Re: ISSUE-235 (Auditability requirement for security)

Walter,
The IAB guidelines are specific to a financial audit process and therefore are necessary by law and have very strict boundaries and well known and understood accounting quality measures.  Your approach is open ended and not tied to anything specific and therefore is unhelpful/useless.

I don't believe anyone disagrees with the concept of auditability but rather we have issue with the non-specific approach you're taking that could unintentionally cause confusion and uncertainty among implementors.

- Shane

Shane Wiley
VP, Privacy & Data Governance
Yahoo
From: Walter van Holst <walter.van.holst@xs4all.nl>
To: public-tracking@w3.org
Sent: Wednesday, November 19, 2014 7:06 AM
Subject: Re: ISSUE-235 (Auditability requirement for security)

On 2014-11-19 01:57, Nicholas Doty wrote:
> Separate as to whether this auditing requirement is a good idea for
> the recommendation, I'd propose a couple small, friendly amendments to
> the language, as per below.
> 
>> For the purposes of this recommendation, auditable is understood as 
>> having sufficient records of access and use of data retained such that 
>> an independent auditor would have a reasonable level of confidence 
>> that the data retained is exclusively used for the permitted uses or 
>> that breaches of this can be detected ex-post. For example, an auditor 
>> might use a similar level of confidence to that required for the 
>> organization's financial records.
> 
> 
> (Use independent instead of third-party, as the document has a
> separate definition for third-party. Use "recommendation". "Example"
> rather than "yardstick".)

I'm reasonably comfortable with this amendment.

For the purpose of the conversation on the necessity of all this, I'd 
like to point at this document: 
http://www.iab.net/media/file/Global_meas_guidelines.pdf

For audience measurement purposes industry groups are perfectly happy 
with process audit requirements (see paragraph 4, sub 2) for ad 
measurement, which reads as:

4. Auditing Guidelines
General
Third-party independent auditing is encouraged for all ad-serving 
applications used in the buying and selling process. This auditing is 
recommended to include both counting methods and processing/controls as 
follows:
1. Counting Methods: Independent verification of activity for a defined 
period. Counting method procedures generally include a basic process 
review and risk analysis to understand the measurement methods, analytical review, transaction 
authentication, validation of filtration procedures and measurement 
recalculations. Activity audits can be executed at
the campaign level, verifying the activity associated with a specific ad 
creative being delivered for performance measurement purposes.
2. Processes/Controls: Examination of the internal controls surrounding 
the ad delivery, recording and measurement process. Process auditing 
includes examination of the adequacy of site or ad-server applied 
filtration techniques.

Strangely enough, in this group all of a sudden none appears to 
understand the meaning of auditable in the context of DNT:1 data 
retained for purposes exempted under this standard? What I am asking for 
is not substantially different and definitely not more burdensome than 
what IAB suggests for ad measurement. We're simply talking about an 
analog to the process/controls audits mentioned above.
Regards,

  Walter
Received on Wednesday, 19 November 2014 17:15:21 UTC