This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

beef up the infosec portion of our risk program #223

Closed
chadwhitacre opened this issue May 31, 2015 · 9 comments

Comments

@chadwhitacre
Contributor

Now that we're planning to store national identification numbers (gratipay/gratipay.com#3289 (comment)) as well as bank account numbers (#3377 downstream of #3366), we need a stronger infosec risk management program.

@chadwhitacre
Contributor Author

Europe has stronger data privacy laws. What are they?

https://www.mywot.com/wiki/Personally_Identifiable_Information_(PII)

@chadwhitacre
Contributor Author

#222 will be part of this.

@chadwhitacre
Contributor Author

As will #214.

@chadwhitacre
Contributor Author

@chadwhitacre
Contributor Author

Europe generally: http://ec.europa.eu/justice/data-protection/.

@chadwhitacre
Contributor Author

The people or bodies that collect and manage personal data are called "data controllers". They must respect EU law when handling the data entrusted to them.

Individuals regularly disclose personal information such as their names, photographs, telephone numbers, birth date and address while engaged in a whole range of everyday activities. This personal data may be collected and processed for a wide variety of legitimate purposes such as business transactions, joining clubs, applying for a job, and so on.

Nonetheless, the privacy rights of individuals supplying their personal data must be respected by anyone collecting and processing that data. The Data Protection Directive lays down a series of rights and duties in relation to personal data when it is collected and processed.

Data controllers

The Directive refers to the persons or entities which collect and process personal data as "data controllers". For instance, a medical practitioner is usually the controller of his patients' data; a company is the controller of data on its clients and employees; a sports club is controller of its members' data and a library of its borrowers' data.

Data controllers determine 'the purposes and the means of the processing of personal data'. This applies to both public and private sectors.

Data controllers must respect the privacy and data protection rights of those whose personal data is entrusted to them. They must:

http://ec.europa.eu/justice/data-protection/data-collection/index_en.htm

@chadwhitacre
Contributor Author

What do we have to do here? We need to start storing bank accounts and identity numbers. We should look at the information we store and the risk associated with each, and adopt policies according to risk level. I'm thinking of three tiers:

| risk level | information | risk | policy |
|---|---|---|---|
| high | bank account numbers | financial theft | vault + PCI DSS |
| medium | PII, including identity numbers | identity theft | vault |
| low | non-PII | indeterminate | regular database |

@chadwhitacre
Contributor Author

At this point my hope is that we can:

  • build a vault (probably using Vault, Consul, and AWS)
  • segment the vault from the rest of our application so that the vault is the only thing within PCI scope
  • write high- and medium-risk data to the vault directly from the browser (how will we do authentication?)
  • never read high-risk data from the web app; only read it from payday
  • read medium-risk data from both the web app and payday
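
An added example, not Gratipay's code and not the HashiCorp Vault API, that models the plan above as a tokenizing vault: the vault hands back an opaque token for each high- or medium-risk value, the regular database keeps only tokens, and reads are gated so that only `payday` can redeem high-risk tokens while both components can redeem medium-risk ones. The field-to-tier map, the `Vault` class and `readable_by` are assumptions for illustration.

```python
import secrets

# Risk tiers taken from the table in the comment above (assumed field names).
TIER_BY_FIELD = {"bank_account_number": "high", "national_id": "medium"}

# Which components may read each tier: high only from payday, medium from both.
READERS = {"high": {"payday"}, "medium": {"payday", "webapp"}}


class PolicyViolation(Exception):
    """Raised when a write or read would break the tiered storage policy."""


class Vault:
    """In-memory stand-in for the segmented vault (hypothetical, not a real backend)."""

    def __init__(self):
        self._records = {}  # token -> (tier, raw value); the only place raw values live

    def store(self, field, value):
        # The browser writes here directly, so the web app process never handles
        # the raw value; it only ever receives and persists the opaque token.
        tier = TIER_BY_FIELD.get(field, "low")
        if tier == "low":
            raise PolicyViolation(f"{field} is low-risk; it belongs in the regular database")
        token = secrets.token_urlsafe(16)
        self._records[token] = (tier, value)
        return token

    def read(self, token, caller):
        # Every read names its caller so the tier policy can be enforced here,
        # rather than trusting each component to self-police.
        tier, value = self._records[token]  # KeyError for an unknown token
        if caller not in READERS[tier]:
            raise PolicyViolation(f"{caller} may not read {tier}-risk data")
        return value


def readable_by(vault, token, caller):
    """True if `caller` is permitted to redeem `token`; False on denial or unknown token."""
    try:
        vault.read(token, caller)
        return True
    except (PolicyViolation, KeyError):
        return False
```

A real deployment would replace the dict with the vault service and derive `caller` from the component's own credentials rather than a string argument.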

@chadwhitacre chadwhitacre added this to the Payroll milestone Mar 11, 2016
@chadwhitacre
Contributor Author

With gratipay/gratipay.com#3504 (comment), I'm bumping this from the "Bring Back Payroll" milestone.
