
Difference between revisions of "Industry:Draft NIST SP 800-122"

m (Colin added as primary contact)

Change at line 16 of the "Email Contacts & Roles" table: the Primary contact cell was changed from

  | style="width:25%; background:#cccccc" align="center"|'''Primary'''<br>[mailto:name(at)owasp.org '''TBC''']

to

  | style="width:25%; background:#cccccc" align="center"|'''Primary'''<br>[mailto:colin.watson(at)owasp.org '''Colin Watson''']

The Secondary contact cell (TBC, name(at)owasp.org) and the Mailing list cell (http://lists.owasp.org/mailman/listinfo/global_industry_committee) are unchanged.

Revision as of 14:43, 11 February 2009


Return to Global Industry Committee

ACTIVITY IDENTIFICATION
Activity Name: Draft NIST SP 800-122
Short Description: Provide a response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
Related Projects: None
Email Contacts & Roles:
  • Primary: Colin Watson
  • Secondary: TBC
  • Mailing list: Please use the Industry Committee list

ACTIVITY SPECIFICS
Objectives:
  • Review the Draft SP - in particular issues relating to web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement
Deadlines:
  • TBC - Produce initial draft response
  • TBC - Circulate to OWASP lists for comment
  • TBC - Deadline for comments from OWASP lists
  • TBC - Complete final draft response
  • TBC - Submit for approval by Global Industry Committee
  • 13 Mar 2009 - Submit to NIST
Status:
  • Started
  • 1st draft in discussion
Resources:
  • Call for responses, 13 Jan 2009
  • Full draft SP text
  • Submit comments to 800-122comments(at)nist.gov with "Comments SP 800-122" in the subject line.


Submission Response (latest first)

  • Final version: TBC
  • Draft Text version 2: TBC
  • Draft Text version 1: TBC

Initial Comments

Possibly four areas where OWASP might comment - initial ideas below (no justifications provided yet). Proposed insertions are shown in capitals.

In "3.2.5 Access to and Location of the PII", amend the sentence which ends "Another element is the scope of access to the PII, such as whether the PII needs to be accessed from teleworkers' systems and other systems outside the direct control of the organization." to "Another element is the scope of access to the PII, such as whether the PII needs to be STORED ON OR accessed from teleworkers' systems and other systems SUCH AS WEB APPLICATIONS outside the direct control of the organization.".

In "3.3.3 Example 3: Fraud, Waste, and Abuse Reporting Application", in the section "Access to and location of the PII: The database is only accessed by a few people who investigate fraud, waste, and abuse claims. All access to the database occurs only from the organization's own systems.", change this to "Access to and location of the PII: THE DATA EXISTS TEMPORARILY ON A SERVER OUTSIDE THE ORGANIZATION'S NETWORK (THE ONLINE SYSTEM) AND ANY VULNERABILITIES IN THE ONLINE WEB APPLICATION COULD LEAD TO A BREACH OF THE PII. ONCE TRANSFERRED INTERNALLY, the database is only accessed by a few people who investigate fraud, waste, and abuse claims, MEANING access to the INTERNAL database occurs only from the organization's own systems.".

In "4.3 Security Controls", add at the end of the first paragraph (before the bulleted items): "SEE THE OPEN WEB APPLICATION SECURITY PROJECT APPLICATION SECURITY VERIFICATION STANDARD (ASVS) FOR ONLINE WEB SYSTEM SECURITY CONTROL VERIFICATION." (footnote link: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)

In "Appendix A, Scenario 2: Protecting Survey Data", under the "additional questions for the scenario", add a new item between items 2 and 3: "HOW ARE THE DATA ELEMENTS COLLECTED, STORED AND USED SECURELY IN THE ONLINE SYSTEMS?".
