
CISSP in 21 Days - Second Edition

By M. L. Srinivasan
About this book
Certified Information Systems Security Professional (CISSP) is an internationally recognized and coveted qualification. Success in this respected exam opens the door to your dream job as a security expert with an eye-catching salary. But passing the final exam is challenging. Every year a lot of candidates do not prepare sufficiently for the examination, and fail at the final stage. This happens when they cover everything but do not revise properly and hence lack confidence. This simple yet informative book will take you through the final weeks before the exam with a day-by-day plan covering all of the exam topics. It will build your confidence and enable you to crack the Gold Standard exam, knowing that you have done all you can to prepare for the big day. This book provides concise explanations of important concepts in all 10 domains of the CISSP Common Body of Knowledge (CBK). Starting with Confidentiality, Integrity, and Availability, you will focus on classifying information and supporting assets. You will understand data handling requirements for sensitive information before gradually moving on to using secure design principles while implementing and managing engineering processes. You will understand the application of cryptography in communication security and prevent or mitigate strategies for network attacks. You will also learn security control requirements and how to assess their effectiveness. Finally, you will explore advanced topics such as automated and manual test result analysis and reporting methods. A complete mock test is included at the end to evaluate whether you're ready for the exam. This book is not a replacement for full study guides; instead, it builds on and reemphasizes concepts learned from them.
Publication date: June 2016
Publisher: Packt
Pages: 402
ISBN: 9781785884498


Chapter 1.  Day 1 – Security and Risk Management - Security, Compliance, and Policies

Information security and risk management are analogous to each other. The security and risk management domain forms the baseline for all information security concepts and practices. This is the first domain in the CISSP CBK. The key concepts explained in this domain recur across the next seven domains of CISSP and serve as the conceptual foundation for more complicated topics. Hence, strong foundational knowledge in this domain will help students understand the concepts in the rest of the domains.

A candidate appearing for the CISSP exam is expected to have foundational concepts and knowledge in the following key areas of the security and risk management domain:

  • Asset protection

  • Confidentiality, Integrity, and Availability (CIA)

  • Security governance principles

  • Compliance

  • Legal and regulatory issues that pertain to information security in the global context

  • Professional ethics

  • Personnel security policies

  • Risk management principles

  • Threat modeling

  • Business continuity planning

  • Security risk considerations in acquisition strategy and practice

  • Security education training and awareness

This chapter gives an overview of security, compliance, and policies using a high-level illustration. This is followed by an overview of assets and asset protection. Furthermore, the concepts of Confidentiality, Integrity, and Availability (CIA) are explained with suitable examples. Security governance principles, compliance frameworks, and legal and regulatory issues that can impact compliance are covered from a global perspective. Management practices that relate to security policies, standards, procedures, and guidelines, as well as personnel security policies, are covered toward the end.


Overview of security, compliance, and policies


Asset protection forms the baseline for security. Unintended disclosure and unauthorized modification or destruction of an asset can affect security.

Observe the following illustration:

  • Asset requires protection

  • Protection is based on the requirements of Confidentiality, Integrity and Availability (CIA) for the

  • Security is ensured through Security Governance that comprises management practices and management oversight

  • Security is demonstrated through compliance that could be legal or regulatory

  • Compliance consists of adherence to applicable legal and regulatory requirements; applicable policies, standards, procedures and guidelines; and personnel security policies

  • Compliance can be affected by security issues

Asset

Assets can be tangible, that is, perceptible by touch. An example of a tangible asset could be a desktop computer or a laptop. Assets can also be intangible, that is, without physical presence. An example of an intangible asset could be corporate image or intellectual property, such as patents.

Assets are used by the organization for business processes. Every asset, whether tangible or intangible, has a certain intrinsic value to the business. The value can be monetary, or of importance, or both. For example, a simple firewall that costs less than $10000 may be protecting important business applications worth millions of dollars.

If an asset is compromised, for example, stolen or modified, and data or secret information is disclosed, it will have an impact that could lead to monetary loss, customer dissatisfaction, or legal and regulatory non-compliance.

An asset can be hardware, software, data, process, product, or infrastructure that is of value to an organization, and hence, needs protection. The level of protection is based on the value of the asset to the business.

To assess protection requirements, assets are grouped based on the type of assets, such as tangible or intangible, physical or virtual, and computing or noncomputing. For example, a computer can be a physical asset as well as a computing asset, such as hardware.

Note

Note that equipment, such as plumbing tools, can also be called hardware in some countries. However, in the information security domain, hardware generally implies computing and computer-related equipment.

Assets are generally grouped as follows:

  • Physical assets: They are tangible in nature and examples include buildings, furniture, Heating, Ventilating and Air Conditioning (HVAC) equipment, and so on.

  • Hardware assets: They are related to computer and network systems. Examples include servers, desktop computers, laptops, routers, network cables, and so on.

  • Software assets: They are intangible assets that an organization owns a license to use. In general, organizations may not have Intellectual Property Rights (IPR) over such assets. Examples include operating systems (OS), database management systems (DBMS), office applications, web server software, and so on.

  • Information assets: They are intangible in nature. They are owned by the organization. Examples include business processes, policies and procedures, customer information, personnel information, agreements, and formulas developed in-house or purchased outright.

  • Personnel assets: People associated with the organization, such as employees, contractors, and third-party consultants, are grouped under this type.

Note

Note that, in certain accounting practices, software can also be classified under Property, Plant and Equipment (PPE). However, in the information security domain, software is classified as an intangible asset. Besides, software or information may be stored in hardware or physical assets, such as on hard disk or DVD.

Asset protection

In the information security domain, asset protection involves security management practices that are subject to business and compliance requirements. Such practices for asset protection are called security controls.

Types of security controls include:

  • Physical entry controls to an office building that allow only authorized personnel

  • Monitoring controls, such as CCTV, for surveillance of critical assets

  • Controls, such as locks, for hardware assets for protection from theft

  • Tamper-proofing controls, such as hashing and encryption, for software and data assets

  • Copyrights or patents for information assets to protect legal rights

  • Identity management systems to protect personnel assets from identity theft

This is not a comprehensive list of security controls. This book provides hundreds of such requirements and controls in subsequent chapters. However, a requirement or a control is not determined ad-hoc. Instead, asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment. Similarly, controls are identified through risk mitigation strategies. Risk assessment and risk mitigation strategies are covered in the next chapter.

Hence, asset protection requirements are based on risk. In order to understand risk, to perform risk assessment and select controls for asset protection, the concepts of CIA have to be understood first.


Confidentiality, Integrity, and Availability (CIA)


Information is a business asset and adds value to an organization. Information exists in many forms. It may be printed or written on paper, stored in electronic media, transmitted by electronic means, or spoken in conversations.

Information and its associated infrastructure are accessed and used in business by employees, third-party users, or automated processes. For example, an HR manager may access an employee profile database through a database application. Each component in this activity (the HR manager, the employee profile database, and the database application) is called an entity. Another example would be a time-based job scheduler, such as cron in UNIX-like operating systems or Task Scheduler in Windows operating systems, updating information in a database through a script. Here, the scheduler application, the script or application it runs, and the data being accessed are entities.

Information assets and associated entities have certain levels of CIA requirements. A level could be a numeric value or representational value, such as high, low, or medium. The CIA triad is frequently referred to as tenets of information security. Tenet means something accepted as an important truth. The CIA values of an asset are established through risk analysis, which is a part of risk management. Concepts of risk management are covered in the next chapter.

Information security is characterized by preserving the CIA values of an asset. Preserving means ensuring that the CIA values are maintained at all times and in all locations. Hence, for effective information security management, defining and maintaining CIA values is a primary requirement.

Confidentiality

Information needs to be disclosed to authorized entities for business processes, for example, an authorized employee accessing information about a prototype under development on the server. Confidentiality is to ensure that the information is not disclosed to unauthorized entities. Confidentiality is often achieved by encryption.

Integrity

Information has to be consistent and not altered or modified without established approval policies or procedures. Integrity is to maintain the consistency of the information internally as well as externally. This is to prevent unauthorized modification by authorized entities, for example, an update to the database record is made without approval.

Integrity is also to prevent authorized modification by unauthorized entities, for example, when malicious code is inserted in a web application by an unethical hacker. In this scenario, a hacker (an unauthorized entity) may modify an application through an established procedure (authorized update).

Availability

Availability is to ensure that information and associated services are available to authorized entities as and when required. A Denial-of-Service (DoS) attack on the network, for example, breaches availability. Sometimes, an authorized update to an application may stop certain essential services and will constitute a breach of availability requirements; likewise, inadvertently tripping over a server power cable may constitute an availability breach.


Security governance


For a long time, information security was considered a purely technical domain. Hence, in many organizations the focus was to define and manage security predominantly through the Information Technology department. The effect was to protect only information systems, such as computers and networks.

Information exists in many forms, and the level of assurance required varies based on its criticality, business requirements, and legal and regulatory compliance requirements. Hence, the focus has to be on protecting the information itself, which is essential and much broader in scope than focusing only on Information Technology.

Information is a business asset and valuable to organizations. Information has a lifecycle. It could be handled, processed, transported, stored, archived, or destroyed. At any stage during the lifecycle, the information can be compromised. A compromise can affect the CIA requirements of the information.

Information protection is a business responsibility. It involves governance challenges, such as risk management, reporting, and accountability. Hence, it requires the involvement of senior management and the board to provide a strategic oversight for implementing and ensuring continual effectiveness.

Strategy, goals, mission, and objectives

Aligning and integrating information security with enterprise governance and IT governance frameworks is the primary strategy for the senior management and the board. It includes the definition of the current state of security and establishing goals and objectives to align with the corporate mission.

For such a strategy, goals and objectives will include understanding protection requirements, which are based on the value of information, expected outcomes of the information security program, benefits that are quantifiable, and methods to integrate information security practices with organizational practices.

A corporate mission is based on the definition of the business, its core purpose, values and beliefs, standards, and behaviors. An information security mission defines security requirements, their purpose, the focus on risk management, commitment to continual maintenance, and the improvement of the information security program. Hence, aligning the information security mission with the corporate mission is one of the primary strategies of security governance.

Organizational processes

To support the information security strategy and to meet the goals and objectives, organizational processes need to be aligned to the mission. Such processes include defining the roles and responsibilities of the personnel involved with effective implementation and day-to-day management; establishing monitoring mechanisms that include reporting, review and approval processes, and ensuring that management support is available to such organizational processes.

Security roles and responsibilities

Information security is everyone's responsibility in any organization. Specific security roles and responsibilities are to be considered from the security governance perspective. Hence, the information security responsibilities of the board of directors/trustees, executives, steering committee, and chief information security officer are important at management level.

Control frameworks

To support the information security strategy and the mission, control frameworks are established by the organization. Such frameworks contain controls under three broad categories, namely, management, administrative, and technical.

Management controls

Management controls are characterized by stating the views of the management and their position on particular topics, such as information security.

For example, the Information security policy is a management control, wherein the management states its intent, support, and direction for security.

Administrative controls

While a policy is a high-level document that provides the intent of the management, administrative controls are to implement such policies.

For example, procedures, guidelines, and standards are administrative controls that support the policies. These are covered later in this chapter.

Technical controls

Information is stored and processed predominantly in IT systems. Hence, technical controls are established to support management and administrative controls in the information systems.

Firewalls, intrusion detection systems, antivirus software, and so on are some examples of technical controls.

Due diligence and due care

It is important that management's intent and support for information security programs are visible across the organization, and to investors and customers. Hence, an organization should demonstrate due diligence and due care pertaining to information security processes and activities.

Understanding and estimating risk, in view of the organization's mission, prevailing threats, vulnerabilities, and attacks, and legal and regulatory compliance, forms part of the due diligence process by the management.

Implementing security governance by way of organizational processes, defining roles and responsibilities, establishing risk management processes, and monitoring effectiveness of the information security controls are due care activities by the management.


Compliance


Information security breaches in the past two decades have necessitated new security-related legal and regulatory frameworks, or updates to existing frameworks to include security-related compliance provisions, across various countries. Requirements to comply with legal and legislative frameworks have increased exponentially due to the global nature of the Internet, cross-border information exchange, electronic commerce, and services. Compliance frameworks are abundant with terms and jargon that a security professional should be aware of. The following are some of the legal and regulatory frameworks, terms, and jargon that are relevant to the information security domain.

Legislative and regulatory compliance

Common law is law that is developed based on the decisions of courts and tribunals rather than through statutory laws (legislative statutes). A legal system that uses common law is called a common law legal system. Countries such as the United Kingdom, the United States of America (most of the states in the USA), Canada, Australia, South Africa, India, Malaysia, Singapore, and Hong Kong follow common law.

There are three categories under common law that are generally established:

  1. Regulatory law, also called administrative law, primarily deals with the regulations of administrative agencies of the government.

  2. Criminal law deals with the violations of government laws. Criminal laws are filed by government agencies against an individual or an organization. The punishment under criminal laws includes imprisonment as well as financial penalties.

  3. Civil law deals with the lawsuits filed by private parties, such as corporations or individuals. Punishments under this law are financial or punitive damages or both.

Statutory law, legislative statute, or statute law is a legal system that is set down by the legislature or executive branch of the government. In certain instances, statutory law is also termed codified law.

Religious laws are legal systems based on religious principles. Examples include Hindu, Islamic, and Christian laws.

Civil Law is a legal system based on codes and legislative statutes as opposed to common law. France, Germany, and many other countries in the world follow civil law. Hence, there is a civil law category in the common law system and a civil law system itself.

Privacy requirements in compliance

Privacy is the protection of Personally Identifiable Information (PII) about individuals, or of Sensitive Personal Information (SPI) that can be used to identify a person in the context of a group. Protection under privacy is from disclosure, or selective disclosure, based on the individual's preferences.

The National Institute of Standards and Technology (NIST) has published a guide to protecting the confidentiality of personally identifiable information as NIST Special Publication 800-122. As per the guide, PII is defined as any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Privacy laws deal with protecting and preserving the rights of an individual's privacy.

A few examples of privacy laws in the United States include the following:

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Financial Services Modernization Act (GLB), 15 U.S. Code: 6801-6810

  • Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313

In the UK, they include the following:

  • Data Protection Act 1998 (United Kingdom)

  • Data Protection Directive (European Union)

Licensing and intellectual property

Intellectual Property (IP) refers to creative works of the intellect, that is, the mind. Music, literary works, art, inventions, symbols, designs, and so on fall under intellectual property. The creator of such intellectual work has certain exclusive rights over the property. These exclusive rights are called Intellectual Property Rights (IPR).

Intellectual property law is a legal domain that deals with Intellectual Property Rights (IPR).

The following are some IPR-related terms:

  • Copyright: This is an intellectual property right that grants exclusive rights to the creator of the original work, such as deriving financial benefits from such work, ownership credits, and so on. Others do not have the 'right to copy' such work. Copyright is country-specific.

  • Patent: This is a set of exclusive rights granted to the inventor of new, useful, inventive, and industrially applicable inventions. This right excludes others from making, using, selling, or importing the invention. Patents are granted for a specific period of time. A patent is a public document.

  • Trademark: This is a unique symbol or mark that is used by individuals or organizations to uniquely represent a product or a service. A trademark is also used to distinguish a product or service from those of other entities.

  • Trade secret: This is a formula, design, process, practice, or pattern that is not revealed to others. This protects the information from being copied and preserves competitive advantage.


Legal and regulatory issues


An information compromise or security breach that could lead to civil or criminal liability for an organization is grouped under legal and regulatory issues. For example, if a hacker intrudes into a system, obtains Personally Identifiable Information (PII), and publishes it on an Internet portal, then the liability for failure to protect such information falls on the organization.

The following list of issues may have legal or regulatory ramifications.

Computer crimes

A computer crime is a fraudulent activity that is perpetrated against computer or IT systems. The motivation could be for financial gain, competitive gain, popularity, fame, or adventure.

In computer crime, the term computer refers to the role it plays in different scenarios: whether the crime is committed against a computer, whether the crime is committed using the computer, whether the computer is incidental to the crime, or a combination of all three.

The following paragraphs describe some of the common computer crimes. Remember, a CIA compromise or breach will be the end result of a crime.

Fraud

Manipulation of computer records, such as data diddling, salami slicing, or any other technique, or a deliberate circumvention of computer security systems, such as cracking or unethical hacking for monetary gain, is termed fraud.

Note

Data diddling is a malicious activity that changes data during the input or processing stage of a software program to obtain financial gain. Salami slicing, also known as penny shaving, is a fraudulent activity that regularly siphons off extremely small amounts of money so as to avoid being observed or caught.
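As an added example (not from the book), the following Python audit looks for the two fraud patterns this note describes over a constructed ledger: a record whose processed amount no longer matches the amount approved at input (data diddling), and an account that quietly collects many tiny credits from many different source accounts (salami slicing). The `Posting` fields, account names, and the `max_cents`/`min_sources` thresholds are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Posting:
    """One ledger line. Field names are assumptions for this example."""
    txn_id: str
    src: str              # account debited
    dst: str              # account credited
    amount_cents: int     # amount the processing stage actually posted
    approved_cents: int   # amount captured and approved at input time


def find_data_diddling(postings):
    """Data diddling: the record was altered between input and processing,
    so the posted amount no longer matches the approved input amount."""
    return [p for p in postings if p.amount_cents != p.approved_cents]


def find_salami_accounts(postings, max_cents=5, min_sources=10):
    """Salami slicing: one account collects many tiny credits drawn from many
    different source accounts. Returns
    {account: (number_of_postings, total_cents, distinct_sources)} for every
    account over the thresholds (assumed values; tune them to the ledger)."""
    tiny = defaultdict(list)
    for p in postings:
        if 0 < p.amount_cents <= max_cents:
            tiny[p.dst].append(p)
    flagged = {}
    for acct, lines in tiny.items():
        sources = {p.src for p in lines}
        if len(sources) >= min_sources:
            flagged[acct] = (len(lines),
                             sum(p.amount_cents for p in lines),
                             len(sources))
    return flagged


def sample_postings():
    """Constructed ledger (not real data): 12 ordinary customer payments,
    a 1-3 cent skim from each of them into ACC-9999, one altered record,
    and one legitimate rounding adjustment from a single source."""
    postings = []
    for i in range(12):
        cust = f"CUST-{i:03d}"
        amount = 10_000 + 125 * i
        postings.append(Posting(f"T{i:03d}", cust, "MERCHANT-01", amount, amount))
        skim = 1 + i % 3
        postings.append(Posting(f"S{i:03d}", cust, "ACC-9999", skim, skim))
    # Altered record: 25,000 cents approved at input, only 2,500 cents posted.
    postings.append(Posting("T999", "CUST-999", "MERCHANT-01", 2_500, 25_000))
    # Tiny credit from a single source: stays below the min_sources threshold.
    postings.append(Posting("R001", "CUST-001", "ACC-ROUND", 2, 2))
    return postings


def audit(postings):
    """Run both checks and return their findings in one dict."""
    return {
        "diddled": [p.txn_id for p in find_data_diddling(postings)],
        "salami": find_salami_accounts(postings),
    }


if __name__ == "__main__":
    for check, findings in audit(sample_postings()).items():
        print(check, findings)
```

A rounding or suspense account that legitimately receives many small credits belongs on an explicit allow list; loosening the thresholds instead would let a skim account hide behind it.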

Hacking refers to the discovery of vulnerabilities, holes, or weaknesses in computer software and associated IT systems, either to exploit them for improving the security or to prevent intentional fraud. Hackers are persons who do hacking. However, hacking is classified under different names to distinguish the objective:

  • Black-hat hackers are people with malicious intent, who compromise the computer systems to commit crime. Such a hacker is called a cracker and the malicious hacking activity is termed as cracking.

  • White-hat hackers, or ethical hackers, are people who, with authorization, try to compromise computer systems in order to discover holes and improve security.

  • Grey-hat hackers fall between the two; their actual intention is ambiguous or not known.

Theft

Identity theft is stealing someone's identity with the intention of pretending to be that person in order to commit fraud. Stealing passwords, login credentials, and credit card information are examples of identity theft.

Intellectual property theft is stealing software code, designs, or other proprietary information for financial gain.

Malware/malicious code

Malware is malicious software designed to compromise, damage, or disrupt the normal functioning of computers, gain unauthorized access, collect private and sensitive information, and/or corrupt data.

Writing or spreading malware is a computer crime. Viruses, worms, Trojan horses, and spyware, such as key loggers, are examples of malware and are explained as follows:

  • A computer virus is malicious code that attaches itself to files and can spread from one file to another or from one computer to another. A virus typically infects a computer only when the user opens (executes) the infected file.

  • Worms are similar to viruses, but are self-replicating and self-propagating, usually across networks. Generally, worms do not require the human intervention of opening an infected file.

  • A Trojan horse is malware that hides within, or masquerades as, a legitimate program. Users are tricked into running the file containing the malware by way of social engineering.

    Note

    Social engineering is a type of nonintrusive attack in which humans are tricked into circumventing security controls. Some attacks, such as phishing and Cross-Site Request Forgery (CSRF), use social engineering techniques. More details about CSRF are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.

  • Spyware is malicious code that tracks user actions, such as web browsing patterns, files opened, and applications accessed. Spyware is best described as snooping software.

  • Key loggers are a type of spyware that capture keystrokes and transmit them to an attacker's server. They are used to capture sensitive information, such as usernames and passwords. Key loggers can be hardware or software.

Cyber crime

Criminal activities perpetrated using communication networks, such as the Internet, telephone, wireless, satellite, and mobile networks, are called cyber crimes:

  • Cyber terrorism is a type of cyber crime perpetrated against computers and computer networks; such attacks are generally premeditated. The objective is to cause harm in pursuit of social, ideological, religious, political, or similar goals.

  • Cyber stalking is a type of cyber crime in which the offender harasses or intimidates the victim using the Internet and other electronic means. It is a criminal offence under various state anti-stalking and harassment laws.

  • Information warfare is a type of cyber crime intended to destabilize an opponent, such as a corporation or institution, in order to gain a competitive advantage. Examples include false propaganda and web page defacement.

  • Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are cyber crimes in which websites, corporate systems, or any user's computer systems are made inaccessible by flooding the web and application servers with service requests. Eventually, the servers stop responding to genuine requests. Botnets (robot networks) are increasingly used for such crimes. A botnet is an army of compromised computers that listen to a command-and-control system for orders to execute; the computers are generally compromised through the exploitation of security vulnerabilities.

Tip

More details about botnets are covered in Chapter 6, Day 6 – Security Engineering - Security Design, Practices, Models and Vulnerability Mitigation.

Making and digitally distributing child pornography is a cyber crime.

Digitally distributing and storing copyrighted materials of others without the copyright owner's explicit permission is a cyber crime.

Using e-mail to disrupt systems, to send unsolicited commercial e-mail, or to induce the user to perform actions that lead to the theft of information or money falls under cyber crime.

The following are examples of such crimes:

  • Sending Unsolicited Commercial Email (UCE) is called spamming. It is a cyber crime that clogs networks and intrudes on the privacy of the user.

  • Phishing is a type of cyber crime in which a user is lured to an illegitimate website, constructed by the attacker, that looks similar to the website the user intended to visit, for example, an online banking website or an e-mail login page. A successful phishing attack results in the attacker capturing the user's credentials.

  • Pharming is a type of cyber attack in which the user is redirected to a malicious website constructed by the attacker, typically by tampering with name resolution (for example, the local hosts file or DNS records) rather than by luring the user with a message. Generally, this redirection happens without the user's acceptance or knowledge.

  • SMiShing is a type of cyber attack that uses mobile networks. In this attack, Short Message Service (SMS) text messages are used to lure the user to attacker-constructed malicious websites. It is similar to phishing.

  • Harassment in the form of cyber stalking, cyberbullying, hate crime, online predation, and trolling comprises crimes that target specific individuals.

Import and export controls

Many countries have import and export restrictions pertaining to encryption. For example, encryption items specifically designed, developed, configured, adapted, or modified for military applications, or for command, control, and intelligence applications, are generally controlled under munitions lists.

Transborder data flow

The transfer of computerized data across national borders, states, or political boundaries is termed transborder data flow. The data can be personal, business, technical, or organizational. The legal issues that arise from such transfers relate to the ownership and usage of the data.

Data breaches

By definition, a data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual who is not authorized to do so. It can also result from unintentional information disclosure, a data leak, or a data spill.

A data breach can happen as a result of hacking (unethical means), organized crime, negligence in the disposal of media, and so on.

Because a data breach is a security incident, many jurisdictions have passed data breach notification laws.

In the United States, data breach-related laws are categorized as security breach laws. The National Conference of State Legislatures describes the provisions of such laws as follows:

Security breach laws typically have provisions regarding who must comply with the law (e.g. businesses, data/ information brokers, government entities, and so on); definitions of "personal information" (e.g. name combined with SSN, drivers license or state ID, account numbers, and so on.); what constitutes a breach (e.g. unauthorized acquisition of data); requirements for notice (e.g. timing or method of notice, who must be notified); and exemptions (e.g. for encrypted information).

 

Professional ethics


The information security profession is based on trust, as the professional may be handling sensitive or confidential information. An ethically sound and consistently applied code of professional ethics needs to be adhered to by the professional.

Codes of ethics

These are based on the safety of the commonwealth; duty to principals, such as employers, contractors, and the people for whom a professional works; and duty to each other. They require that professionals adhere, and be seen to adhere, to the highest ethical standards of behavior.

(ISC)2 code of professional ethics

The International Information System Security Certification Consortium, (ISC)2, has published a code of professional ethics for its members; its canons are as follows:

  • Protect society, the commonwealth, and the infrastructure

  • Act honorably, honestly, justly, responsibly, and legally

  • Provide diligent and competent service to principals

  • Advance and protect the profession

 

Security policies, standards, procedures, and guidelines


Policies, standards, procedures, and guidelines form a quartet of organizational mechanisms for protecting information:

  • Security policies are high-level statements that express management's intent and direction for information security. They describe the what.

  • Security standards provide prescriptive statements, control objectives, and controls for enforcing security policies; in a way, they provide the how. They can be developed internally by the organization and/or published by standards bodies, such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), or country-specific standards bodies.

  • Security procedures are step-by-step instructions to implement the policies and standards.

  • Security guidelines provide best-practice methods to support the selection and implementation of security controls. They can be used in whole or in part while implementing security standards.

    For example, NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides guidance on the system security life cycle.

The International Organization for Standardization (ISO), together with the International Electrotechnical Commission (IEC), has published a code of practice and a certifiable standard for an Information Security Management System (ISMS). They are as follows:

  • ISO/IEC 27002: Code of practice for information security controls. This standard provides a list of best-practice controls that an organization could adopt for security management.

  • ISO/IEC 27001: This standard specifies the requirements for an ISMS and is a certifiable standard. Organizations can seek certification of their ISMS against it.

 

Personnel security policies


Personnel security policies concern the people associated with the organization, such as employees, contractors, and consultants. These policies encompass the following:

  • Screening processes to validate that candidates meet security requirements

  • Ensuring that people understand their security responsibilities

  • Assessing their suitability for security roles

  • Reducing the risk of theft, fraud, or the misuse of facilities

Employment candidate screening

Background verification checks are the primary mechanism used in employment candidate screening. They may include the following:

  1. Character references to evaluate the personal traits of the applicant. Best-practice guidelines call for character references from at least two sources, for example, one business and one personal.

  2. Checking the completeness and accuracy of the applicant's curriculum vitae and verifying the claimed academic and professional qualifications; these are critical steps in the screening process.

  3. Identity checks by verifying identification documents.

  4. Criminal record checks as well as credit checks.

Employment agreement and policies

Besides general job roles, and depending on business requirements, information security responsibilities, including information-handling requirements, should form part of the employment agreement and policies.

Employees should also be made aware of the organization's information security policies, and when they are given access to sensitive or confidential information, they should additionally sign confidentiality and nondisclosure agreements.

Employment termination processes

Employee termination processes have to follow the established security policies and practices. The primary objective of the process is to ensure that employees, contractors, and third-party users exit or change employment according to established procedures without compromising security. The procedures may include the termination of responsibilities, the return of assets, the removal of access rights, and so on.

Vendor, consultant, and contractor controls

Third-party users, such as vendors, consultants, and contractors, need access to information and the associated systems based on their job function. Protection of that information starts with the screening process and with confidentiality and nondisclosure agreements.

Compliance and privacy

Adherence to policies and procedures, performing job functions according to legal and regulatory requirements, and adherence to privacy-protection mechanisms apply across the board in an organization.

 

Summary


This chapter has covered foundational concepts in information security. In a nutshell, assets, whether physical, hardware, software, information, or personnel, require protection. The protection of assets is based on CIA requirements, and the required CIA levels are determined using risk assessment methods (covered in the next chapter). Information security is ensured through security governance and demonstrated through compliance.

The next chapter continues this first domain with topics such as understanding and applying risk management concepts, threat modeling, and establishing business continuity requirements.

 

Sample questions


Q1. Which one of the following statements about security standards reflects the most appropriate definition?

  1. Security standards are step-by-step instructions to implement a security policy

  2. Security standards contain prescriptive statements, control objectives, and controls for implementing security

  3. Security standards document best practices

  4. Security standards are technology-specific blueprint diagrams

Q2. Security breach laws typically have provisions regarding who must comply with the law and additional applicable provisions. Which one of the following may not be an applicable provision?

  1. Definitions of personal information

  2. Exemptions

  3. What constitutes a breach

  4. Requirements for certification

Q3. Which of the following statements are published by (ISC)2 in its Code of Professional Ethics? (This is a drag-and-drop type of question: draw a line from each item in the list of answers on the left to the empty box on the right-hand side.)

Q4. A security practitioner is evaluating a privacy breach scenario for an e-commerce order placement and processing setup. Choose the location where a privacy breach could occur owing to an insecure implementation. (This is a hot-spot type of question: place a tick mark in the appropriate circle.)

About the Authors
  • M. L. Srinivasan

    M. L. Srinivasan is the founder and CEO of ChennaiNet, an India-based technology company focused on information technology and information security-related product development, services, and training. He's a Certified Information System Security Professional (CISSP) and Certified Information Security Management System Lead Auditor. Popularly known as MLS, the author is an information technology and information security professional and has about 25 years' experience in various IT domains, such as software programming, hardware troubleshooting, networking technologies, systems administration, security administration, information security-related consulting, auditing and training. He has been an avid trainer throughout his career and has developed many short-term and long-term training programs. He has been invited to speak at many international conferences and seminars on information security. Currently he is associated with NIIT Technologies (USA), and CA Technologies (USA) as a senior instructor covering various product-based training on CA identity manager, CA SiteMinder (Single Sign-On), CA ControlMinder (AccessControl), CA Federation Manager, and CA DataMinder products. He was a specialist IT and IS auditor with Det Norske Veritas (DNV), India region. He has performed many quality and information security audits for hundreds of medium and large organizations in the past.
