This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Industry:Draft NIST SP 800-122
Return to Global Industry Committee
ACTIVITY IDENTIFICATION | |||
---|---|---|---|
Activity Name | Draft NIST SP 800-122 | ||
Short Description | Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" | ||
Related Projects | None | ||
Email Contacts & Roles | Primary TBC |
Secondary TBC |
Mailing list Please use the Industry Committee list |
ACTIVITY SPECIFICS | |||
---|---|---|---|
Objectives |
| ||
Deadlines |
| ||
Status |
| ||
Resources | Call for responses, 13 Jan 2009
Submit comments to 800-122comments(at)nist.gov with "Comments SP 800-122" in the subject line. |
Submission Response
Latest first
Final version
TBC
Draft Text version 2
TBC
Draft Text version 1
TBC
Initial Comments
Possibly four areas where OWASP might comment - initial ideas below (no justifications provided yet).
In "3.2.5 Access to an Location of the PII", amend the sentence which ends "Another element is the scope of access to the PII, such as whether the PII needs to be accessed from teleworkers' systems and other systems outside the direct control of the organization." to "Another element is the scope of access to the PII, such as whether the PII needs to be STORED ON OR accessed from teleworkers' systems and other systems SUCH AS WEB APPLICATIONS outside the direct control of the organization.".
In "3.3.3 Example 3: Fraud, Waste, and Abuse Reporting Application", in the section "Access to and location of the PII: The database is only accessed by a few people who investigate fraud, waste, and abuse claims. All access to the database occurs only from the organization's own systems.", change this to be "Access to and location of the PII: THE DATA EXISTS TEMPORARILY ON A SERVER OUTSIDE THE ORGANIZATION'S NETWORK (THE ONLINE SYSTEM) AND ANY VULNERABILITIES IN THE ONLINE WEB APPLICATION COULD LEAD TO A BREACH OF THE PII. ONCE TRANSFERRED INTERNALLY, the database is only accessed by a few people who investigate fraud, waste, and abuse claims MEANING access to the INTERNAL database occurs only from the organization's own systems.".
In "4.3 Security Controls", add at the end of the first paragraph (before the bulleted items), "SEE THE OPEN WEB APPLICATION SECURITY PROJECT APPLICATION SECURITY VERIFICATION STANDARD (ASVS) FOR ONLINE WEB SYSTEM SECURITY CONTROL VERIFICATION.". (footnote link http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)
In "Appendix A, Scenario 2: Protecting Survey Data" under the "additional questions for the scenario", add a new item between items 2 and 3 "HOW ARE THE DATA ELEMENTS COLLECTED, STORED AND USED SECURELY IN THE ONLINE SYSTEMS".
Return to Global Industry Committee