves in situations similar to Maya’s. This scenario addresses some

of the threats and consequences encountered in the online environment. They parallel the

threats and consequences of everyday life. We all know there are bad people in the world.

We learn at a young age not to take candy from strangers, not to let a stranger in the

door, and not to leave valuables unattended. We lock our doors, park in well-lit areas, and

avoid seedy neighborhoods at night. We learn how to be safe and avoid the threats in the

world. The same goes for the online world.

Personally Identifiable Information

So, what are the threats you might encounter in the online world? Theft, particularly of

your personally identifiable information (PII), tops the list of information data thieves are

after. PII is any piece of information that can potentially be used to uniquely identify,

contact, or locate a particular person. PII includes your full name, or first initial with your

last name, linked to your social security, bank account, credit card, or driver’s license

number. PII is generally kept private and is often used for financial, medical, or research


2/23/22, 11:27 AM Privacy 3/11

Personally Identifiable Information (PII)

Source: Janet Zimmer.

With this kind of information, malicious individuals and intruders can commit identity

theft. Identity theft occurs when someone uses another person’s PII to take on that

person’s identity in order to commit fraud or other crimes. Imagine the inconvenience of

having to close your bank account and open a new one, or trying to convince your credit

card company that you are not responsible for certain charges.

Your online user ID and password are at the top of the list of information that malicious

people are after. You probably have multiple user IDs and passwords for websites you

visit, various online accounts, and your email account. User IDs and passwords can

provide access to additional PII or other information you would like to keep confidential.

For example, you may have stored personal information in your email account profile,

privacy settings, and security settings. If someone gets access to your e-mail ID and

password, he or she may gain access to additional PII. Also, users sometimes include their

calendars or vacation plans in email or online postings, which can make those users

potential targets for home robberies.

2/23/22, 11:27 AM Privacy 4/11

Other than trying to access your account and personal information, malicious individuals

may also be interested in compromising your computer and other connected resources,

such as an iPad, smartphone, or Xbox. What do intruders do when they compromise these

resources? They send spam, launch attacks on others, store files, advertise services,

capture keystrokes, snoop for additional targets of value, and generally exploit whatever is

available or profitable.

Why Would Someone Want to Trick You into Providing PII?

An attacker may be trying to steal your personal information for financial gain. For

example, an attacker could use your bank account number, or the username and password

for your online banking site, to withdraw money from your account.

Stolen PII can also be used to obtain and create personal documents, such as obtaining a

birth certificate to create a driver’s license, and then using the documents to get a fake

passport. An attacker might steal your social security number to open a credit card in your

name. For this and other reasons, it is recommended that you provide only the last four

digits of your social security number to verify your identity.

Social Engineering

The “Lost” USB Drive

On the floor of a hallway in her office building, Mary finds a USB drive, also called a

USB flash drive. Thinking that it must belong to one of her coworkers, she plugs the

USB drive into her computer so that she can look at what is stored on it and attempt

to find its owner. Two days later, Mary’s computer is suspended from the network

due to a malware infection. A malicious person had left the USB drive on the floor,

hoping to lure someone into launching the malware that was set up to run

automatically when the USB drive was plugged into a computer.

Social engineering is a technique whereby a malicious person uses deception to gain your

trust and to trick you into providing information you would not freely give. Social

engineering is usually associated with identity theft.

2/23/22, 11:27 AM Privacy 5/11

Trying to Help

For instance, if a stranger calls your cell phone to ask for your company ID and

password, you would likely refuse to provide the information and hang up. But when

the same person calls you and introduces himself as a staff member from the help

desk, you might not hesitate to provide any information the caller is asking for, even

your personally identifiable information.

Types of Social Engineering

Social engineering by e-mail. You may receive an email explaining that your Yahoo

account is about to be disconnected. In order to prevent this from happening, you are

prompted to provide personal information such as your user ID, password, and full name.

If you respond to this phishing email with the requested information, you will have given a

hacker access to your email and to PII located within your account.

Social engineering by phone. Pretending to be someone in a position of authority at a

phone company or bank, a hacker calls to persuade the user to provide sensitive


Social engineering by dumpster diving. Also known as trashing, a hacker searches for

sensitive information such as bank statements, preapproved credit cards, and student loan

paperwork in the garbage. To prevent becoming a victim of dumpster diving, it is wise to

shred documents with sensitive information.

Online social engineering. Hackers often try to trick users into providing sensitive

information via e-mail, instant messaging, chat rooms, social networking sites, and the like.

For instance, a hacker will send a fraudulent email claiming to be a banking institution,

credit card company, or department store. The hacker requests that the user verify his or

her user name, password, and user ID, either by responding to the email or by clicking on

a link that directs the user to a legitimate-looking, but fake, website.

Reverse social engineering. A hacker poses as a technical aide to fix a computer problem

that he or she actually created, or that doesn’t exist at all. The user contacts this aide and

is then prompted to give sensitive information to the aide in order to fix the problem. The

user provides the required information and the problem seems to be solved.

2/23/22, 11:27 AM Privacy 6/11

Social engineering with USB drives. Hackers can also use USB drives to gain access to

sensitive information kept on a computer or network. Hackers may infect one or more

USB drives with a virus or Trojan horse, that, when run, will provide hackers with access

to log-ins, passwords, and information on a user’s computer. The hacker may then leave

the infected USB unattended on the floor, in or next to a computer in an open lab, in

hallways, in restrooms, or in any other area with a relatively high volume of traffic. A user

who finds the USB drive may install the device in order to locate its owner, thus allowing

the virus or Trojan horse to infect the computer. The hacker is then able to get PII from

the infected computer and proceeds to victimize the user of that machine.

Note that social engineering, as illustrated in these examples, does not rely on technical

prowess, but rather on tricking other people into deviating from normal security

procedures. Being aware of some of the commonly used social engineering schemes

should make you more alert and help you avoid becoming a victim.


The most common online social engineering method is “phishing,” when an attacker goes

“fishing” for personal information, such as a user account name and password, a credit

card number, a social security number, or some other piece of information that is

considered valuable. Typically, an attacker lures victims into providing this information

using fraudulent emails or websites as bait.

In this section, you will be introduced to the most common methods of phishing, some key

indicators that can help you recognize phishing attempts, and strategies to protect

yourself from falling victim to a phishing attack.

In a study conducted at Carnegie Mellon University in 2009, researchers found that across

university departments, years of study, and gender, students aged 18 to 25 were

consistently more vulnerable to phishing attacks than older participants. A complete

presentation of the study results can be found at

Here is a summary of the study (Blair, Cranor, & Kumaraguru, 2009):

Some Study Findings

In 2005, it was estimated that 73 million US adults received more than 50 phishing

emails each.

