OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Suggest small change to 6.1.1 #1658

Open jmanico opened 1 year ago

jmanico commented 1 year ago

I would like to suggest that we augment 6.1.1 to mention one other privacy law.

From:

6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. |   | ✓ | ✓ | 311

To:

6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR or California's CCPA. |   | ✓ | ✓ | 311

elarlang commented 1 year ago

I prefer to go kind of the opposite way - to not mention local regulations at all.

We have "documentation requirements" to cover all the local regulation parts:

V1.8 Data Protection and Privacy Architecture

# Description L1 L2 L3 CWE
1.8.1 [MODIFIED, MERGED FROM 8.3.4, LEVEL L2 > L1] Verify that all sensitive data created and processed by the application has been identified and classified into protection levels, and ensure that a policy is in place on how to deal with sensitive data. 213
1.8.2 Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture.

Current 6.1. requirements:

# Description L1 L2 L3 CWE
6.1.1 Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. 311
6.1.2 Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records. 311
6.1.3 Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records. 311

One option is to merge 6.1.1, 6.1.2 and 6.1.3 into one requirement and kind of reference the documented requirements 1.8.1 + 1.8.2.

jmanico commented 1 year ago

I still want to add CCPA to 6.1.1

tghosth commented 6 months ago

I am going to tag this as both v6 and v8. Whether this gets added or not, I think we need to add it to V8 and not V6.