LHDI Countermeasures - Requirements Priority 7

[lmorris3]

Some of these may require design to complete (Allow users to review and update their personal information, Allow access for users to remove their personal information from the system, Provide users with a notification of personal information processing)

• [ ] CT294: Authorizing Official (AO) Approval prior to Production Release (7)
• [ ] CT8: Cryptographic Protection (7)
• [ ] CT73: Maintaining a system inventory (7)
• [ ] T4: Use configurable password policies (7)
• [ ] T5: Use minimum standards for passwords (7)
• [ ] T6: Implement account lockout or authentication throttling (7)
• [ ] T49: Disable and remove debug capabilities and code/data, and prepare application for release (7)
• [ ] T151: Use cryptographically secure random numbers (7)
• [ ] T177: Allow users to review and update their personal information (7)
• [ ] T179: Allow access for users to remove their personal information from the system (7)
• [ ] T295: Avoid storing unencrypted confidential data without access control mechanisms (7)
• [ ] T313: Identify and classify categories of personal information (7)
• [ ] T338: Control access to resources through user authentication and authorization (7)
• [ ] T371: Provide unified and manageable interfaces for security settings and configuration parameters (7)
• [ ] T517: Protect user registration and account modification pages against user enumeration (7)
• [ ] T742: Implement technical measures to ensure the accuracy of personal information (7)
• [ ] T750: Limit personal information collection and processing to the specified purpose (7)
• [ ] T751: Provide users with a notification of personal information processing (7)

[lmorris3]

@SophiaPhilipMO note that I called out several of these that may require design work to complete.