2007 statistics estimate that 3.6 million adults lost $3.2 billion in phishing attacks.

2/23/22, 11:27 AM Privacy 7/11

Financial institutions, corporations, and military communities are also victims.

Why Phishing Works

Phishers take advantage of internet users’ trust in legitimate organizations.

Internet users may lack computer and security knowledge.

Not all internet users use good strategies to protect themselves.

What Are Antiphishing Strategies?

Find and take down phishing websites.

Detect and delete phishing emails.

Warn other users about the threat.

Use antiphishing toolbars and web browser features.

Train users not to fall for attacks.

Carnegie Mellon designed a training package and a laboratory experiment to determine if

training helped users detect phishing emails.

Things learned from the laboratory experiment (Blair, Cranor, & Kumaraguru, 2009):

Security notices are ineffective for training users.

Users with embedded training make better decisions than those sent security


Participants retained knowledge after seven days.

Training does not increase false positive errors.

Before training, traditional-age students (18-22 years of age) are significantly more

likely than staff to fall for phishing schemes.

How Would a Cyber Criminal Attempt to Phish Your Personal


Email is one of the most common vehicles for phishing. You may receive an email that

looks and feels legitimate—from a friend, an entity with whom you have an account (such

as eBay, PayPal, or Citibank), or a business contact. The message might prompt you to

2/23/22, 11:27 AM Privacy 8/11

verify your account number or your user ID and password, either by immediately replying

to the email or by clicking a link that directs you to a fraudulent web page.

Sample Phishing Email

Recently, many Fakebank account holders received an email message from

[email protected]” with the subject “Important Security Update.” The message,

shown below, claimed to be from Fakebank and prompted recipients to validate their

“account ownership security” to avoid suspension by clicking on a link to a fake version of

Fakebank’s web log-in page. Account holders who visited the fake website and provided

their user IDs and passwords gave a cyber criminal access to their online financial records.

Subject: Important Security Update

Date: Monday, 5 April 5, 2016

From: Fakebank ([email protected])

Dear Valued User,

Your Account security validation has expired. This may be as a result of wrong or

incomplete data entered during the last update.

It’s strongly required that you should validate your account ownership security, to avoid

service suspension.

Login to Fakebank at

We apologize for any inconveniences caused.

Security Department,


Protecting Yourself Against Phishing

Since protecting your PII is important in protecting yourself against identity theft, let’s

take a deeper look at how you can distinguish legitimate emails from phishing attempts.

Keep in mind that most phishing messages have an urgency, warning you to respond


The email is most likely a phishing attempt if:

2/23/22, 11:27 AM Privacy 9/11

the message is alarmist and warns you to respond immediately to verify account

information or take advantage of an offer. Often there’s a threat of dire


the message does not address you by name or include other identifying information.

the message includes long links that don’t make sense or misspells the company

name in a URL.

the message includes misspellings and grammatical errors.

If you suspect you received a phish, simply delete the email. Do not respond to the email,

click on an embedded link, or open the attachment. If you are not sure, verify the

legitimacy of the message by contacting the supposed sender through an alternate

communication channel. Don’t use the contact information provided in the suspicious

email; instead, use a phone number you obtain directly from a bank statement, use an

existing bookmarked URL to log in to your provider’s site, or use an email address that

you’ve successfully used before.

Putting It All Together

Threats on the internet are similar in concept to threats on the highway. You are better

protected when you follow traffic regulations and take certain precautions. Good safety

measures include keeping your car maintained, fastening your seatbelt, stopping at stop

signs and traffic lights, and avoiding potholes. To avoid theft, you keep your valuables

locked away, out of sight. You lock your car.

Take the same types of security and safety measures with your computer and on the

network. Keep your computer running well by updating your software and backing up

your files regularly. Install antivirus software and make sure it updates daily. Avoid

opening the door to untrusted sources by not opening their attachments, not clicking on

their links, not installing their software, and not providing them with your sensitive data or

password. Protect your personal information from theft by locking it behind strong

passwords that you do not share with others. Physically lock your computing devices

when unattended.

Remember, prevention is the best protection.

Visit the Federal Trade Commission’s website at for resources on

deterring, detecting, and defending against identity theft.

2/23/22, 11:27 AM Privacy 10/11

Protecting Your Privacy

Considering every possible threat to your information and resources is probably not

realistic. Most of us don’t have the time or resources to commit to predicting the long-

term outcomes of our every action.

Rather than trying to analyze every action, it’s helpful to rely on some general rules to

protect your PII.

Keep your passwords to yourself and change them regularly. Most cases of PII can

be avoided simply by maintaining a strong password and not sharing it.

Use different passwords for different accounts. Remembering multiple passwords

can be a challenge, and it’s often convenient to use the same password for multiple

accounts, from Facebook and your bank account to your UMGC ID and Twitter

accounts. The danger is that a compromise of any one of these accounts could also

result in the compromise of others, if the same password is used for multiple


Use strong passwords. Many of your user IDs require strong passwords to gain entry

into one or more systems. In those instances when you can choose any password

configuration, pick a strong password to protect your information. Changing strong

passwords often is the most important thing you can do to keep your PII safe.

Check your credit reports annually. Sometimes people don’t learn that they are

victims of identity theft until their credit rating and identity are destroyed. It’s

proactive to get copies of your credit reports from the credit bureaus and review

them for errors. Follow up with the credit bureaus to make corrections to your

reports if needed. By law, you can get one free credit report from each of the three

credit bureaus every year.

“Google” yourself. Enter your name in a search engine and see what data comes up.

Investigate postings about yourself in the information that you find. Look for

suggestions that your PII may be compromised.

Remember that people can be a weak link in security. No matter how secure you

make passwords and how careful you are with technology, there is always a human

element to protecting your information.

Control physical access to your devices. It’s important not to leave laptops and

other mobile devices unattended in public locations, like a coffee shop or other

places with free Wi-Fi. An unattended machine is at risk, both for theft and for other

security threats. When you aren’t controlling physical access to your machine (by

locking it in your room), don’t let it out of your sight.

2/23/22, 11:27 AM Privacy 11/11

Remember to log out or lock your computer when you are finished using

it. Whether it’s your email, bank account, Target shopping account, or library

account, always remember to log out when you leave the website.

Remember to lock your computer with a password when you are finished using

it. By requiring a password to access your computer or other electronic device, you

are helping to protect your information. You are also making your computer useless

to a thief who cannot break password locks.


Blair, M. A., Cranor, L. F., & Kumaraguru, P. (2009). Results from “Help us protect the

Carnegie Mellon community from identity theft” study. Retrieved from

Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L., Hong, J., Blair, M. A., & Pham, T.

