CIS7028 Information Security: Data Protection Strategies and PayPal


Added on  2022/08/18

AI Summary
This report provides an overview of data protection strategies in information security management, with a focus on PayPal Holdings Company. It discusses mechanisms such as data protection by default and by design, data classification, data discovery, data protection impact assessment (DPIA), data loss prevention (DLP), and privacy-enhancing technologies (PETs). The report highlights how these mechanisms are crucial for building trust and efficiency among stakeholders, ensuring data integrity, and complying with regulations like GDPR. It also emphasizes the importance of risk management, cost-effectiveness, and continuous improvement in security protocols to safeguard user information and maintain business operations.
Information Security Management 1
INFORMATION SECURITY MANAGEMENT
by (name)
Name of Supervisor
Name of Student
Course Affiliated
Date
Task 1
Executive Summary
Data protection is an extensive field in which most businesses need to invest as a means of
attracting customers. Due to market competition, enterprises have spent more on technology and
innovations favorable to customers. Ensuring that security protocols are of a high standard helps
a business reduce the damages and losses that most developing organizations continuously face.
PayPal Holding Company is known to offer the most efficient services across the world. This
report focuses on the mechanisms used to protect data from damage such as hacking.
Introduction
PayPal Holdings is a global company that operates an online payment system supporting
online money transfers. The Company was established in 1998 with its headquarters in
the USA. Over the years the Company has expanded, with many people worldwide seeking its
services. Transferring money is a sensitive service that requires intensive security measures to
safeguard the integrity of the Company. The Company has suppliers who provide essential
services such as electronics, and over 5,000 employees from different cultures (Douglas, 2017).
Through these partnerships, PayPal has many clients who seek its services. To access PayPal
services, customers have to create an account using valid documents.
The PayPal database holds employee, customer, client and supplier data to ensure
efficient service delivery. Ensuring the data security of all stakeholders is paramount in all
companies. Implementing security protocols is one of the efforts PayPal makes to safeguard
the Company database (Freiherr & Zeiter, 2016). Data protection is essential in dealing with
corruption or loss of data. Also, it increases the amount of data storage through the creation of
more space.
Data Protection by Default
This mechanism is important in ensuring that the Company processes information that is
important for the growth of the Company. The process is linked to the GDPR principles that deal
with data minimization. For PayPal Company to comply with data protection by default, several
measures must be in place. First, PayPal ensures that it does not provide the illusion of choice to
data owners. Next, it refrains from handling additional information unless the person provides
consent. It ensures that personal information is not automatically made public unless the owner
wants it so. Also, individuals are given enough access to and control over their data sets (Proffitt, 2011).
Data protection by default involves the existence of embedded safeguards and protocols
in the running of the Company's activities. To transact on PayPal, one must
create a PayPal account using valid credentials (Hansen, 2013). By default, one needs to have an
active email account, phone contacts and a valid ID or a password. These items are essential in
validating transactions. When accessing the PayPal account, one has to set a password and
verify it using a phone number; this protocol ensures that the real owner of the PayPal account is
the only one who can access it (Koops & Leenes, 2014).
PayPal Company provides affordable services to all its clients across the world. The
Company has policies and regulations that are accessible to all its users. These policies ensure that
only eligible people can have an account with the Company. By default, one must be over
18 years old and have the essential documents to transact. Different nations and economic blocs have
different currencies; PayPal Company has ensured that its system is up to standard in ensuring
that no computation errors occur in the process (McIntyre, 2020). The Company has the right to
close PayPal accounts suspected of conducting malicious activities that are against the law.
Signing an agreement clause gives the Company the right to terminate holders on the basis of
valid misconduct.
Elements of data protection by default ensure that the Company database is secured.
These elements include the controller, which involves implementing appropriate
organizational and technical measures (Bygrave, 2017). The system is based on a risk-based
approach that focuses on the dynamic and contextual nature of the PayPal database, which
contains client, customer, employee and supplier data. Another element involves the data
protection principles and the rights of users. All companies must comply with the GDPR,
which regulates business operations.
Data Protection by Design
Data protection by design ensures that PayPal Company maintains privacy and that data
protection is at its maximum level (Hildebrandt & Tielemans, 2013). The design phases ensure that
the Company system is sufficient and running throughout the lifecycle. The Company has in place an
organizational and technical structure that focuses on data protection principles. The design also
ensures that the safeguards of the PayPal database are integrated into an efficient procedure for
protecting the rights of every individual. PayPal Company is free to sue individuals in a court of law in
cases of misconduct that may lead to loss of money and property. Therefore, the employees of
PayPal engage in transparent activities.
Applications of data protection by design are numerous. With technological advancement,
PayPal has developed new software that enhances security. This software aims at ensuring that the
valid owner of a PayPal account is the only one who can make transactions. Any organization must
ensure that its data protection strategies and privacy notices are simple and that users can conduct
transactions smoothly (Romanou, 2018).
Effectiveness is another element of data protection by design. The Company sites must
always be effective in ensuring that stakeholders can access services all the time. PayPal
deals with the critical service of transferring money across the world, and this has attracted many
customers. The Company has always introduced measures that curb fraud cases, where many
people complain of losing cash while transacting online. The transaction process through PayPal is
still simple, taking a few minutes. This effectiveness has attracted many clients across the world,
leading to the expansion of the Company.
Another element that must be considered while implementing data protection by design
involves cost, risk and the process of implementation. Security is a critical issue that needs
serious consideration. First, the Company must evaluate the cost involved in designing
security protocols. Seeking services from suppliers to create the Company system may be costly,
and the Company needs to assess the viability of the design process. Risk is another critical
issue that needs careful evaluation. When making security changes to the Company system, the
Company must take appropriate measures to ensure that the system is not damaged
when installing security protocols (Hoepman, 2014).
In summary, PayPal company management has put in place appropriate measures for
safeguarding users' information. With billions of users across the globe, PayPal has ensured
smooth and secure transactions at an affordable fee. Technology advancements have had both
positive and negative impacts on business operations. With regard to the adverse effects, cases
of fraud have continuously increased, affecting business operations and trust in the sector.
The default and design mechanisms are essential to ensure that money transactions are efficient, thus
enhancing business operations across the globe.
Task 1.2
PayPal Holding Company has put in place various mechanisms that enhance data
protection by default and by design. These mechanisms include data classification, data loss
prevention, privacy enhancement, data discovery and data protection impact assessment. These
mechanisms are critical in building trust and efficiency among the various stakeholders of the Company.
Data Classification
Data classification provides the best way for the Company to determine and arrange
relevant values for the information processed. It is essential in ensuring that the organization
maintains integrity in its operations. Classification of data is important as it helps the board of
management make informed decisions. An analyst can identify unstructured data in the
design process of data protection by design and separate out valuable information (Mather &
Tso, 2016).
Classifying data into various categories is essential in making default settings for users.
Supplier, client and customer data are organized differently to remove confusion in the running
of the Company's processes. When signing up for a PayPal account, one is required to identify the
type of account needed, whether personal or business. Further, one is required to
select a region and the various links through which the account can be linked. Filling in all the
requirements enables PayPal Company to put in place security measures to protect user data from
fraudulent activity.
Data Discovery
Data discovery entails identifying and tracking sensitive data in order to secure it or delete it.
This mechanism enables PayPal to identify transactions for authentication purposes. The Company
must verify that the sender and receiver are the right persons or organizations. The integrated
system runs automatically, and one is able to locate where, when and for what amount every
transaction was made. Data discovery enhances contextual security awareness by identifying and
classifying information, which helps the Company determine threats in its system
(Rajan, 2013).
The benefits of data discovery are numerous. First, the Company gets to know where data are
stored, who can access them and how transactions are done. PayPal can use the data discovery
mechanism to set protection measures and pre-defined classifications. Data visibility and
tracking of sensitive data are achieved through the discovery process. Risk management is
critical in business operations, and data discovery is essential in helping a business manage risk.
Regulatory compliance and risk management are critical to the success of the Company; hence the data
discovery mechanism provides the best platform for tracking every transaction made via PayPal.
Data Protection Impact Assessment (DPIA)
This mechanism is helpful when identifying risks in Company projects that need immediate
attention. The mechanism is essential in the extensive and systematic evaluation of the
Company's processes. It is also critical in assessing accountability and demonstrating compliance
measures in the Company's data protection policies. DPIA is useful in enhancing efficiency and
measuring cost-effectiveness through a risk-based approach to managing resources. There are seven
stages in the DPIA mechanism.
The first step involves identifying the need for a DPIA. It is critical to profile processes
based on the weight of the risk. It assesses how risks that are considered high can have an impact
on data subjects. Step two entails describing the processing. The Company has to explain why
and how it plans to use personal data. The description must outline the nature, scope and reason
for processing. Step three involves considering consultation, whether internal or external.
Before starting any activity, all stakeholders or users must be informed, as it is a legal requirement.
The next step is assessing proportionality and necessity as outlined in the law, and identifying and
assessing risk, whether physical, material or emotional, in line with its economic significance.
Identifying measures to mitigate risk is essential when refraining from data collection of individual
variables. The last step involves signing off, recording the outcomes and documenting them for
future reference and planning (Bieker et al., 2016).
Data Loss Prevention
Data loss prevention is a strategy adopted by most organizations to ensure that end
users do not share sensitive data outside the corporate system. The tool also controls the data that
users can share. Competition and security threats are the primary reasons that have led PayPal
and other companies to restrict the data accessible on the Company platform. DLP tools monitor
unauthorized users and block them from accessing the Company's services.
Data loss prevention is applicable in three cases. Protection of personal data, such as
payment card information and other necessary data, is essential in an organization (Liu & Kuhn,
2010). The Company must always secure users' data from unlawful access. IP protection is
outlined in intellectual property and state secrets law. With this law in place, the Company
protects itself from unwanted exfiltration. Data visibility is essential in DLP; a comprehensive
mechanism helps in tracking Company activities. Trends in DLP adoption include the growth of the
CISO role, compliance mandates and data breaches, among others. Prevention is essential for the
Company to re-organize itself to adapt to new challenges. To win the market war, it is the
responsibility of management to assure the stakeholders of their stake.
Privacy Enhancing Technologies (PETs)
Privacy Enhancing Technologies focus on implementing fundamental data
protection principles by maximizing data security protocols and emphasizing the protection of
users. They allow users to protect the privacy of their personal information and of their handling
of services (Pfitzmann & Hansen, 2010). The mechanism minimizes the number of individuals
accessing data as a measure to increase the stability of the Company system. Examples of PETs
include pseudonymization, which involves information management and a de-identification process
that replaces identifiers with pseudonyms or artificial identifiers. Obfuscation is another example;
it consists of adding misleading data, which is useful during precision analytics of disclosed data.
Differential privacy is another example of a PETs mechanism, which uses algorithms to publish
information in statistical databases.
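As an added illustration of two of the PETs named above (this code is not part of the original report), the following Python sketch pseudonymizes an identifier with a keyed hash and releases a count from a small dataset with differential privacy. The choice of HMAC-SHA256 for the pseudonyms and of the Laplace mechanism for the count, the key, the field names and the sample records are all assumptions made for the example.

```python
import hashlib
import hmac
import random

def pseudonymize(identifier, key):
    """Replace an identifier with a keyed pseudonym (HMAC-SHA256, truncated).
    Without the key, the pseudonym cannot be recomputed from a guessed identifier."""
    norm = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]

def pseudonymize_records(records, key, field="email"):
    """Return copies of the records with `field` replaced by its pseudonym."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy[field] = pseudonymize(rec[field], key)
        out.append(copy)
    return out

def laplace_noise(scale, rng):
    # The difference of two exponentials with mean `scale` is Laplace(0, scale).
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def dp_count(records, predicate, epsilon, rng):
    """Counting query released with epsilon-differential privacy.
    Adding or removing one record changes a count by at most 1,
    so the Laplace noise scale is 1 / epsilon."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)

# Constructed sample records; the first and third belong to the same person.
RECORDS = [
    {"email": "alice@example.com", "amount": 120.0},
    {"email": "bob@example.com", "amount": 15.5},
    {"email": "Alice@Example.com ", "amount": 980.0},
    {"email": "carol@example.com", "amount": 310.0},
]

if __name__ == "__main__":
    key = b"demo-key-keep-in-a-secrets-manager"   # hypothetical key
    for rec in pseudonymize_records(RECORDS, key):
        print(rec)
    # A seeded generator keeps the example reproducible; a real release
    # would draw its noise from a cryptographically secure source.
    rng = random.Random(7)
    print(dp_count(RECORDS, lambda r: r["amount"] > 100, 0.5, rng))
```

The same person maps to the same pseudonym, so records can still be linked for analysis, while each published count differs from the true value by random noise whose size is set by epsilon.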
In summary, data protection by design and by default is extensive in safeguarding critical data.
PayPal Holding Company must support integrity in the transactions that people make daily. Security
measures should not, by policy, be a hindrance to money transactions, so as to ensure satisfaction
for both parties involved in the process. Proper planning and support from management are essential in
ensuring that suppliers, clients and customers enjoy the best services offered by PayPal. Total
cooperation from all stakeholders is vital in data protection activities.
Reference
Bieker, F., Friedewald, M., Hansen, M., Obersteller, H. and Rost, M., 2016, September. A
process for data protection impact assessment under the European General Data Protection
Regulation. In Annual Privacy Forum (pp. 21-37). Springer, Cham.
Bygrave, L.A., 2017. Data protection by design and by default: deciphering the EU’s legislative
requirements. Oslo Law Review, 4(02), pp.105-120.
Douglas, E., 2017. PayPal is New Money: Extending Secondary Copyright Liability Safe
Harbors to Online Payment Processors. Mich. Telecomm. & Tech. L. Rev., 24, p.45.
Freiherr, A.V.D.B. and Zeiter, A., 2016. Implementing the EU general data protection
regulation: a business perspective. Eur. Data Prot. L. Rev., 2, p.576.
Hansen, M., 2013, April. Data protection by default in identity-related applications. In IFIP
Working Conference on Policies and Research in Identity Management (pp. 4-17). Springer,
Berlin, Heidelberg.
Hildebrandt, M. and Tielemans, L., 2013. Data protection by design and technology neutral
law. Computer Law & Security Review, 29(5), pp.509-521.
Hoepman, J.H., 2014, June. Privacy design strategies. In IFIP International Information Security
Conference (pp. 446-459). Springer, Berlin, Heidelberg.
Koops, B.J. and Leenes, R., 2014. Privacy regulation cannot be hardcoded. A critical comment
on the ‘privacy by design’ provision in data-protection law. International Review of Law,
Computers & Technology, 28(2), pp.159-171.
Liu, S. and Kuhn, R., 2010. Data loss prevention. IT professional, 12(2), pp.10-13.
Mather, P. and Tso, B., 2016. Classification methods for remotely sensed data. CRC press.
McIntyre, T.J., 2020. Regulating the Information Society: Data Protection and Ireland's Internet
Industry. The Oxford Handbook of Irish Politics (Oxford: Oxford University Press, forthcoming
2020).
Pfitzmann, A. and Hansen, M., 2010. A terminology for talking about privacy by data
minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and
identity management.
Proffitt, B., 2011. The PayPal Official Insider Guide to Selling with Social Media: Make money
through viral marketing. Pearson Education.
Rajan, K. ed., 2013. Informatics for materials science and engineering: data-driven discovery
for accelerated experimentation and application. Butterworth-Heinemann.
Romanou, A., 2018. The necessity of the implementation of Privacy by Design in sectors where
data protection concerns arise. Computer law & security review, 34(1), pp.99-110.