 |
xCOMPASS is a questionnaire developed from MAP personas so that threat modelers can ask specific and targeted questions covering a range of privacy threats. Each question is linked to a persona. Before diving into privacy threats, the following scoping questions might be helpful during a threat modeling session. This is because the existence of personal information must be known, even if it is managed and is not an active threat. Team must ensure that these are properly handled when they exist, and reviews are done for special categories of such information. |
| Scoping Questions |
|---|
| Does the application code contain personal information? |
| Do any databases used by the application contain personal information? If the application has personal information, has it been de-deidentified? |
| Do any application logs contain personal information? |
The following categories of information often come with special legislative protections.
| Special categories of Personal Information |
|---|
| Biometric data: Does the application collect biometric data? |
| Children data: Does the application collect data from youth under 16? |
| CPNI: Does the application contain CPNI data? CPNI or Customer Proprietary Network Information, is the data collected by telecommunications companies about subscribers. |
| Voice and Video: Does the application collect voice or video data? |
The categories defined in xCOMPASS are the following:
- Accountability and Auditing
- Data Quality and Integrity
- Use Limitation
- Data Minimization
- Transparency
- Security
- Purpose Specification
- Individual Participation
- Third-party Sharing
The full questionnaire is available here. Each question has a persona linked - if you would like to see an example persona for each combination listed here, use this link.