(2009). School of phish: A real-world evaluation of anti-phishing training. Retrieved from

Licenses and Attributions

Personally Identifiable Information (PII) by Janet Zimmer is available under a Creative

Commons Attribution-ShareAlike 3.0 Unported (

sa/3.0/deed.en) license.

© 2022 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity

of information located at external sites.

2/23/22, 11:27 AM Security 1/18


Most people think of security as a protective measure that’s physical, like a home security

alarm to prevent theft, or a door with a lock and key to prevent unauthorized entry. While

it’s true that security is physical, we’ll be looking at security from an information

technology (IT) perspective. Moreover, we’ll focus on the IT view: security is a safeguard.

Security is something that we need online—to protect personally identifiable information

(PII) and to protect our computers from cyber criminal attack.

Security in practice applies to all types of information. However, in this module we will

discuss protecting a specific type of information—PII.

Understanding Compromise and Risk

Many people assume that protecting their information is strictly about safeguarding PII by

using strong passwords, making sure to log out of online accounts, using a password to

lock your computer, and keeping your computer physically secured. These habits are

important, but blindly using these methods ignores other components of your

responsibility and capability to protect information and resources. Two of the most

important aspects are:

having a clear understanding of just what is at risk—how extensive and sensitive are

the information and resources that you are protecting, and how accessible are they?

recognizing the role that your personal behaviors and decisions play in increasing or

mitigating the risk to your information and resources.

When we talk about risk, in most cases we’re considering the threat of compromising the

resource. In the context of information security, compromise may have a slightly different

meaning than you are used to:


Learning Resource

2/23/22, 11:27 AM Security 2/18

In the field of information security, a compromise is a breach in the security of a

specific resource—potentially a computer, an account, a file or another resource. A

resource can be compromised in many ways, including actions by a malicious

attacker hacking into a system, but also by a well-intentioned user forgetting to log

out of a machine.

Confidentiality, Integrity, and Availability

We have already talked about compromise and risk, but let’s quickly summarize the

concepts. A compromise is a specific breach in security. Risk is a threat that the potential

security compromise may actually occur.

So what comes first: a compromise or a risk?

If there’s a risk to security, does that mean it might happen, or that it already happened?

Of course, a risk means that something might happen. Taking a risk or chance comes

before acting on that risk. For example, since I left the computer unprotected (taking a

risk), a virus infected the computer.

On the other hand, if there’s a security compromise, does it mean that it might happen, or

that it already happened? Yes, it already happened. A compromise or security breach is a

completed action. It’s a done deal. For example, since someone took advantage of the

unprotected computer to install and activate a virus, the computer is compromised.

Since risk is a chance that something might happen, and compromise is a completed

action, then risk comes before compromise.

Why do you need to know that risk comes before compromise? To answer that question,

let’s zero in on risk. Risk is key to how the compromise happened. Risk isn’t singular; it has

three dimensions—confidentiality, integrity, and availability (often referred to as “CIA”).

Let’s look at an example of each of the three risk dimensions. Keep in mind that we’re

looking at one example of each. In reality, each dimension can have lots of examples.

Confidentiality risk: exposing a secret password and user ID

Example: Gabe gives Taylor his user ID and password so that she can finish the

report they are coauthoring by the end of the day. Gabe’s user ID and

password are compromised because they aren’t secret once he gives them to

Taylor. When the user ID and password are no longer secret, that’s a breach of


2/23/22, 11:27 AM Security 3/18

Integrity risk: an unauthorized change to shared documents

Example: Evelyn accidentally changes the wrong pages on a shared document

at work; she changes Robin’s pages instead of her own. Robin is furious

because she had spent all day making changes to the document, and now she

doesn’t know whether she can remember all of them.

Availability risk: improper control of physical access

Example: Thomas, a supervisor, finds that he cannot access the data in a

personnel file because the permissions for access to that database and the

data contained therein have been changed by another supervisor, Martha. The

data has not been compromised (there is no security breach), nor has there

been a violation of the integrity of the data. But that data is not available to

Thomas, and thus there has been a breach of availability.

Each example has a different risk and a single compromise or breach.

Why do we need to know that risk comes before compromise?

When we know the risk, we can sometimes prevent the compromise.

Now, we have a preview into the dimensions of risk—confidentiality, integrity, and

availability. Our next step is to learn more about each dimension so we can apply some

techniques and best practices to making good decisions using risk and compromise.

Dimensions of Risk

How Is Risk Assessed?

Assessing risk involves a consideration of how well protected a resource might be, and

what the consequences could be if the resource is compromised. Simply asking yourself

whether you are doing something that might “put resources at risk” is probably not a

useful approach for most people, though. To some extent, all actions have a degree of risk;

your real goal is to assess that risk in a useful way.

That assessment can be a real challenge—security and risk are complicated and

multifaceted. Because information protection can seem like a large and all-encompassing

issue, security experts break the problem of security into three distinct aspects,

considering the confidentiality, integrity, and availability of resources, first as discrete

pieces and then collectively.

2/23/22, 11:27 AM Security 4/18

Confidentiality, Integrity, Availability (CIA)

Source: Janet Zimmer

By focusing on one specific dimension at a time, you’re able to break the process of

evaluation down into more manageable parts. And by then considering these parts

collectively, you can make decisions that can best reflect your own priorities and



2/23/22, 11:27 AM Security 5/18


Source: Janet Zimmer


The confidentiality of a resource refers to who is able to read or access it.

Maintaining the confidentiality of a resource does not require that it be completely

secret or inaccessible; rather, it is about ensuring that only authorized users—the

right people—have access and that unauthorized users—the wrong people—do not.

Confidentiality is at risk whenever unauthorized users have access to information,

whether explicitly (such as password sharing) or unintentionally (such as mistaken

file-sharing permissions or a virus accessing files). “A loss of confidentiality is an

unauthorized disclosure of information” (NIST, 2008).

A Loss of Confidentiality

Morgan provides computer support for the HiTech organization. She
gets a request from Robert, the human resources director, to recover
files that were accidentally deleted. After Morgan successfully finishes
the file recovery process, she opens a file to make sure its contents are
complete. Morgan opens the file and sees the annual salary of each
employee at HiTech.

Although Robert authorized Morgan to recover the deleted files, he did not intend

to release any information about employees’ salaries—so the confidentiality of the

salary information has been compromised or breached.

