GDPR Support (Later)
(UXPROD-1641)
| Field | Value |
|---|---|
| Status | Open |
| Project | UX Product |
| Components | None |
| Affects versions | None |
| Fix versions | None |
| Parent | GDPR Support (Later) |
| Type | New Feature |
| Priority | TBD |
| Reporter | Julian Ladisch |
| Assignee | Unassigned |
| Resolution | Unresolved |
| Votes | 0 |
| Labels | gdpr |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original estimate | Not Specified |
| Issue links | None listed |
| Epic Link | GDPR Support (Later) |
| Development Team | None |
| Kiwi Planning Points (DO NOT CHANGE) | 12 |
| Rank: Chalmers (Impl Aut 2019) | R1 |
| Rank: Chicago (MVP Sum 2020) | R4 |
| Rank: Cornell (Full Sum 2021) | R4 |
| Rank: GBV (MVP Sum 2020) | R1 |
| Rank: U of AL (MVP Oct 2020) | R4 |
Description
GDPR Article 32 (Security of processing) requires: Taking into account
the controller and the processor shall implement appropriate
to ensure a level of security appropriate to the risk. Details

Comments

Comment by Björn Muschall [ 08/Sep/21 ]

I think that with this requirement it is advisable to separate the different levels of responsibility for implementing the "appropriate measures". There is of course, the level of software code and also organizational measures that play a role in the FOLIO development life cycle. But there is also the level of hosting, organizational measures in the library itself and the operation of the software, on which the FOLIO project has no influence. During a security workshop at our library, we came across OWASP Application Security Verification Standard (ASVS) and OWASP Software Assurance Maturity Model (SAMM), which may be good frameworks (metric and guidance) for "technical and organisational measures" as mentioned in the ticket description. One approach could be to first break down the responsibilities, whereby the mentioned frameworks might help. In my opinion, this requirement also applies not only to the processing of personal data, but is also a prerequisite for any financial transaction. It would therefore be highly desirable to self-assess or have FOLIO assessed in a standardized manner according to these security aspects.

Comment by Björn Muschall [ 03/Nov/21 ]

The OWASP Software Assurance Maturity Model (SAMM) also provides a comprehensive Toolbox spreadsheet for self-assessment. This might be a possible way to document the status of FOLIO's security activities, including calculation of a maturity score for different areas (see below). As described above, some parts are probably the responsibility of the individual operating institution, others can be seen as the responsibility of the FOLIO project. Just as an idea how to process and document this requirement in a reasonably standardized way. I think that would suit most data protection officers in this regard. Areas considered in this model:

Comment by Julian Ladisch [ 13/Apr/23 ]

TeleTrust Guideline "State of the Art": https://www.teletrust.de/en/publikationen/broschueren/state-of-the-art-in-it-security/