CIS7028 Information Security: Data Protection Strategies and PayPal

Added on 2022/08/18

Information Security Management 1
INFORMATION SECURITY MANAGEMENT
by (name)
Name of Supervisor
Name of Student
Course Affiliated
Date
Task 1
Executive Summary
Data protection is an extensive field that most businesses need to invest in as a way of attracting customers. Because of market competition, enterprises have spent more on technology and innovations that favour customers. Ensuring that security protocols are of a high standard helps a business reduce the damage and losses that most developing organizations continuously face. PayPal Holdings is known to offer the most efficient services across the world. This report focuses on the mechanisms used to protect data from damage such as hacking.
Introduction
PayPal Holdings is a global company that operates an online payment system supporting online money transfers. The Company was established in 1998 and has its headquarters in the USA. Over the years the Company has expanded, with many people worldwide seeking its services. Transferring money is a sensitive service that requires intensive security measures to safeguard the integrity of the Company. The Company has suppliers who provide essential services such as electronics, and over 5,000 employees from different cultures (Douglas, 2017). Through these partnerships, PayPal has many clients who seek its services. To access PayPal services, customers have to create an account using valid documents.
The PayPal database holds employee, customer, client and supplier data to ensure efficient service delivery. Ensuring the data security of all stakeholders is paramount in every company. Implementing security protocols is the effort PayPal makes to safeguard the Company database (Freiherr & Zeiter, 2016). Data protection is essential in dealing with corruption or loss of data. It also increases the amount of data storage through the creation of more space.
Data Protection by Default
This mechanism is important in ensuring that the Company processes only information that is important for its growth. The process is linked to the GDPR principle of data minimization. For PayPal to comply with data protection by default, several measures must be in place. First, PayPal ensures that it does not give data owners an illusion of choice. Next, it refrains from handling additional information unless the person gives consent. Personal information is not automatically made public unless the owner wants it to be. Also, individuals are given sufficient access to and control over their data sets (Proffitt, 2011).
Data protection by default involves safeguards and protocols embedded in the running of the company's activities. To transact on PayPal, one must create a PayPal account using valid credentials (Hansen, 2013). By default, one needs an active email account, a phone contact and a valid ID or password. These items are essential for validating transactions. When accessing the PayPal account, one has to set a password and verify it using a phone number; this protocol ensures that only the real owner of a PayPal account can access it (Koops & Leenes, 2014).
PayPal provides affordable services to all its clients across the world. The Company has policies and regulations that are accessible to all its users. These policies ensure that only eligible people can hold an account with the Company. By default, one must be over 18 years old and have the essential documents in order to transact. Different nations and economic blocs have different currencies; PayPal has ensured that its system is up to standard so that no computation errors occur in the process (McIntyre, 2020). The Company has the right to close PayPal accounts suspected of conducting malicious activities that are against the law. Signing the agreement clause gives the Company the right to terminate account holders on the basis of valid misconduct.
The elements of data protection by default ensure that the company database is secured. One element is the controller, which involves implementing appropriate organizational and technical measures (Bygrave, 2017). The system is based on a risk-based approach that focuses on the dynamic and contextual nature of the PayPal database, which contains client, customer, employee and supplier data. Another element involves the data protection principles and the rights of users. All companies must comply with the GDPR, which regulates business operations.
Data Protection by Design
Data protection by design ensures that PayPal maintains privacy and that data protection is at its maximum level (Hildebrandt & Tielemans, 2013). The design phases ensure the company system is sufficient and keeps running throughout its lifecycle. The Company has in place an organizational and technical structure that focuses on data protection principles. The design also ensures that the safeguards of the PayPal database are integrated into an efficient procedure for protecting the rights of every individual. PayPal is free to sue any individual in a court of law in cases of misconduct that may lead to loss of money and property. Therefore, PayPal employees engage in transparent activities.
Applications of data protection by design are numerous. With advances in technology, PayPal has developed new software that enhances security. This software aims to ensure that only the valid owner of a PayPal account can make transactions. Any organization must ensure that its data protection strategies and privacy notices are simple, so that users can conduct transactions smoothly (Romanou, 2018).
Effectiveness is another element of data protection by design. The Company must always be effective in ensuring that services are accessible to stakeholders at all times. PayPal deals with the critical service of transferring money across the world, and this has attracted many customers. The Company has always introduced measures to curb fraud cases, in which many people complain of losing cash while transacting online. The transaction process through PayPal is still simple, taking a few minutes. This effectiveness has attracted many clients across the world, leading to the expansion of the Company.
Another element that must be considered while implementing data protection by design involves the cost, risk and process of implementation. Security is a critical issue that needs serious consideration. First, the Company must evaluate the cost involved in designing security protocols. Seeking services from suppliers to create the company system may be very costly, and the Company needs to assess the viability of the design process. Risk is another critical issue that needs essential evaluation. When making security changes to the company system, the Company must take appropriate measures to ensure that the system is not damaged when security protocols are installed (Hoepman, 2014).
In summary, PayPal's management has put in place appropriate measures to safeguard users' information. With billions of users across the globe, PayPal has ensured smooth and secure transactions at an affordable fee. Technological advances have had both positive and negative impacts on business operations. As for the adverse effects, causes of fraud have continuously increased, affecting business operations and trust in the sector. The default and design mechanisms are essential to ensure that money transactions are efficient, thus enhancing business operations across the globe.
Task 1.2
PayPal Holdings has put in place various mechanisms that enhance data protection by default and by design. These mechanisms include data classification, data loss prevention, privacy enhancement, data discovery and data protection impact assessment. They are critical in building trust and efficiency between the various stakeholders of the Company.
Data Classification
Data classification provides the best way for the Company to determine and arrange the relevant values of the information it processes. It is essential in ensuring that the organization maintains integrity in its operations. Classifying data is important because it helps the board of management make informed decisions. An analyst can identify unstructured data during the design phase of data protection by design and separate out the valuable information (Mather & Tso, 2016).
Classifying data into various categories is essential for making default settings for users. Supplier, client and customer data are organized differently to remove confusion in the running of company processes. When signing up for a PayPal account, one is required to identify the type of account needed, whether personal or business. Further, one is required to select a region and the various links through which accounts can be linked. Filling in all requirements enables PayPal to put in place security measures that protect user data from any fraudulent activity.
Data Discovery
Data discovery entails identifying and tracking sensitive data in order to secure it or delete it. This mechanism enables PayPal to identify transactions for authentication purposes. The Company must verify that the sender and receiver are the right persons or organizations. The integrated system runs automatically, and one is able to locate where, when and for what amount every transaction took place. Data discovery enhances contextual security awareness by identifying and classifying information, which lets the Company determine threats in the company system (Rajan, 2013).
The benefits of data discovery are numerous. First, the Company gets to know where data is stored, who can access it and how transactions are done. PayPal can use the data discovery mechanism to set protection measures and pre-defined classifications. Data visibility and tracking of sensitive data are achieved through the discovery process. Risk management is critical in business operations, and data discovery is essential in helping the business manage risk. Regulatory compliance and risk management are critical to the success of the Company; hence the data discovery mechanism provides the best platform for tracking every transaction made via PayPal.
Data Protection Impact Assessment (DPIA)
This mechanism is helpful when identifying risks in Company projects that need immediate attention. The mechanism is essential for the extensive and systematic evaluation of company processes. It is also critical in assessing accountability and demonstrating compliance with the Company's data protection policies. A DPIA is useful in enhancing efficiency and measuring cost-effectiveness through a risk-based approach to managing resources. There are seven stages in the DPIA mechanism.
The first step involves identifying the need for a DPIA. It is critical to profile processes based on the weight of the risk, assessing how risks considered high can impact data subjects. Step two entails describing the processing undertaken: the Company has to explain why and how it plans to use personal data, and the description must outline the nature, scope and purpose of the processing. Step three involves consultation, whether internal or external; before starting any activity, all stakeholders or users must be informed, as the law requires. The next steps are assessing necessity and proportionality as outlined in the law, and identifying and assessing risks, whether physical, material or emotional, in line with their economic significance. Identifying measures to mitigate risk is essential, including refraining from collecting individual variables. The last step involves signing off, recording the outcomes and documenting them for future reference and planning (Bieker et al., 2016).
Data Loss Prevention
A data loss prevention mechanism is a strategy taken by most organizations to ensure that end users do not share sensitive data outside the corporate system. The tool also controls the data that users can share. Competition and security threats are the primary reasons that have led PayPal and other companies to restrict the data accessible on the Company platform. DLP tools monitor unauthorized users and block them from accessing the Company's services.
Data loss prevention is applicable in three cases. Protecting personal data, such as payment card information and other necessary data, is essential in an organization (Liu & Kuhn, 2010). The Company must always secure users' data from unlawful access. IP protection is outlined in intellectual property and state secrets law; with this law in place, the Company protects itself from unwanted exfiltration. Data visibility is essential in DLP, since a comprehensive mechanism helps in tracking Company activities. Trends in DLP adoption include the growth of the CISO role, compliance mandates and data breaches, among others. Prevention is essential for the Company to reorganize itself and adapt to new challenges. To win the market war, it is the responsibility of management to assure stakeholders of their stake.
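The three mechanisms discussed in this task (data discovery, data classification and data loss prevention) fit together as one pipeline: discover which sensitive data types a message contains, give it a handling label, then decide whether it may leave the corporate system. The Python below is an added example written for this page; it is not PayPal's code and not something the report describes in detail. The label names (`restricted`, `confidential`, `internal`), the `example.com` corporate domain, the card-number and e-mail patterns and the sample messages are all constructed assumptions.

```python
"""Sensitive-data discovery, classification and a DLP egress decision.

Added example, not PayPal's or the report's own code. Labels, domain and
sample inputs are constructed for illustration.
"""
import re

# Patterns for the two data types the report names: payment card numbers
# (PANs) and e-mail addresses. The PAN pattern is deliberately broad; the
# Luhn checksum below filters out most false positives (phone numbers,
# order ids and the like).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

CORPORATE_DOMAIN = "example.com"  # constructed: the "inside" of the corporate system


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(text: str) -> dict:
    """Data discovery: which sensitive data types does this text contain?"""
    found = {"pan": [], "email": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["pan"].append(digits)
    found["email"].extend(EMAIL_RE.findall(text))
    return found


def classify(found: dict) -> str:
    """Data classification: map what was discovered to a handling label."""
    if found["pan"]:
        return "restricted"     # payment card data: strictest handling
    if found["email"]:
        return "confidential"   # personal data in the GDPR sense
    return "internal"


def dlp_check(text: str, destination_domain: str) -> dict:
    """DLP decision for an outbound message: allow, redact or block.

    Restricted data never leaves the corporate domain; confidential data
    leaves only with the personal identifiers redacted."""
    found = discover(text)
    label = classify(found)
    internal = destination_domain == CORPORATE_DOMAIN
    if label == "restricted" and not internal:
        action = "block"
    elif label == "confidential" and not internal:
        action = "redact"
    else:
        action = "allow"
    out = EMAIL_RE.sub("[email redacted]", text) if action == "redact" else text
    return {"label": label, "action": action, "text": out, "found": found}


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test PAN.
    for msg, dest in [("Invoice for card 4111 1111 1111 1111", "gmail.com"),
                      ("Contact alice@example.org about the order", "gmail.com"),
                      ("Contact alice@example.org about the order", "example.com")]:
        r = dlp_check(msg, dest)
        print(f"{dest:12} {r['label']:12} {r['action']:7} {r['text']}")
```

The decision table is the point: the same message gets a different verdict depending on whether the destination is inside the corporate system, which is what distinguishes a DLP control from a simple content filter.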
Privacy Enhancing Technologies (PETs)
The Privacy Enhancing Technologies mechanism focuses on creating fundamental data protection principles by maximizing data security protocols and emphasizing the protection of users. It allows users to protect the privacy of their personal information and their use of services (Pfitzmann & Hansen, 2010). The mechanism minimizes the number of individuals accessing data, as a measure to increase the stability of the Company system. Examples of PETs include pseudonymization, which involves information management and a de-identification process that replaces identifiers with pseudonyms or artificial identifiers. Obfuscation is another example; it consists of adding misleading data, which is useful during precision analytics of disclosed data. Differential privacy is a further example of a PETs mechanism, which uses algorithms to publish information from statistical databases.
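Two of the PETs named above can be shown concretely. The Python below is an added example and not PayPal's code: `pseudonymize` replaces a direct identifier with a keyed artificial one, and `dp_count` answers a count query over a small statistical database with Laplace noise, the standard mechanism for differential privacy. The record set, the secret key and the epsilon value are constructed for illustration.

```python
"""Pseudonymization and a differentially private count, as an added example
(not PayPal's code). Records, key and epsilon are constructed."""
import hashlib
import hmac
import math
import random
from typing import Callable, List, Optional

# Constructed "statistical database" of five customers.
SAMPLE_RECORDS: List[dict] = [
    {"email": "alice@example.org", "country": "US", "spend": 120},
    {"email": "bob@example.org", "country": "US", "spend": 80},
    {"email": "carol@example.org", "country": "DE", "spend": 300},
    {"email": "dave@example.org", "country": "US", "spend": 45},
    {"email": "erin@example.org", "country": "FR", "spend": 210},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with an artificial one.

    HMAC-SHA256 under a secret key keeps the pseudonym stable for the same
    input, so records can still be linked for processing, while anyone
    without the key cannot reverse it or confirm a guess by re-hashing a
    candidate e-mail address (which a plain, unkeyed hash would allow)."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_records(records: List[dict], key: bytes) -> List[dict]:
    """De-identify a record set: only the identifier column is replaced."""
    return [{**r, "email": pseudonymize(r["email"], key)} for r in records]


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverting its CDF with a uniform draw."""
    u = rng.random() - 0.5
    a = min(abs(u), 0.5 - 1e-12)          # guard log(0) at the extreme draw
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * a)


def exact_count(records: List[dict], predicate: Callable[[dict], bool]) -> int:
    return sum(1 for r in records if predicate(r))


def dp_count(records: List[dict], predicate: Callable[[dict], bool],
             epsilon: float, seed: Optional[int] = None) -> float:
    """Epsilon-differentially private count.

    A count changes by at most 1 when one person's record is added or
    removed (sensitivity 1), so Laplace noise with scale 1/epsilon is enough
    to hide any single individual's presence in the published figure."""
    rng = random.Random(seed)
    return exact_count(records, predicate) + laplace_noise(1.0 / epsilon, rng)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # in practice: a managed secret, not a literal
    for rec in pseudonymize_records(SAMPLE_RECORDS, key):
        print(rec)
    us = lambda r: r["country"] == "US"
    print("exact US customers:", exact_count(SAMPLE_RECORDS, us))
    print("published (eps=0.5):", round(dp_count(SAMPLE_RECORDS, us, 0.5, seed=7), 2))
```

Smaller epsilon means more noise and stronger privacy; the analyst sees a figure close to the true count, but no single customer's row can be inferred from it.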
In summary, data protection by design and by default is extensive in safeguarding critical data. PayPal Holdings must support integrity in the transactions that people make daily. Security measures should not hinder money transactions by policy, so as to ensure satisfaction for both parties involved in the process. Proper planning and support from management are essential in ensuring that suppliers, clients and customers enjoy the best services offered by PayPal. Total cooperation from all stakeholders is vital in data protection activities.
References
Bieker, F., Friedewald, M., Hansen, M., Obersteller, H. and Rost, M., 2016, September. A process for data protection impact assessment under the European General Data Protection Regulation. In Annual Privacy Forum (pp. 21-37). Springer, Cham.
Bygrave, L.A., 2017. Data protection by design and by default: deciphering the EU’s legislative
requirements. Oslo Law Review, 4(02), pp.105-120.
Douglas, E., 2017. PayPal is New Money: Extending Secondary Copyright Liability Safe
Harbors to Online Payment Processors. Mich. Telecomm. & Tech. L. Rev., 24, p.45.
Freiherr, A.V.D.B. and Zeiter, A., 2016. Implementing the EU general data protection
regulation: a business perspective. Eur. Data Prot. L. Rev., 2, p.576.
Hansen, M., 2013, April. Data protection by default in identity-related applications. In IFIP
Working Conference on Policies and Research in Identity Management (pp. 4-17). Springer,
Berlin, Heidelberg.
Hildebrandt, M. and Tielemans, L., 2013. Data protection by design and technology neutral
law. Computer Law & Security Review, 29(5), pp.509-521.
Hoepman, J.H., 2014, June. Privacy design strategies. In IFIP International Information Security
Conference (pp. 446-459). Springer, Berlin, Heidelberg.
Koops, B.J. and Leenes, R., 2014. Privacy regulation cannot be hardcoded. A critical comment on the 'privacy by design' provision in data-protection law. International Review of Law, Computers & Technology, 28(2), pp.159-171.
Liu, S. and Kuhn, R., 2010. Data loss prevention. IT professional, 12(2), pp.10-13.
Mather, P. and Tso, B., 2016. Classification methods for remotely sensed data. CRC press.
McIntyre, T.J., 2020. Regulating the Information Society: Data Protection and Ireland's Internet
Industry. The Oxford Handbook of Irish Politics (Oxford: Oxford University Press, forthcoming
2020).
Pfitzmann, A. and Hansen, M., 2010. A terminology for talking about privacy by data
minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and
identity management.
Proffitt, B., 2011. The PayPal Official Insider Guide to Selling with Social Media: Make money
through viral marketing. Pearson Education.
Rajan, K. ed., 2013. Informatics for materials science and engineering: data-driven discovery
for accelerated experimentation and application. Butterworth-Heinemann.
Romanou, A., 2018. The necessity of the implementation of Privacy by Design in sectors where
data protection concerns arise. Computer law & security review, 34(1), pp.99-110.
Task 2
Executive Summary
Many organizations have reported security breaches over recent years. Security attacks have a massive impact on organizational growth. An organization should safeguard customers' credentials and should not share them without the owner's permission. Cases of cyber attack have increased by such a significant percentage that most people are nowadays afraid to engage in online business. In 2019 alone, more than ten organizations reported a security attack on their company systems. Canva, one of the most excellent online graphic platforms, recorded a security breach on its platform. This report elaborates on the Canva security attack, the data vulnerabilities, the attackers' tools and the mechanisms used to prevent such incidents from happening.
Introduction
Canva was established in 2012 in Sydney as a graphic design platform. The platform helps users create posters, presentations, graphics and visual content. Canva is available on tablets, mobile and the web. The Company has over 800 employees and over 130 million users worldwide. On May 24, 2019, Canva detected a breach affecting over 139 million users. The information breach exposed users' sensitive data to fraud. This report seeks to expand on the impact of the attack, Canva's losses and the vulnerability of the company system.
The Company's data breach exposed customers' sensitive data to attackers. Customers' usernames, email addresses, real names and locations are critical, and exposing them exposes people to security threats. Of the 139 million Canva users, over 78 million use Gmail addresses. With an email address, attackers can go further and access other sensitive data, such as bank information, through which people can lose money (Piersanti, 2019).
GnosticPlayers was behind the Canva security breach. Although the hacker managed to steal 61 million users' passwords, those passwords were protected with the bcrypt algorithm. The Company also lost the Google tokens used by many users to sign into their accounts without needing a password. According to Canva management, customers' payment card information was not stolen.
Vulnerability
Canva's system security exposes the system to many security threats. The system was exposed to viruses, which affect system performance. Computer worms are another security threat; they spread from one computer to another and affect users' contacts. A Trojan is malicious software that an attacker could have installed on the system and that users could have downloaded. Rootkit tools cause system failure as they gain permission to access one's data, hence exposing the computer to threats. SQL injection is another threat, where malicious code affects the data system (Chou, 2013).
Another network vulnerability that Canva faced is gaps in application security. These could open the door to code injection and cross-site scripting, which affect most companies' systems and their operations. Insecure object references can cause damage to the system, hence affecting the many users of the Company's systems.
Data vulnerability to attack is frequent in most businesses involved in online activities. Vulnerability is categorized into four main types: physical, economic, social and attitudinal. Physical damage is experienced by the industry and by the people living around the Company who depend on it for support; if a business closes down, people who depend on the Company for water and good infrastructure will be affected. The economic impact is realized when the industry makes a loss due to the loss of customers, forcing the Company to conduct retrenchment. The attitude towards the Company can also change, and former employees can portray a bad company image, hence losing customers. The social impact of a security breach is that Canva may start to operate differently and cut ties with partners if it suspects them to be behind the attack (Maçada & Luciano, 2010).
Attack manifestation
Canva stated that the hackers obtained copies of Canva users' encrypted passwords. The passwords obtained had been salted and hashed with bcrypt, a process that ensures users' passwords remain unreadable by external parties. The incident was reported on May 24, 2019 by Canva management. The board took the relevant actions by informing users and also reporting the case to security agencies and the FBI.
The attacker obtained the cryptographically secured passwords of Canva users. The Company has over 139 million users; hence managing all users was a massive task, and the Company could not recognize the security breach instantly. Also, the Company did not want to disclose the news immediately for fear of losing its esteemed customers. The hacker contacted ZDNet, where it emerged that the data of about 139 million users had been compromised. GnosticPlayers was behind the attack online, and is associated with many more cyber-attacks.
The tool used by attackers
Attackers use many tools to access the Canva company LAN. The primary tool attackers mainly use is Kali Linux, an open-source distribution that contains a large number of testing tools used in various security niches and forensic fields. The attack on Canva was well planned and involved experts competent in programming. The attacker hijacks users' sessions and controls the victims' accounts. The attacker could also have used social engineering attack mechanisms to gain legitimate access to the Canva wireless network, run Wireshark and access user credentials (Demetz & Bachlechner, 2013).
Attackers could also have used Aircrack-ng to obtain encrypted passwords for additional network access. Canva uses Telnet and FTP, which are unencrypted, so an attacker can gain further control of hosts on the system and of transfers made through FTP. SQL database security may be low, allowing users to gain privileges via the SQL agent.
The significant damage that the attackers caused includes gaining access to the company database profile. The database contained users' critical information. Also, management claims that the attacker managed to access cryptographically protected passwords. The attacker obtained OAuth login tokens and could view files during the time the system was compromised.
Prevention mechanism
Canva management took firm action after realizing the Company system had been attacked. First, users were notified about the incident and prompted to change their passwords. Users were also required to reset OAuth tokens. The Company further coordinated with various partners to help resolve the event. Email notification of the incident was used since users had created their Canva accounts with email. Also, users were asked to report suspicious emails to the Company for investigation purposes (Bendovschi, 2015).
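Two points from this task belong together: the stolen passwords stayed unreadable because they were stored salted and hashed, and the response was to force password changes and reset OAuth tokens. The Python below is an added example showing both; it is not Canva's code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a random per-user salt stands in for it (the property shown, that equal passwords hash differently and a stolen hash does not reveal the password, is the same). The users, tokens and timestamps are constructed; the May 24, 2019 detection date is the one the report gives.

```python
"""Salted password storage plus the breach-response steps the report lists
(force password reset, revoke tokens issued before detection).

Added example, not Canva's code. PBKDF2-HMAC-SHA256 stands in for bcrypt;
users, tokens and timestamps are constructed."""
import hashlib
import secrets
from datetime import datetime
from typing import Dict, List, Optional

ITERATIONS = 100_000  # work factor; bcrypt's cost parameter plays the same role


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. A fresh random salt per user means two users with
    the same password get different stored values, so one precomputed table
    cannot be used against a whole stolen database."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(digest.hex(), digest_hex)


class UserStore:
    """Constructed user and token store used to show the breach response."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.tokens: List[dict] = []

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = {"pw": hash_password(password), "must_reset": False}

    def set_password(self, name: str, password: str) -> None:
        # A new password clears the reset flag set by the breach response.
        self.users[name] = {"pw": hash_password(password), "must_reset": False}

    def issue_token(self, name: str, issued_at: str) -> str:
        """Issue an opaque login token (stands in for the OAuth tokens)."""
        token = secrets.token_urlsafe(16)
        self.tokens.append({"user": name, "token": token, "revoked": False,
                            "issued_at": datetime.fromisoformat(issued_at)})
        return token

    def token_valid(self, token: str) -> bool:
        return any(t["token"] == token and not t["revoked"] for t in self.tokens)

    def authenticate(self, name: str, password: str) -> str:
        """'denied', 'reset_required' (correct password, but a new one must be
        chosen before use) or 'ok'."""
        user = self.users.get(name)
        if user is None or not verify_password(user["pw"], password):
            return "denied"
        return "reset_required" if user["must_reset"] else "ok"

    def breach_response(self, detected_at: str) -> dict:
        """Flag every user for a password change and revoke every token issued
        before the breach was detected; tokens issued afterwards stay valid."""
        cutoff = datetime.fromisoformat(detected_at)
        for user in self.users.values():
            user["must_reset"] = True
        revoked = 0
        for t in self.tokens:
            if not t["revoked"] and t["issued_at"] < cutoff:
                t["revoked"] = True
                revoked += 1
        return {"users_flagged": len(self.users), "tokens_revoked": revoked}


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse")
    store.add_user("bob", "correct horse")       # same password, different hash
    print(store.users["alice"]["pw"] != store.users["bob"]["pw"])
    old = store.issue_token("alice", "2019-05-20T00:00:00")
    print(store.breach_response("2019-05-24T00:00:00"))
    print(store.token_valid(old), store.authenticate("alice", "correct horse"))
```

Revoking by issuance time rather than clearing every token is the usual trade-off: tokens minted after the compromise window was closed can be kept, while anything the attacker could have copied is dead.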
Preventive measures against data breaches can be both physical and digital. Do not write down your passwords on sticky notes and tape them to your monitor. Always make sure you lock your computer when you walk away from it, and ensure that you need a password to get back into it. To physically protect your laptop, the essential thing you can do when travelling is to carry it in a backpack or some other inconspicuous non-laptop bag. Use password management software on a laptop (Levy, 2010). Encrypt individual files within Windows and use the offered password storage solutions. Two options are given, Windows Firewall and Windows Firewall with Advanced Security; you can accomplish many of the same things with either tool. Removing the malicious code is one option if your system becomes infected (Johnson, 2019).
Investing more in security measures builds users' confidence in the Company. Most businesses close down due to weak security measures. Canva, as one of the largest online platforms, needs to carry out a mass campaign educating users on the need for a strong password. Also, constant reminders to secure accounts help users stay aware of current trends in the market. Partnership with other agencies that offer security services, such as firewalls, is essential in building robust security protocols. Canva could have stopped the attack had it hired a security agency to constantly check for security loopholes in its system. The Company may have good security measures, but with the current trend in the sector, more productive action must be put in place. Constant training of its workers helps Canva ensure that employees have the best skills to handle emerging trends in fighting security threats.
Conclusion
Security attacks are frequent in most businesses that deal with online services. The attack on the Canva system was critical considering that the Company has users in 180 countries and over 139 million users. The impact of the attack brought considerable losses to the company's growth. Even though many agencies protect users' credentials, it is the responsibility of every user to continually enhance security measures on their personal accounts. People are vulnerable to many attacks that can damage the good mutual relationship that various users have with online companies.
References
Bendovschi, A., 2015. Cyber-attacks: trends, patterns and security countermeasures. Procedia Economics and Finance, 28, pp.24-31.
Chou, T.S., 2013. Security threats on cloud computing vulnerabilities. International Journal of
Computer Science & Information Technology, 5(3), p.79.
Demetz, L. and Bachlechner, D., 2013. To invest or not to invest? Assessing the economic
viability of a policy and security configuration management tool. In The economics of
information security and privacy (pp. 25-47). Springer, Berlin, Heidelberg.
Johnson, K.M., 2019. Mitigating Barriers to Chronic Disease Risk Factor Prevention and
Management in Disadvantaged Communities.
Levy, E., Symantec Corp, 2010. Capturing a security breach. U.S. Patent 7,725,937.
Maçada, A.C.G. and Luciano, E.M., 2010. The influence of human factors on vulnerability to
information security breaches. In AMCIS (p. 351).
Piersanti, J.C., METAL NOET Srl, 2019. Flexible head platform of canva or draper with double
swather and attaching device. U.S. Patent Application 16/108,617.