2/23/22, 11:27 AM Security 6/18


Source: Janet Zimmer


Maintaining the integrity of information means ensuring that the data has not been

changed inappropriately, whether these changes are accidental and innocent or

intentional and malicious. As the name implies, integrity addresses the question of

how confident you can be about the state of your resources and information. “A loss

of integrity is the unauthorized modification or destruction of information” (NIST,


2/23/22, 11:27 AM Security 7/18

A Loss of Integrity

Nicholas, a technical writer on the systems development team, is
writing the new user guide for the Masters Plumbing Supplies
inventory system. He sends the Version 1 draft of the user guide to the
development team for review, received all of their editorial changes
two weeks ago, and incorporated them into a new Version 2 of the
user guide. He sent Version 2 of the guide to team members for review
last week and has already incorporated some of their changes into the
next version of the user guide.

Just as Nicholas finishes incorporating Jim’s comments into the new Version 3 user

guide, Jim, one of the team members, calls Nicholas and tells him that he

incorporated his comments into the wrong version. Jim incorporated his Version 3

comments into Version 1 instead of Version 2.

Now Nicholas doesn’t know the new information from the original information in

the user guide. Since the information in the user guide is mixed up between versions

2 and 3, the information in the user guide has lost its integrity. Nicholas can’t be

sure which version of the user guide is correct; the integrity of the user guide is

compromised because of Jim’s error in using the wrong version for his editorial




Source: Janet Zimmer

2/23/22, 11:27 AM Security 8/18


The availability of a resource refers to how timely and reliable access to that

resource is. Maintaining the availability of a resource means that authorized users

are able to reliably get to the specific machine or information when needed;

availability can be threatened by technical malfunctions (such as a networking

problem that prevents access) or by human factors, such as a changed password. “A

loss of availability is the disruption of access to or use of information or an

information system” (NIST, 2008).

A Loss of Availability

Xing had set up a workstation for new employees to use until their
permanent computers are assigned, but he hasn’t been diligent about
keeping it up-to-date. This carelessness comes back to haunt him when
someone maliciously attacks the computer by exploiting a software
vulnerability to access his machine and change the passwords on it.
Now Xing can’t log in to the computer to perform the updates.

Because he has physical access to the machine, Xing will eventually be able to get

the work done. The process won’t be fast, and during that time he won’t be able to

perform the updates; the availability of this resource has been compromised.

As you can see, considering how you protect your information and resources using these

three dimensions can allow for more focus in evaluating your risks. It can also help you

more clearly identify the consequences if your resources are compromised.

Confidentiality, Integrity, and Availability in Practice

So far, we’ve learned about the three dimensions of risk—confidentiality, integrity, and

availability—one at a time. The reality is that most threats and compromises can involve

multiple dimensions. Sharing your password, for example, can compromise both the

availability and the confidentiality of your information if someone changes your password

and looks at what the password is protecting. It can also compromise the integrity of your

information if someone changes it without your permission. In practice, this means you

should consider possible dangers and threats in the context of all three of the dimensions.

What’s at Stake?

2/23/22, 11:27 AM Security 9/18

Although some of the examples that are included above may seem extreme or unlikely, it’s

important to understand just what is at stake if your user ID and password are

compromised. If you worked at Monumental Corporation with Michael and Sammy, what

type of data can be exposed if your user ID and password are used without your

permission? Is there really a danger of someone changing your files or information?

Recognize that your user ID and password are the key to an exceptional amount of

corporate and personal information. With regard to confidentiality, for example, someone

with your credentials may be able to see:

your email

your work schedule

your salary and other human resource-related information

your work records, including your active and inactive files

In addition to being able to review information that most people would consider

confidential, your user ID and password allow you (and anyone who has your access) to

change information, including:

altering your work schedule for meetings

sending and changing any emails

changing or deleting your work files

Finally, using your user ID and password, someone can place severe limits on the

availability of some of your resources by:

changing your password

deleting your files

canceling or changing access to some programs or files

These are not just theoretical possibilities; all of the bullet points above represent actual

resource compromises that have affected people. Sometimes these compromises have

been the result of malicious actions. Sometimes they’ve occurred by mistake or been

intended as pranks. However, they are situations that real people have had to face.

Cyber Criminal Tactics

2/23/22, 11:27 AM Security 10/18

A Damaging Link

Since starting his new job in another city, Gustaph finds himself relying on Facebook

to stay connected with friends and family. Shortly after logging in one afternoon,

Gustaph receives a Facebook message with a link to “Funny Party Pictures” from his

cousin Vivian. Certain the pictures must be from his family’s annual picnic that he

missed the previous weekend, Gustaph clicks the link to view the pictures, but they

don’t appear. Then he tries to move and click the mouse again, but the mouse arrow

freezes. Frustrated, he presses the power button until the computer turns off. When

he powers it back on again, the computer boots to a blue screen, rather than the

login screen Gustaph expected. He restarts his computer a few more times, only to

get the same result. Giving up, Gustaph takes his computer to a computer repair

shop in town, where he learns that his computer was infected with malware. A virus

had erased his hard drive and all the information he had on it.

Gustaph ended up spending a lot of time finding all the CDs containing the software

applications he had loaded on his machine. In some cases, he had to dig up records

of legal copies he had downloaded from the software provider. He looked through

his emails for links to software purchases. He did his best to give the repair shop all

the software to configure his computer back to the way it was before the crash.

Some software could not be recovered because Gustaph had obtained it from a

friend without a user license. The cost of restoring his computer was more than

$400. Since Gustaph had never backed up his files, all his personal files, resume,

photos, music, and movies were lost. All he has left is the information in his emails.

Cyber Criminals

In computing, cyber criminals are people who circumvent security controls in order to gain

unauthorized access to computers and networks. In the past, these individuals were often

motivated by the intellectual exercise of defeating security controls. Today, cyber

criminals are often motivated by money or political ambitions such as revenge or

competitive advantage. Much like in the physical world, where thieves must use tools and

specialized knowledge to bypass locks, alarm systems, guards, and other lines of defense,

cyber criminals similarly use tools and specialized knowledge to bypass computer security


In the previous module on privacy, you learned how cyber criminals try to lure you into

providing access to your computing resources and personal information through social

engineering scams, particularly phishing. It’s important that you also know about other

2/23/22, 11:27 AM Security 11/18

methods cyber criminals use to force their way into your computer.


The tools that cyber criminals often use can be generalized as “malware” and may consist

of computer viruses, worms, Trojan horses, and spyware. These types of specialized

software take advantage of vulnerabilities in computer hardware and software. Malware is

short for “malicious software.” Modern malware tends to combine from all four categories

to the point that the terms have become nearly synonymous.

Computer viruses

Computer viruses piggyback on other programs or files in order to infect your computer.

Viruses can spread to other computers via email, websites, file sharing, USB drives, and

other removable media. Cyber criminals rely on social engineering and require user

intervention to spread a computer virus, i.e., someone has to open an attachment or file,

click on a link, or plug in a USB drive. Viruses may cause a computer’s processing function

to slow considerably.


