consumer-reports-innovation-lab / TheDigitalStandard

The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International

Data minimization as an element of security #94

Open j-br0 opened 6 years ago

j-br0 commented 6 years ago

We should consider expressly adding data minimization as an element of data security. We already consider it as an element in privacy, but it's relevant to security as well. If a company doesn't have data, it's less of a risk to consumers. Today, if a company had a zero retention policy, it wouldn't be considered in an evaluation of that company's security, and that seems wrong: a company with zero retention poses less of a data security threat to consumers!

If the Digital Standard is just being used as a whole, maybe this matters less, but if just the security elements are being used to evaluate security specifically, this seems like an omission.

blackswanburst commented 6 years ago

I concur, and want to include this, but I will bring a QA question: How can we empirically verify that it is a minimum unless their business model is transparent for our comparison? Is there another way we can phrase, frame, or capture "minimum" without opening ourselves up to this critique? Is there a default "minimum" in a security framework?

KatieMcInnis commented 5 years ago

@blackswanburst--I think we would most likely base that assessment off of a combination of a technical review of what we can see the app or service attempting to access + a review of the corresponding documents (i.e., the privacy policy). Even if that assessment is incomplete, it will still help the user understand what the company is likely doing with respect to the amount of data they are vacuuming up. Paging @secretrobotron to correct anything I might have said in error here though!

@j-br0--where do you recommend this Data Minimization aspect go? Unless we make it a Test in and of itself, maybe we could add it as a criterion (or perhaps indicator) under...Security Oversight?

secretrobotron commented 5 years ago

We could try giving credit for implementation of any reduction/mitigation/retention policy. Perhaps, in Security over time or Security Oversight, we could add an indicator for routine audits. We already have "The company has an internal security team that conducts security audits on the company's products and services", which is fairly abstract. For example:

"The company routinely audits its data sets and data collection procedures to minimize the amount of risk to which it exposes its users."