Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

Question for a security expert...

3/12/2008 9:42 AM

I am making a module for job applications; in it is, as you might imagine, some highly private data like SSNs. I am trying to see what steps I need to take to make sure that security is bulletproof around this data, thereby ensuring my continued employment :)  This is what I have so far, please tell me if I am missing something that would close any loopholes:

  • Limit the number of hosts and admins and train them on the importance of securing their workstations when not at them.
  • Set page- and module-level access to a security group (likely a limited number of HR employees with the same security training)
  • Turn on CAPTCHA
  • Check "encrypt url" (this is a feature of the product used to make the form/module - xmod)
  • Purchase an SSL certificate from Verisign or another vendor, load it to the site and check "active" on the sensitive pages

I feel a little hazy on the actual server security needed. We have the web server on one machine and the SQL DB on another; both have security, but I'm wondering what specifically is needed and whether that will allow other DBs to function normally?

Any input would be most educational. Thanks! Mike


Michael Emond
City of Manchester NH
www.manchesternh.gov
3/12/2008 10:37 AM

If you're storing the SSN in the DB, I would recommend encrypting the SSNs in the table that you're storing them in. In general, think like a hacker and try to assume that you (as a hacker) have got access to the DB - what things would be useful from the tables regarding a person - his DOB, name, address, SSN - all these are sensitive fields, and whatever you do to make it harder for the hacker to get access to them (encrypting them, etc.) would be a good security solution.

Sanjay


AcuitiDP - Oracle Data Provider for DotNetNuke
3/13/2008 8:43 AM

OK, and after doing all those items above plus encrypting the DB tables with sensitive info, is there anything further that is done by companies that is not covered here? I guess what I'm wondering is if we hired a 3rd party to handle sensitive data through a separate web app, would they be offering anything more secure than what the above steps would provide? Thereby wasting our money on something I could just do myself? Or are you really paying for someone else to take the blame if info does get out?
Thanks
Mike


Michael Emond
City of Manchester NH
www.manchesternh.gov
3/13/2008 9:05 PM

If the site is publicly accessible, you should not collect SSNs. The candidate will shy away from providing an SSN. Plus you will have to safeguard this data. If it is leaked out, your company will be liable for it. If HR insists on collecting SSNs, tell them to check with legal. Also let them know that 5 Chinese hackers tapped into the Pentagon network recently.

Best,
Harold Rumel
3/14/2008 12:09 AM

HR would have to get SSN - not from applicants, but as part of post-hire data collection. Gotta have their SSN in order to pay them.

Is your company hosting the web and database servers, or hiring it out? If hosting self, inside two firewalls with a DMZ? Who can get at the servers, via network, applications or on foot?

If you pay another company to host - are you familiar with their level of secure practices and have they signed confidentiality agreements concerning your data? Are they known for and capable of this level of secure service?

From a tech perspective, I think you are covering yourself OK. Hashing the SSN may be a good idea, or it may be overkill if it is going to be used a lot in-house; more important there is limiting who has access to the data and normal strong technical security.


pmgerholdt
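Sanjay's advice to encrypt the SSN column and pmgerholdt's remark about hashing are both illustrated by the Go program below, added here as an example; it is not code from the thread, from DNN or from xmod. It assumes two constructed keys held outside the database, stores the SSN under AES-256-GCM, and goes one step beyond the thread by replacing a bare hash with a keyed HMAC "blind index" for lookups; the same primitives are available in the .NET framework a DNN module would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Constructed example keys; in production both live outside the database (config or key store).
var EncKey, MacKey = []byte("0123456789abcdef0123456789abcdef"), []byte("distinct-key-for-the-blind-index")

// NewAEAD builds the AES-256-GCM cipher once at startup (a 32-byte key selects AES-256).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectSSN encrypts with a fresh random nonce prepended, so equal SSNs never store as equal bytes.
func ProtectSSN(gcm cipher.AEAD, ssn string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(ssn), nil), nil
}

// UnprotectSSN reverses ProtectSSN; a tampered or truncated blob fails the GCM tag check and is an error.
func UnprotectSSN(gcm cipher.AEAD, blob []byte) (string, error) {
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err
}

// BlindIndex gives HR an equality lookup without decrypting every row. It is a
// keyed HMAC, not a bare hash: only 10^9 SSNs exist, so a bare hash is enumerable.
func BlindIndex(key []byte, ssn string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ssn))
	return hex.EncodeToString(mac.Sum(nil))
}
```

Store the ciphertext and the blind index in separate columns; queries match on the index and only the rows that match are ever decrypted.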