Worms, unlike viruses, spread across networks by exploiting software vulnerabilities to

launch copies of themselves on new victims without user intervention. Simply connecting

to a network with a computer running outdated software may result in a worm infection.

Trojan horses

Trojan horses are malicious programs disguised as legitimate software. Victims are lured

into installing them with promises of desired functionality. Viruses and worms may silently

install Trojan horses to further compromise systems, or they may be buried deep within

legitimate software. “Backdoor” Trojan horses can even facilitate unauthorized access to

computers. Bolder Trojan horses may pretend to be security programs, which generate

imaginary virus warnings and demand payment to remove viruses that in reality do not



Spyware is a type of malware that collects information about computers or their users and

sends it to third parties without consent. Besides secretly monitoring user actions (e.g.,

logging keystrokes, emails, or instant messages), spyware can collect personally

identifiable information (PII), which may lead to identity theft. Spyware may interfere with

web browsing; even when using bookmarks or typing in the URL for a website, the

2/23/22, 11:27 AM Security 12/18

browser will redirect to a fraudulent site designed to capture usernames and passwords or

inject malicious content. An example of this would be a phony form on a legitimate-

looking banking site asking for PII.


Spam messages are unsolicited messages sent to email accounts or cell phones from

advertisers or cyber criminals. Advertisers use spam to attract attention to their products.

Advertising spam can be a nuisance, but is often benign to computers. Spam messages can

also contain fraudulent information, like check overpayment scams, foreign lotteries,

investment schemes, and other cons. Although these kinds of spam can separate someone

from their money, they won’t harm computers. Other spam messages have malware

attached or include links to malicious sites. Opening those attachments or clicking those

links may install malware.

Protection from Cyber Criminal Attacks

How do you protect yourself and your computer from cyber criminal attacks?

Install Antivirus Software

Antivirus software scans your computer and files to protect it from known viruses. Since

new malware is always being released, you’ll need to update your antivirus software

regularly and configure it to scan your computer at least once a week.

Install Firewall Software

As related to information technology, a firewall is a protective layer or “wall” between the

computer and internet. While antivirus software scans your computer and files, firewall

software monitors, blocks, and filters activity between your computer and the internet.

Like antivirus software, firewall software needs to be updated regularly to maintain its

effectiveness. Antivirus and firewall software may sometimes be purchased in a single


There are good, legal, and free software alternatives when considering antivirus and

firewall software. Just type “free antivirus software” or “free firewall software” into a

search engine. Be sure, however, that the site you choose is a trusted site such as a

recognized product review site: PCWorld, CNET, and Comodo are some of the best-


Install Software Updates

2/23/22, 11:27 AM Security 13/18

Operating systems software developers continuously improve their products to add

security and to fix errors in previously released versions. It is important to download and

install updates as soon as you are notified that an update is available in order to keep your

devices (phones,computers, tablets, etc.) secure.

Use a Strong Password

It’s a good practice to change all your passwords every 90 days. If you suspect that any of

your passwords have been compromised, change them immediately.

A strong password is reasonably difficult to guess in a short period of time, either through

human guessing or through the use of specialized software.

Password Guidelines

The following are general recommendations for creating a strong password.

A strong password should:

be at least eight characters in length

contain both upper and lowercase alphabetic characters (A-Z, a-z)

include at least one numeric character (0-9)

use at least one special character (e.g., ~ ! @ # $ % ^ & * ( ) _ – + =)

A strong password should not:

spell a word or series of words that can be found in a standard dictionary

spell a word with a number added to the beginning and/or the end

be based on any personal information such as user ID, family name, pet, birthday,


The following are several recommendations for maintaining a strong password:

Do not share your password with anyone for any reason. Passwords should not be

shared with anyone, including any managers, coworkers, or friends. If someone

needs information that’s on your computer, email the file or place the file on a

shared network. Passwords should not be shared even for the purpose of computer

support or repair.

2/23/22, 11:27 AM Security 14/18

Change your password periodically. As a general rule, changing your password every

90 days is recommended. If you suspect someone has compromised your account,

change your password immediately. If you work in an office, report the incident to

computer security personnel.

Consider using a passphrase instead of a password. A passphrase is a password

made up of a sequence of words with numeric and/or symbolic characters inserted

throughout. A passphrase could be a lyric from a song or a favorite quote.

Passphrases typically have additional benefits such as being longer and easier to

remember. For example, the passphrase “My fav2rite [email protected] dri4er!” is 26

characters long and includes alphabetic, numeric and special characters. It is also

relatively easy to remember. It is important to note the placement of numeric and

symbolic characters in this example as they prevent multiple words from being

found in a standard dictionary. The use of blank spaces also makes a password more

difficult to guess.

Do not write your password down or store it in an insecure manner. To the extent

possible, avoid writing down your passwords. In cases where it is necessary to write

down a password, that password should be stored in a secure location and properly

destroyed when no longer needed.

Avoid reusing a password. When changing an account password, you should avoid

reusing a previous password. If a user account was previously compromised, with or

without your knowledge, reusing a password could allow that user account to

become compromised once again. Similarly, if a password was shared for some

reason, reusing that password could allow someone unauthorized access to your


Avoid using the same password for multiple accounts. Though using the same

password for multiple accounts makes it easier to remember your passwords, it can

also have a chain effect, allowing an attacker to gain unauthorized access to multiple

systems. This is particularly important when dealing with more sensitive accounts

such as your credit card account or your online banking account.

Do not use automatic log-on functionality. The option of storing your password so

that you can save time by skipping your password entry the next time you log on is

called automatic log-on functionality. Using automatic log-on functionality negates

much of the value of using a password. If a malicious user is able to gain physical

access to a system that has automatic log-on configured, he or she will be able to

take control of the system and access potentially sensitive information.

Consider using a strong password generator to create passwords. There are many

such programs available. Type “strong password generator” into any search engine to

find programs that are available for use.

2/23/22, 11:27 AM Security 15/18

Consider using a password “base.” Remembering a great number of different

passwords is challenging. Consider using a base portion of a password and then

changing some portion to use as a separate password. Do not just add numbers to

the end of the base portion, however. Scatter the changes into the middle of the

password base. For example, if the base is “UtahIowa” then one password might be:

Uta4hIo9wa. Then change the numbers in the password to be used with the next

site, keeping the Uta-hIo-wa.

Develop Good Security Habits

Throughout this module, you have been introduced to good security practices. Here’s a

summary of good security habits:

Never open unexpected email attachments. If in doubt, verify the authenticity by

calling or sending a new email to the sender using a phone number or address from

a source other than the suspect email. An attachment could be malware in disguise.

