- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Fri, 3 Nov 2023 17:31:17 +0000
- To: Georg Philip Krog <georg@signatu.com>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Thank you Georg/Signatu. This is an excellent resource and I agree we should include it in DPV's TOMs concepts. I have created a new issue to track this work: https://github.com/w3c/dpv/issues/123

Observations and questions:

1) Sec. 2.4 required protection objectives: Should we also organise DPV's TOMs under the broader concepts of addressing Availability, Integrity, Confidentiality, and Authenticity?
- IMO yes. Each section (e.g. 3.2.2) lists which of these the measure addresses. This is useful in assessments to know which measures are present for a threat (e.g. data breach) under one of these categories. I'm not sure how the other concepts of Transparency, Unlinkability, and Intervenability can be organised into taxonomies.

2) Sec. 3.1 "state of the art" methods:

Technical:
- Multi-factor authentication
- Mutual authentication
- Encryption of communication during transport
- Data encryption (e.g. during storage)
- Protection of the private key against unauthorised copying
- Use of secure boot processes
- Secure software administration including patch management
- Secure user administration with active locking option
- Secure mapping of network zones for additional protection at the network level
- Secure data communication between different network areas
- Secure internet browsing
- Realization of the minimal approach (including hardening)
- Realization of logging, monitoring, reporting and response management systems
- Realization of malware protection
- Use of secure backup systems for preventing loss of data
- Multiple system layouts for implementing high availability, etc.

Organisational:
- Realization of the need-to-know principle

More methods are described in this section, including use of standards, best practices, etc.

3) Sec. 3.2.2 strong passwords: This section, as an example, also lists the 'security threats' this measure is useful against, e.g. unauthorised access to user accounts. Should we model this in DPV?
- IMO yes.
If yes, where should we model this?
- IMO the risk extension, so DPV contains TOMs and RISK will contain threats and links to mitigations.

4) Sec. 3.3.6 Management of information security risks: Contains a description of the risk management/assessment process, including specific terms and the stages they are used in. This should be used to complete the risk management set of concepts in the RISK extension.

5) Sec. 3.3.7 Personal certification: Should we add these 'certifications' to DPV with the intention that having them acts to inform the existence of TOMs?
- IMO yes.
If yes, where should we add them?
- IMO the standards extension, along with the specific TOMs the standard and certification focus on.

6) Sec. 3.3.8 Dealing with providers: Provides specific processes/guidance on supply chain security. This is relevant to NIS2 requirements. I propose these be added to Organisational measures (e.g. Request For Proposal (RFP) with security requirements).

P.S. Incidentally, I'm teaching RFP this semester in Project Management!

Regards,
Harsh

On 03/11/2023 13:03, Georg Philip Krog wrote:
> Dear all,
>
> I propose we assess to include ENISA tech and org measures in dpv.
> See attachment.
>
> Best regards
>
> --
> Georg Philip Krog
>
> signatu <https://signatu.com>

--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/
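The organisation sketched in points 1 and 3 above (measures tagged with the protection objectives they address, threats linked to their mitigating measures, and an assessment that asks which objectives are covered for a given threat) can be tried out in a few lines of plain Python. The block below is an added example written for this thread; it is not code from the DPV project or the ENISA document, and every measure, threat and objective tag in it is a constructed illustration rather than a DPV or RISK extension identifier.

```python
from dataclasses import dataclass

# Protection objectives from Sec. 2.4 as the thread lists them.
OBJECTIVES = frozenset({"Availability", "Integrity", "Confidentiality", "Authenticity"})


@dataclass(frozen=True)
class Measure:
    name: str             # constructed label, not a DPV term
    kind: str             # "Technical" or "Organisational"
    addresses: frozenset  # subset of OBJECTIVES this measure contributes to


# Constructed measures drawn from the Sec. 3.1 list in the email; the
# objective tags are assumptions made for this illustration only.
MEASURES = {m.name: m for m in [
    Measure("Multi-factor authentication", "Technical", frozenset({"Authenticity", "Confidentiality"})),
    Measure("Data encryption at rest", "Technical", frozenset({"Confidentiality"})),
    Measure("Encryption in transport", "Technical", frozenset({"Confidentiality", "Integrity"})),
    Measure("Secure backup systems", "Technical", frozenset({"Availability", "Integrity"})),
    Measure("Logging and monitoring", "Technical", frozenset({"Integrity"})),
    Measure("Need-to-know principle", "Organisational", frozenset({"Confidentiality"})),
]}

# Constructed threat -> mitigating-measure links, i.e. the side of the model
# the email proposes to keep in the RISK extension.
THREATS = {
    "Unauthorised access to user accounts": {
        "Multi-factor authentication", "Logging and monitoring", "Need-to-know principle"},
    "Data breach": {
        "Data encryption at rest", "Encryption in transport",
        "Multi-factor authentication", "Need-to-know principle"},
    "Data loss": {"Secure backup systems"},
}


def validate():
    """Referential-integrity check: every threat link names a known measure
    and every measure only claims objectives from the agreed set.
    Returns a list of problem descriptions (empty when the model is consistent)."""
    problems = []
    for threat, links in THREATS.items():
        for name in links:
            if name not in MEASURES:
                problems.append(f"{threat!r} links to unknown measure {name!r}")
    for m in MEASURES.values():
        for obj in m.addresses - OBJECTIVES:
            problems.append(f"{m.name!r} claims unknown objective {obj!r}")
    return problems


def measures_for_objective(objective, kind=None):
    """Measures addressing one objective, optionally filtered by kind; this is
    the 'organise TOMs under C/I/A/Authenticity' view from point 1."""
    return sorted(m.name for m in MEASURES.values()
                  if objective in m.addresses and (kind is None or m.kind == kind))


def assess(threat, implemented):
    """For a threat and the set of measures actually in place, return
    (objectives covered by the present mitigations, sorted missing mitigations)."""
    mitigations = THREATS[threat]
    present = mitigations & set(implemented)
    covered = set()
    for name in present:
        covered |= MEASURES[name].addresses
    return covered, sorted(mitigations - present)


def uncovered_objectives(threat, implemented):
    """Objectives for which no implemented mitigation of this threat contributes."""
    covered, _ = assess(threat, implemented)
    return sorted(OBJECTIVES - covered)


if __name__ == "__main__":
    assert not validate()
    in_place = {"Data encryption at rest", "Need-to-know principle"}
    print(assess("Data breach", in_place))
    print(uncovered_objectives("Data breach", in_place))
    print(measures_for_objective("Integrity"))
```

The point of `validate()` is that once threats live in one extension and measures in another, dangling links become easy to introduce; running such a check over the combined vocabulary is the kind of test a DPV contributor would want before publishing. `assess()` gives the assessment view point 1 asks for: with only encryption at rest and need-to-know in place against a data breach, the model reports Confidentiality as the only covered objective and lists the two mitigations still missing.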
Received on Friday, 3 November 2023 17:31:26 UTC