PII Risk Assessment - seceng

[dongately]

Discussion for building risk assessment for holding PII. I'd like to focus on distilling this towards a format similar to:

Please be creative, threat analyze to your heart's content.

Project Decisions about PII, technical or non-technical - i.e. PDAP will do this approach to PII

• This action: ....
• Creates this risk: ....
• This risk has this effect on the project: .....
• General idea on how to hedge the risk it: ...
• This is how we best hedge it: ....
• This is how we decently hedge: .....
• This is worst case hedge: ....
• ELI5, the risk and the fix:

Ex:

• This action: architecture decisions lead to automated ingestion of raw data from scrapers
• Creates this risk: data enters our core infra w/ various levels of verifiable safety
• This risk has this effect on the project: malicious data enters designated secure areas, and ....
• General Idea: we want to validate the safety of the data entering our pipeline. Safety means it comes from a known or verifiable source, etc....

Thanks!

• DG

[tthelin]

This is the previous writup I did on PII handling principles that I posted in Slack https://docs.google.com/document/d/15g1zVyyJYLHLoCesaCuRD-Uvaa19KoFm5Sc_Y1ezr58/edit

It's not in your desired format, but we could probably reframe it into your desired format