Beware of links sent to you via email, on social networking sites, or through text

messages. Maliciously crafted links could direct you to malware or phishing sites.

Be sure to use log-on passwords. Never leave your computer unattended without

locking it, even if you’re stepping away for only a minute.

Consider locking up laptops in a desk or cabinet drawer when not in use. Unsecured

laptops are easy targets.

Always lock your doors and never leave your computer unattended in a public


If you share your computer with friends, watch what they might be doing to your

computer and with your identity.

When visiting websites that require logging in, make sure you log out when you’re


When you finish using a computer, log out of it.

Watch out for “shoulder surfing.” Make sure no one is watching you enter your

password or other personal information.

Always back up your data and files, and lock the backups in a safe place.

Use encryption (see below) for sensitive data storage and transmission.


2/23/22, 11:27 AM Security 16/18

Encryption is the process of transforming information from plaintext into an unreadable

format to keep it secret. Only authorized entities should be able to reverse the process.

Using encryption, information can be stored or transmitted via shared media without

risking disclosure.

When encrypting information, applications will typically ask for a password. The password

is the key to locking and unlocking the information. If you lose the password, you won’t be

able to recover information. Certain applications like Microsoft Word provide optional

encryption functionality. Find out whether the applications you use support encryption. If

they don’t, avoid using them when processing sensitive data including passwords and

other PII.

Certain websites, especially ones that allow financial transactions, use encryption

between your browser …

Payment Card Industry Security Standards Council


Guide to Safe Payments
Version 2.0 • August 2018

Data Security Essentials for Small Merchants: Guide to Safe Payments
Copyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.
This Guide to Safe Payments is provided by the PCI Security Standards Council (PCI SSC) to inform and educate
merchants and other entities involved in payment card processing. For more information about the PCI SSC and
the standards we manage, please visit
The intent of this document is to provide supplemental information, which does not replace or supersede PCI
Standards or their supporting documents.



Understanding your risk

As a small business, you are a prime
target for data thieves.

When your payment card data is
breached, the fallout can strike quickly.
Your customers lose trust in your ability
to protect their personal information.
They take their business elsewhere.
There are potential financial penalties
and damages from lawsuits, and your
business may lose the ability to accept
payment cards. A survey of 1,015 small
and medium businesses found 60% of
those breached close in six months.



(Verizon 2017)


(Beaming UK)


(Ponemon Institute)



£30 billion



(Dept for Culture Media and Sport)

4Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

What’s at risk?


The Payment Card
Industry Data Security
Standard (PCI DSS)
is a set of security
requirements that can
help small merchants
to protect customer
card data located on
payment cards.

Small merchants
may be familiar with
validating their PCI
DSS compliance via
a Self-Assessment
Questionnaire (SAQ).

For more information
on PCI DSS, see the
Resources at the end
of this guide.





Expiration date

Magnetic stripe
(Data on tracks 1 and 2)

Card security code
(American Express)

Card security code
(All other payment brands)

Follow the actions in this guide to protect against data theft.

Examples of payment card data are the primary account number (PAN) and three or four-digit card security
code. The red arrows below point to types of data that require protection.

5Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

the entire process for accepting
card payments. Also called the
cardholder data environment (CDE),
your payment system may include
a payment terminal, an electronic cash register, other devices or systems
connected to a payment terminal (for example, Wi-Fi for connectivity or a
PC used for inventory), and the connections out to a merchant bank. It is
important to use only secure payment terminals and solutions to support
your payment system. See page 21 for more information.

Understanding your payment system: Common payment terms



A PAYMENT TERMINAL is the device used to take
customer card payments via swipe, dip, insert, tap, or
manual entry of the card number. Point-of-sale (or POS)
terminal, credit card machine, PDQ terminal, or EMV/chip-
enabled terminal are also names used to describe these

ENCRYPTION (or cryptography) makes card data
unreadable to people without special information (called
a key). Cryptography can be used on stored data and data
transmitted over a network. Payment terminals that are part of a
PCI-listed P2PE solution provide merchants the best assurance about
the quality of the encryption. With a PCI-listed P2PE solution, card
data is always entered directly into a PCI-approved payment terminal
with something called “secure reading and exchange of data (SRED)”
enabled. This approach minimizes risk to clear-text card data and
protects merchants against payment-terminal exploits such as
“memory scraping” malware. Any encryption that is not done within a
PCI-listed P2PE should be discussed with your vendor.

Accepting face-to-face card payments from your customers requires special equipment. Depending on where in the world you are
located, equipment used to take payments is called by different names. Here are the types we reference in this document and what
they are commonly called.

A MERCHANT BANK is a bank or financial institution that
processes credit and/or debit card payments on behalf of
merchants. Acquirer, acquiring bank, and card or payment
processor are also terms for this entity.

terminal and electronic cash register in one, meaning it
takes payments, registers and calculates transactions, and
prints receipts.

An ELECTRONIC CASH REGISTER (or till) registers and
calculates transactions, and may print out receipts, but it
does not accept customer card payments.

6Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Understanding your E-commerce Payment System

An E-COMMERCE WEBSITE houses and presents
your business website and shopping pages to your
customers. The website may be hosted and managed by
you or by a third party hosting provider.

An E-COMMERCE PAYMENT SYSTEM encompasses the entire
process for a customer to select products or services and for
the e-commerce merchant to accept card payments, including a
website with shopping pages and a payment page or form, other
connected devices or systems (for example Wi-Fi or a PC used for
inventory), and connections to the merchant bank (also called a
payment service provider or payment gateway). Depending on
the merchant’s e-commerce payment scenario, an e-commerce
payment system is either wholly outsourced to a third party,
partially managed by the merchant with support from a third party,
or managed exclusively by the merchant.

When you sell products or services online, you are classified as a e-commerce merchant.
Here are some common terms you may see or hear and what they mean.

Your PAYMENT PAGE is the web page or form used to
collect your customer’s payment card data after they
have decided to purchase your product or services.
Handling of card data may be 1) managed exclusively
by the merchant using a shopping cart or payment
application, 2) partially managed by the merchant with
the support of a third party using a variety of methods,
or 3) wholly outsourced to a third party. Most times,
using a wholly outsourced third party is your the safest
option – and it is important to make sure they are a PCI
DSS validated third party.

Your SHOPPING PAGES are the web pages that show
your product or services to your customers, allowing
them to browse and select their purchase, and provide
you with their personal and delivery details. No payment
card data is requested or captured on these pages.










7Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

How is your business at risk?

How do you sell your
goods or services?
There are three main

1. A person walks
into your shop and
makes a purchase
with their card.

2. A person visits
your website and
pays online.

3. A person calls your
shop and provides
card details over
the phone, or
sends the details
in the mail or via

The more features your payment system has, the more complex it is to secure.

Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-
connected cameras, or call recording systems for your business. If not properly configured and managed, each of
these features can provide criminals with easy access to your customers’ payment card data.
If you are an e-commerce merchant, it is very important to understand how or if payment data is captured on your
website. In most cases, using a wholly outsourced third party to capture and process payments is the safest option.





8Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Understanding your risk: Payment system types

Use the Common Payment Systems to help you identify
what type of payment system you use, your risk, and the
recommended security tips as a starting point for conversations
with your merchant bank and vendor partners.

Your security risks vary greatly depending on the complexity of your payment system, whether face-to-face or online.




Dial-up payment terminal
Payments sent via phone line1


Dial-up payment terminal
shows it is dialing for each

The payment terminal is
connected to bank by a
dial-up telephone line


Paper documents
with card data

For this scenario, risks to card data are present at above. Risks explained on next page.


TYPE RISK PROFILEPayment terminal connects to electronic cash
register, with additional connected equipment.
Payments sent via Internet.









Card data can be
entered on electronic
cash register or
payment terminal

Merchant might also use Wi-Fi
capability in addition to wired
networking, and/or may offer Wi-Fi for
customer use

For this scenario, risks to card data are present at above. Risks explained on next page.
There are many risk points here due to numerous systems connected to the Internet and to
payment terminals. Each system has to be configured and managed properly to minimize risk.


Complex payment system for in-shop purchases, with Wi-Fi,
cameras, Internet phones, and other attached systems

Simple payment system for in-shop purchases

Complex e-commerce payment system for online shop purchases,
with merchant managing their own website and payment page

9Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.




How do you protect your business?

These security basics are organized from easiest and least costly to implement to those that are more complex and costly to implement. The amount of risk
reduction that each provides to small merchants is also indicated in the “Risk Mitigation” column.

The good news is, you can start protecting your business today with these security basics:

Use strong passwords
and change default




Risk Mitigation

Don’t give hackers
easy access to your




Risk Mitigation

Use anti-virus



Risk Mitigation

Scan for vulnerabilities
and fix issues



Risk Mitigation

Use secure payment
terminals and




Risk Mitigation

Protect your business
from the Internet



Risk Mitigation

For the best protection,
make your data useless

to criminals



Risk Mitigation

Protect your card data
and only store what

you need



Risk Mitigation

Inspect payment
terminals for



Risk Mitigation

Install patches from
your vendors



Risk Mitigation

Use trusted business
partners and know

how to contact them



Risk Mitigation

Protect in-house
access to your

card data



Risk Mitigation

11Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Use strong passwords and change default ones

like a toothbrush. Don’t let anyone else use them and get new ones
every three months.

TALK TO YOUR SERVICE PROVIDERS. Ask your vendors or service
providers about default passwords and how to change them.
Then do it! Also, if your service provider manages passwords for
your systems, ask them if they’ve changed those vendor default

MAKE THEM HARD TO GUESS. The most common passwords are
“password” and “123456.” Hackers try easily-guessed passwords
because they’re used by half of all people. A strong password has
seven or more characters and a combination of upper and lower
case letters, numbers, and symbols (like [email protected]#$&*). A phrase can
also be a strong password (and may be easier to remember), like

DON’T SHARE. Insist on each employee having their own login IDs
and passwords – never share!

Ponemon Institute

of SMBs that have a password
policy do not strictly enforce it



Risk Mitigation



[name of product/

1234 or 4321




company name











Your passwords are vital for computer
and card data security. Just like a lock
on your door protects physical property,
a password helps protect your business
data. Also be aware that computer
equipment and software out of the box
(including your payment terminal) often
come with default (preset) passwords
such as “password” or “admin,” which
are commonly known by hackers and
are a frequent source of small merchant

It’s Time to Change
Your Password

Learn Password Security in 2

For more about password security, see these resources on the
PCI Council website:

12Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Protect card data and only store what you need

ASK AN EXPERT. Ask your payment terminal vendor, service
provider, or merchant bank where (or if) your systems store data
and if you can simplify how you process payments. Also ask
how to conduct specific transactions (for example, for recurring
payments) without storing the card’s security code.

OUTSOURCE. The best way to protect against data breaches
is not to store card data at all. Consider outsourcing your
card processing to a PCI DSS compliant service provider. See
Resources on page 25 for lists of compliant service providers.

Securely destroy/shred card data you don’t need. If you need to
keep paper with sensitive card data, mark through the data with
a thick, black marker until it is unreadable and secure the paper
in a locked drawer or safe that only a few people have access to.

LIMIT RISK. Rather than accepting payment details via email, ask
customers to provide it via phone, fax, or regular mail.

TOKENIZE OR ENCRYPT. Ask your merchant bank
if you REALLY need to store that card data. If you do,
ask your merchant bank or service provider about
encryption or tokenization technologies that make
card data useless even if stolen.




Risk Mitigation


Cryptography uses a
mathematical formula
to render plaintext
unreadable to people
without special
knowledge (called a key).
Cryptography is applied
to stored data as well as
data transmitted over a

plaintext into cyphertext.

cyphertext back into

For example:

It’s impossible to protect card data
if you don’t know where it is.

What can you do?

Another place to consider whether you are storing payment
data is in emails. If you receive card details via email, you
can still process the transaction, but delete the email
immediately and then let the sender know how you prefer
to receive cardholder data (and that email is not the best
way to send it). Do not simply reply using the original email
from your customer. Instead delete the card details from
the reply email, otherwise you are further exposing the card
data via storing the original email, the sent email, etc.

Tokenization has a similar goal to encryption but works
differently. It substitutes card data with meaningless data
(a “token”) that has no value to a hacker. Merchants can
use tokens to submit subsequent transactions, process a
refund, etc. without needing to store the actual payment
card details. The token is used by your payment processor
to look up the card details, which they store instead of you.



13Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Inspect payment terminals for tampering

Be vigilant and follow these steps:

KEEP A LIST of all payment terminals and take pictures (front, back,
cords, and connections) so you know what they are supposed to
look like.

LOOK FOR OBVIOUS SIGNS of tampering, such as broken seals
over access cover plates or screws, odd/different cabling, or new
devices or features you don’t recognize. The Council’s guide
(referenced below) can help.

PROTECT TERMINALS. Keep them out of customers’ reach when
not in use and restrict public viewing of the screens. Make sure
your payment terminals are secure before you close your shop for
the day, including any devices that read your customers’ payment
cards or accept their personal identification numbers (PINs).

CONTROL REPAIRS. Only allow payment terminal repairs from
authorized repair personnel, and only if you are expecting them.
Tell your staff too. Monitor any third-parties with physical access to
your payment terminals, even if they are there for another reason,
to make sure they don’t modify your payment terminals.

