Suggest small change to 6.1.1 #1658

Open
jmanico opened this issue Jun 9, 2023 · 3 comments
Labels
4b Major-rework These issues need to be part of a full chapter rework V1 V6 V8 _5.0 - prep This needs to be addressed to prepare 5.0
jmanico commented Jun 9, 2023

I would like to suggest that we augment 6.1.1 to mention one other privacy law.

From:

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. | | | | 311 |

To:

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR or California's CCPA. | | ✓ | ✓ | 311 |

elarlang commented Jul 5, 2023

I prefer to go kind of the opposite way - to not mention local regulations at all.

We have "documentation requirements" to cover all the local regulation parts:

V1.8 Data Protection and Privacy Architecture

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 1.8.1 | [MODIFIED, MERGED FROM 8.3.4, LEVEL L2 > L1] Verify that all sensitive data created and processed by the application has been identified and classified into protection levels, and ensure that a policy is in place on how to deal with sensitive data. | | | | 213 |
| 1.8.2 | Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture. | | | | |

Current 6.1 requirements:

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. | | | | 311 |
| 6.1.2 | Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records. | | | | 311 |
| 6.1.3 | Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records. | | | | 311 |

One option is to merge 6.1.1, 6.1.2 and 6.1.3 into one requirement and reference the documented requirements 1.8.1 + 1.8.2.

@elarlang elarlang added the 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet label Jul 5, 2023
@tghosth tghosth added _5.0 - prep This needs to be addressed to prepare 5.0 4b Major-rework These issues need to be part of a full chapter rework V1 v6/v8/v9 and removed 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Jul 10, 2023
jmanico commented Sep 22, 2023

I still want to add CCPA to 6.1.1.

@tghosth tghosth added V6 V8 and removed V6/V8/V9 labels Mar 15, 2024
tghosth commented Mar 15, 2024

I am going to tag this as both v6 and v8. Whether this gets added or not, I think we need to add it to V8 and not V6.
