Comments (2)
I prefer to go kind of opposite way - to not mention local regulations at all.
We have "documentation requirements" to cover all the local regulation parts:
V1.8 Data Protection and Privacy Architecture
# | Description | L1 | L2 | L3 | CWE |
---|---|---|---|---|---|
1.8.1 | [MODIFIED, MERGED FROM 8.3.4, LEVEL L2 > L1] Verify that all sensitive data created and processed by the application has been identified and classified into protection levels, and ensure that a policy is in place on how to deal with sensitive data. | ✓ | ✓ | ✓ | 213 |
1.8.2 | Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture. | ✓ | ✓ |
Current 6.1. requirements:
# | Description | L1 | L2 | L3 | CWE |
---|---|---|---|---|---|
6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. | ✓ | ✓ | 311 | |
6.1.2 | Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records. | ✓ | ✓ | 311 | |
6.1.3 | Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records. | ✓ | ✓ | 311 |
One options is to merge 6.1.1, 6.1.2 and 6.1.3 to one requirement and kind of reference to documented requirements 1.8.1 + 1.8.2.
from asvs.
I still want to add CCPA to 6.1.1
from asvs.
Related Issues (20)
- 2.7.5 is a security problem and weakness HOT 8
- 2.7.6 and 2.7.7 are in conflict HOT 6
- discussion/proposal: disallow user-autologin to an application using SSO sessions HOT 3
- Inclusion of Cypher Injection Prevention for Neo4j in ASVS 5.3.4 HOT 2
- Add requirement about usage of claims other than subject and issuer as an identifier for OpenID Connect HOT 21
- [ASVS 5.0] Fix typos, punctuation, grammar, and standardize spelling to US English HOT 3
- Fingerprinting devices/matching sessions to a device. HOT 9
- `tlmgr` sometimes fails to update
- Most recent artifacts HOT 3
- Warnings on github actions HOT 3
- `install-unx.sh` intermittent failure
- 1.2.2 "User Account" is troubling HOT 3
- 1.2.5 HOT 1
- 2.2.11 HOT 1
- 2.3.1 seems weak HOT 1
- 13.4.2 seems too broad and not testable HOT 22
- 13.5.3 rate limiting should apply to all APIs HOT 8
- client should not send longer request headers than server can accept HOT 6
- new V5 section for architecture requirements HOT 2
- Requesting Clarifying Definition in the Business Logic Section Header HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from asvs.