CALL your payment terminal vendor or merchant bank
immediately if you suspect anything!



Risk Mitigation

“Skimming devices” sweep up your
customers’ card data as it enters a
payment terminal. It’s vital that you and
your staff know how to spot a skimming
device, what your payment terminals
should look like, and how many you
have. You need to regularly check your
payment terminals to make sure they
have not been tampered with. If there
is any suspicion that a terminal has been
tampered with, DO NOT USE it, and
report this immediately to your merchant
bank and/or terminal vendor.

See the PCI Council’s guide: Skimming
Prevention – Overview of Best Practices for

14Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Use trusted business partners and know how to
contact them


Refer to the table
in the Questions to ask your
Vendors for more details
about these common

• Payment terminal

• Payment application

• Payment system installers
(called Integrators/

• Service providers that
perform payment
processing, or
e-commerce hosting or

• Service providers that
help you meet PCI DSS
requirement(s) (for
example, providing
firewall or antivirus

• Providers of Software as
a Service

KNOW WHO TO CALL. Who is your merchant bank? Who else
helps you process payments? Who did you buy your payment
device/software from and who installed it for you? Who are your
service providers?

KEEP A LIST. Now that you know who to call, keep company and
contact names, phone numbers, website addresses, and other
contact details where you can easily find them in an emergency.

Is your service provider adhering to PCI DSS requirements? For
e-commerce merchants, it is important that your payment service
provider is PCI DSS compliant too! See Resources on page 25 for
lists of compliant service providers.

ASK QUESTIONS. Once you know who your outside providers
are and what they do for you, talk to them to understand how they
protect card data. Use Questions to ask your Vendors to help you
know what to ask.

UNDERSTAND COMMON VENDORS. Review the sidebar to the
right to understand common types of vendors or service providers
you may work with.



Risk Mitigation

You use outside providers for
payment-related services, devices and
applications. You may also have service
providers that you share card data with,
that support or manage your payment
systems, or that you give access to card
data. You may call them processors,
vendors, third parties, or service
providers. All of these impact your ability
to protect your card data, so it’s critical
you know who they are and what security
questions to ask them.

15Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Install patches from your vendors


Risk Mitigation

ASK your vendor or service provider how it notifies you of new
security patches, and make sure you receive and read these

from vendors of your payment terminal, payment applications,
other payment systems (tills, cash registers, PCs, etc.), operating
systems (Android, Windows, iOS, etc.), application software
(including your web browser), and business software.

MAKE SURE your vendors update your payment terminals,
operating systems, etc. so they can support the latest security
patches. Ask them.

E-COMMERCE MERCHANTS. Installing patches as soon as
possible is very important for you too. Also look out for patches
from your payment service provider. Ask your e-commerce hosting
provider whether they patch your system (and how often). Make
sure they update the operating system, e-commerce platform and/
or web application so it can support the latest patches.

FOLLOW your vendor’s/service provider’s instructions and install
those patches as soon as possible.

Software can have flaws that are
discovered after release, caused by
mistakes made by programmers when
they wrote the code. These flaws are
also called security holes, bugs or
vulnerabilities. Hackers exploit these
mistakes to break into your computer and
steal account data. Protect your systems
by applying vendor-supplied “patches”
to fix coding errors. Timely installation of
security patches is crucial!

It is important that you know how your
software is being regularly updated
with patches and who is responsible
(it could be you!). Also, some patches
install automatically when they become
available. If you’re not sure how patches
get added or who is responsible, make it
a point to ask your vendor/ supplier.

16Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Protect in-house access to your data

grant access only based on a “business need-to-know.” As the
owner, you have access to everything. But most employees can
do their job with access only to a subset of data, applications, and

LIMIT ACCESS to payment systems and unencrypted card data
to only those employees that need access, and only to the data,
applications and functions they need to do their jobs.

KEEP A LOG. Track all “behind the counter” visitors in your
establishment. Include name, reason for visit, and name of
employee that authorized visitor’s access. Keep the log for at least
a year.

SECURELY DISPOSE OF DEVICES. Ask your payment system
vendor or service provider how to securely remove card data
before selling or disposing of payment devices (so data cannot be

SHARE THIS INFORMATION. Give this guide to your employees,
business partners, and third-party service providers (such as
e-commerce hosting providers) so they know what is expected.

MAKE USER IDS UNIQUE for each person with access to your
payment system whenever possible. This will help you keep track of
who logs in and when, and any changes they make.



Risk Mitigation

Consider giving
employees access to
take payments but not
to process refunds, or
to take new bookings/
orders but not to
access payment card
data related to existing
booking/orders. Some
employees should
have no access at all.

Verizon 2017


Privilege abuse means a person using…

Someone else’s information and details
to gain access to systems or data
that person is not authorized to have
access to.


17Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Don’t give hackers easy access to your systems

If your vendor supports
or troubleshoots your
payment system from
their office (and not
from your location)
they are using the
Internet and remote
access software to do

Examples of products
your vendor may install
on your terminal and
use to support you
remotely include VNC
& LogMeIn.



Risk Mitigation

FIND OUT. Ask your payment system vendor or service provider if
they use remote access to support or access your business systems.

access programs are always on, or always available by default,
meaning the vendor can access your systems remotely all the time
(this also means that hackers can access your systems too since
many vendors use commonly-known passwords for remote access).
Reduce your risk – ask your vendor how to disable remote access
when not needed, and how to enable it when your vendor or
service provider specifically requests it.

DISABLE IT WHEN DONE. To protect your business, it’s important
that you take a part in managing how and when your vendors can
access your systems.

USE STRONG AUTHENTICATION. If you must allow remote
access, require multi-factor authentication and strong cryptography.

one must use remote access credentials that are unique to your
business and that are not the same ones used for other customers.

ASK FOR HELP. Ask your vendor or service provider for
help disabling remote access, or (if your vendor or service
provider needs remote access) for help setting up multi-factor
authentication. See Questions to ask your Vendors to help you
know exactly what to ask them.


One of the easiest ways for hackers to
get into your system is through people
you trust. You need to know how your
vendors are accessing your system to
make sure it’s not opening up any holes
for hackers.

Multi-factor authentication uses a username
and password plus at least one other factor (like
a smart card, dongle*, or one-time passcode).
*a handy device that connects to a computer to allow
access to wireless, software features, etc.

18Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

Use anti-virus software

SYSTEM. It is easy to install and can be obtained from your local
office supply shop or IT retailer.

get the most recent protection available.

GET ADVICE. Ask your IT retailer about products they recommend
for anti-virus/anti-malware protection.

RUN AUTOMATIC SCANS. Schedule regular full system …

error: Content is protected !!