Re: ISSUE-235 (Auditability requirement for security)

On Oct 22, 2014, at 11:34 AM, Walter van Holst <walter.van.holst@xs4all.nl> wrote:

> On 2014-10-22 17:15, Justin Brookman wrote:
>> Walter, I don’t think anyone objects to the idea of auditability in
>> theory, but I think there are questions about what that means in the
>> specification.  If a DPA has the legal authority to require certain
>> evidence or documentation from a data controller, then it does so —
>> this standard cannot grant or deprive any consumer protection
>> authority of those rights.
> 
> You are quite right that this standard cannot deprive any regulator of such rights (mind you, I object to framing all these issues as mere consumer protection issues). However, you are very wrong about the ability of this standard to grant any regulator rights. Whether by virtue of design or circumstance, the net result of this attempt at self-regulation is that it may grant the FTC an authority it never was granted through the legislative process in the USA and may give European regulators an unambiguous standard to establish consent for tracking (DNT:0).

Fair enough, my point was more that the standard can’t grant a regulatory authority a right to review or compel materials.

> 
>> What do you want this standard to require
>> — that companies prepare some sort of documentation in advance of a
>> request?  That they architect their systems in ways that can be
>> comprehended by a regulator?  I think there was agreement that a
>> general requirement of “auditability” was confusing and certainly not
>> testable, but if you have a more concrete suggestion in mind, I think
>> people would be open-minded.
> 
> I still object to applying the same testability criteria to the compliance spec as we do to the technical spec. They are worlds apart and it is inherent to any compliance spec that it will contain elements that are ultimately only testable in court. It is more of a contract than a technical specification. When I draft a contract with audit clauses, I typically rely on what an EDP auditor would consider "auditable". That field has a long history of ascertaining the extent to which an organisation has taken plausible safeguards against unauthorised access to and manipulation of transaction data. May I suggest the inclusion of similar, but non-normative, language to clarify that notion of "auditability"?

I do not have a general notion of what an auditor would consider to be auditable, so why don’t you propose specific text (doesn’t have to be in the next 20 minutes!) for the group to consider?

> 
> Regards,
> 
> Walter

Received on Wednesday, 22 October 2014 15:40:34 UTC