
Feedback on version 0.1 of Information Security Profile draft #45

Open
lukepopp opened this Issue Dec 20, 2018 · 5 comments

Comments

5 participants
@lukepopp
Contributor

lukepopp commented Dec 20, 2018

This thread is for feedback on the full 20/12 December working draft. Overarching feedback on the draft can be made here, and complete responses to the draft in .doc format can also be uploaded.

@lukepopp lukepopp added the feedback label Dec 20, 2018

@lukepopp lukepopp added this to Backlog in Information Security Profile 0.1 Draft via automation Dec 20, 2018

@ConsumerDataStandardsAustralia ConsumerDataStandardsAustralia locked and limited conversation to collaborators Dec 20, 2018

@lukepopp lukepopp changed the title Feedback of version 0.1 of Information Security Profile draft Feedback on version 0.1 of Information Security Profile draft Dec 20, 2018

@ConsumerDataStandardsAustralia ConsumerDataStandardsAustralia unlocked this conversation Dec 21, 2018

@lukepopp

Contributor Author

lukepopp commented Jan 6, 2019

Commonwealth Bank's response:

20181219 CommBank Standards Submission.pdf

@AmexAUopenbanking


AmexAUopenbanking commented Jan 18, 2019


  • American Express would support secure app deep linking in the consent journey between the data recipient’s app/website and the data holder’s app (if installed) for the best customer experience, e.g. using existing biometric sign-on/authentication with the data holder’s app.

  • From the ACCC Rules Outline published on 21 December 2019: “7.26. Accredited data recipients must remind consumers every 90 days that an ongoing data sharing arrangement is in place.” Flexibility should be given to accredited recipients on how best to display this reminder, so as to avoid onerous user interface requirements.

@NationalAustraliaBank

@anzbankau


anzbankau commented Jan 18, 2019

ANZ's Feedback on Info Sec profile 0.1.1:
ANZ's Feedback on InfoSec profile 0.0.1 -Date 18012019.pdf

@ghost


ghost commented Jan 18, 2019

Secure Logic feedback on Information Security Profile draft version 0.1:

Section 3.3 – Registry
Given the important role of the ACCC as the appointed Certificate Authority in the scheme, Secure Logic recommends that comprehensive Certification Practice Statement (CPS) documentation be produced and distributed in the public domain. At a minimum it should clearly include information on the certification and registration authorities, acceptable usage, availability, access control, initial identity validation, as well as certificate application, acceptance, issuance, renewal, modification, revocation, suspension and status-checking services.

It is also recommended that Common Criteria certification be considered in the development of the ACCC Certificate Authority solution.

Section 14 – Consent
In alignment with the Bill and Rules Framework, we would like to underline the concept of time-limited consent. The Standards should articulate the requirement to check for consent expiration, which may manifest in the form of time-based validity of an access token for short-lived, session-bound consent, or a more permanent data field for longer-term use.

The process of automatic clean-up, deletion or de-identification of data for which consent has expired should occur at a regular interval and be documented in the Standards.
