[Owasp-intra-governmental-affairs] Two New Draft Personally Identifiable Information Standards
colin.watson at owasp.org
Fri Jan 16 13:18:10 EST 2009
> You know what ?- they are the perfect ones for us to shoot for.
I've emailed BSI to ask if they have a full version, rather than the
snippets in the response system.
While I was on the train this morning I read through the NIST one...
and have identified four areas where OWASP might comment. To save
time, I'll list initial ideas below (no justifications provided yet).
The main area I think we could comment is in the security controls
section (4.3), but some of the earlier text could be improved.
In "3.2.5 Access to an Location of the PII", amend the sentence which
ends "Another element is the scope of access to the PII, such as
whether the PII needs to be accessed from teleworkers' systems and
other systems outside the direct control of the organization." to
"Another element is the scope of access to the PII, such as whether
the PII needs to be STORED ON OR accessed from teleworkers' systems
and other systems SUCH AS WEB APPLICATIONS outside the direct control
of the organization.".
In "3.3.3 Example 3: Fraud, Waste, and Abuse Reporting Application",
in the section "Access to and location of the PII: The database is
only accessed by a few people who investigate fraud, waste, and abuse
claims. All access to the database occurs only from the
organization's own systems.", change this to be "Access to and
location of the PII: THE DATA EXISTS TEMPORARILY ON A SERVER OUTSIDE
THE ORGANIZATION'S NETWORK (THE ONLINE SYSTEM) AND ANY VULNERABILITIES
IN THE ONLINE WEB APPLICATION COULD LEAD TO A BREACH OF THE PII. ONCE
TRANSFERRED INTERNALLY, the database is only accessed by a few people
who investigate fraud, waste, and abuse claims MEANING access to the
INTERNAL database occurs only from the organization's own systems.".
In "4.3 Security Controls", add at the end of the first paragraph
(before the bulleted items), "SEE THE OPEN WEB APPLICATION SECURITY
PROJECT APPLICATION SECURITY VERIFICATION STANDARD (ASVS) FOR ONLINE
WEB SYSTEM SECURITY CONTROL VERIFICATION.". (footnote link
In "Appendix A, Scenario 2: Protecting Survey Data" under the
"additional questions for the scenario", add a new item between items
2 and 3 "HOW ARE THE DATA ELEMENTS COLLECTED, STORED AND USED SECURELY
IN THE ONLINE SYSTEMS".
More information about the Owasp-intra-governmental-affairs