
beef up the infosec portion of our risk program #223

Closed
chadwhitacre opened this Issue May 31, 2015 · 9 comments

@chadwhitacre
Contributor

chadwhitacre commented May 31, 2015

Now that we're planning to store national identification numbers (gratipay/gratipay.com#3289 (comment)) as well as bank account numbers (#3377 downstream of #3366), we need a stronger infosec risk management program.

@chadwhitacre
Contributor

chadwhitacre commented May 31, 2015

Europe has stronger data privacy laws. What are they?

https://www.mywot.com/wiki/Personally_Identifiable_Information_(PII)

@chadwhitacre
Contributor

chadwhitacre commented May 31, 2015

#222 will be part of this.

@chadwhitacre
Contributor

chadwhitacre commented May 31, 2015

As will #214.

@chadwhitacre
Contributor

chadwhitacre commented Jun 1, 2015

The people or bodies that collect and manage personal data are called "data controllers". They must respect EU law when handling the data entrusted to them.

Individuals regularly disclose personal information such as their names, photographs, telephone numbers, birth date and address while engaged in a whole range of everyday activities. This personal data may be collected and processed for a wide variety of legitimate purposes such as business transactions, joining clubs, applying for a job, and so on.

Nonetheless, the privacy rights of individuals supplying their personal data must be respected by anyone collecting and processing that data. The Data Protection Directive lays down a series of rights and duties in relation to personal data when it is collected and processed.

Data controllers

The Directive refers to the persons or entities which collect and process personal data as "data controllers". For instance, a medical practitioner is usually the controller of his patients' data; a company is the controller of data on its clients and employees; a sports club is controller of its members' data and a library of its borrowers' data.

Data controllers determine 'the purposes and the means of the processing of personal data'. This applies to both public and private sectors.

Data controllers must respect the privacy and data protection rights of those whose personal data is entrusted to them. They must:

http://ec.europa.eu/justice/data-protection/data-collection/index_en.htm

@chadwhitacre
Contributor

chadwhitacre commented Jun 3, 2015
What do we have to do here? We need to start storing bank accounts and identity numbers. We should look at the information we store and the risk associated with each, and adopt policies according to risk level. I'm thinking of three tiers:

| risk level | information                      | risk            | policy           |
|------------|----------------------------------|-----------------|------------------|
| high       | bank account numbers             | financial theft | vault + PCI DSS  |
| medium     | PII, including identity numbers  | identity theft  | vault            |
| low        | non-PII                          | indeterminate   | regular database |
@chadwhitacre
Contributor

chadwhitacre commented Jun 4, 2015
At this point my hope is that we can:

  • build a vault (probably using Vault, Consul, and AWS)
  • segment the vault from the rest of our application so that the vault is the only thing within PCI scope
  • write high- and medium-risk data to the vault directly from the browser (how will we do authentication?)
  • never read high-risk data from the web app; only read it from payday
  • read medium-risk data from both the web app and payday
@chadwhitacre chadwhitacre added this to the Payroll milestone Mar 11, 2016
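The three-tier policy from the Jun 3 comment and the read/write rules from the Jun 4 comment, as an added worked example that is not Gratipay's code (nor HashiCorp's): an in-memory `Vault` class stands in for the real Vault/Consul deployment on AWS, the field names (`bank_account_number`, `national_id`, `email`, `username`) and the component names `webapp` and `payday` are assumptions, and the sample data is constructed. It shows the two security properties the plan relies on: high- and medium-risk values never land in the regular database (only an opaque vault token does), and a read of high-risk data from the web app is refused rather than served.

```python
"""Risk-tiered storage routing: example code for the policy sketched in this
thread. Not Gratipay code. The Vault class below is an in-memory stand-in for
the real HashiCorp Vault/Consul deployment; field and component names are
assumed."""
import secrets
from enum import Enum


class Tier(Enum):
    HIGH = "high"      # bank account numbers: financial theft
    MEDIUM = "medium"  # PII incl. national identity numbers: identity theft
    LOW = "low"        # non-PII: regular database


# Assumed field classification; the thread names only the categories.
FIELD_TIER = {
    "bank_account_number": Tier.HIGH,
    "national_id": Tier.MEDIUM,
    "email": Tier.MEDIUM,
    "username": Tier.LOW,
}

# Components allowed to read each tier (from the Jun 4 comment).
READERS = {
    Tier.HIGH: {"payday"},
    Tier.MEDIUM: {"webapp", "payday"},
    Tier.LOW: {"webapp", "payday"},
}


class PolicyViolation(Exception):
    """Raised when a component tries to read data above its clearance."""


class Vault:
    """Stand-in for the segmented, PCI-scoped store. Each stored value is
    returned as an opaque token, so only the token lands in the main DB."""

    def __init__(self):
        self._secrets = {}

    def put(self, value):
        token = "vault:" + secrets.token_hex(8)
        self._secrets[token] = value
        return token

    def get(self, token):
        return self._secrets[token]


class DataStore:
    """Routes each field to the vault or the regular DB by risk tier and
    enforces which component may read it back."""

    def __init__(self):
        self.vault = Vault()
        self.db = {}  # regular database: participant -> {field: value or token}

    def write(self, participant, name, value):
        tier = FIELD_TIER[name]
        record = self.db.setdefault(participant, {})
        if tier is Tier.LOW:
            record[name] = value
        else:
            record[name] = self.vault.put(value)  # raw value stays in the vault

    def read(self, caller, participant, name):
        tier = FIELD_TIER[name]
        if caller not in READERS[tier]:
            raise PolicyViolation(
                f"{caller} may not read {tier.value}-risk field {name!r}")
        stored = self.db[participant][name]
        return stored if tier is Tier.LOW else self.vault.get(stored)

    def raw_values_in_db(self):
        """Values a compromise of the regular DB alone would expose; vault
        tokens are excluded because they are useless without vault access."""
        return {
            v for rec in self.db.values() for v in rec.values()
            if not v.startswith("vault:")
        }


def demo():
    """Populate a store and report what each component can read."""
    store = DataStore()
    # Constructed sample data, not real account or identity numbers.
    store.write("alice", "bank_account_number", "000123456789")
    store.write("alice", "national_id", "AB-123456-C")
    store.write("alice", "username", "alice")
    outcomes = {
        "payday_reads_bank": store.read("payday", "alice", "bank_account_number"),
        "webapp_reads_id": store.read("webapp", "alice", "national_id"),
        "db_exposes": store.raw_values_in_db(),
    }
    try:
        store.read("webapp", "alice", "bank_account_number")
        outcomes["webapp_reads_bank"] = "allowed"
    except PolicyViolation:
        outcomes["webapp_reads_bank"] = "denied"
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The example models the tier split and the read policy only; the comment's idea of writing high- and medium-risk data to the vault directly from the browser, and the open question of how that write would be authenticated, is not modelled here and would need a separate vault-side auth design.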

@chadwhitacre
Contributor

chadwhitacre commented Apr 14, 2016

With gratipay/gratipay.com#3504 (comment), I'm bumping this from the "Bring Back Payroll" milestone.

@chadwhitacre chadwhitacre removed this from the Bring Back Payroll milestone Apr 14, 2016
