Open jmanico opened 1 year ago
I prefer to go kind of the opposite way: to not mention local regulations at all.
We have "documentation requirements" to cover all the local regulation parts:
# | Description | L1 | L2 | L3 | CWE |
---|---|---|---|---|---|
1.8.1 | [MODIFIED, MERGED FROM 8.3.4, LEVEL L2 > L1] Verify that all sensitive data created and processed by the application has been identified and classified into protection levels, and ensure that a policy is in place on how to deal with sensitive data. | ✓ | ✓ | ✓ | 213 |
1.8.2 | Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture. | | ✓ | ✓ | |
Current 6.1 requirements:
# | Description | L1 | L2 | L3 | CWE |
---|---|---|---|---|---|
6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. | | ✓ | ✓ | 311 |
6.1.2 | Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records. | | ✓ | ✓ | 311 |
6.1.3 | Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records. | | ✓ | ✓ | 311 |
One option is to merge 6.1.1, 6.1.2 and 6.1.3 into one requirement and kind of reference the documented requirements 1.8.1 + 1.8.2.
I still want to add CCPA to 6.1.1
I am going to tag this as both v6 and v8. Whether this gets added or not, I think we need to add it to V8 and not V6.
I would like to suggest that we augment 6.1.1 to mention one other privacy law.
From:
To:
6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR or California's CCPA. | | ✓ | ✓ | 311