<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Fri Feb 09 00:27:33 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[UXPROD-2871] GDPR Security of processing</title>
                <link>https://folio-org.atlassian.net/browse/UXPROD-2871</link>
                <project id="10000" key="UXPROD">UX Product</project>
                    <description>&lt;p&gt;&lt;b&gt;GDPR Article 32 (Security of processing) requires:&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Taking into account&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;the state of the art,&lt;/li&gt;
	&lt;li&gt;the costs of implementation and&lt;/li&gt;
	&lt;li&gt;the nature, scope, context and purposes of processing as well as&lt;/li&gt;
	&lt;li&gt;the risk of varying likelihood and severity for the rights and freedoms of natural persons,&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;the controller and the processor shall implement appropriate&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;technical and&lt;/li&gt;
	&lt;li&gt;organisational measures&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;to ensure a level of security appropriate to the risk.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Details&lt;/b&gt;&lt;br/&gt;
See &lt;a href=&quot;https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/&lt;/a&gt; for details; ico.org.uk wrote this before Brexit, and it reflects European Union GDPR requirements. Topics:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;What does the UK GDPR say about security?&lt;/li&gt;
	&lt;li&gt;Why should we worry about information security?&lt;/li&gt;
	&lt;li&gt;What do we need to protect with our security measures?&lt;/li&gt;
	&lt;li&gt;What level of security is required?&lt;/li&gt;
	&lt;li&gt;What organisational measures do we need to consider?&lt;/li&gt;
	&lt;li&gt;What technical measures do we need to consider?&lt;/li&gt;
	&lt;li&gt;What if we operate in a sector that has its own security requirements?&lt;/li&gt;
	&lt;li&gt;What do we do when a data processor is involved?&lt;/li&gt;
	&lt;li&gt;Should we use pseudonymisation and encryption?&lt;/li&gt;
	&lt;li&gt;What are &#8216;confidentiality, integrity, availability&#8217; and &#8216;resilience&#8217;?&lt;/li&gt;
	&lt;li&gt;What are the requirements for restoring availability and access to personal data?&lt;/li&gt;
	&lt;li&gt;Are we required to ensure our security measures are effective?&lt;/li&gt;
	&lt;li&gt;What about codes of conduct and certification?&lt;/li&gt;
	&lt;li&gt;What about our staff?&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;See also &lt;a href=&quot;https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/&lt;/a&gt; :&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;What are we required to do?&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;creating (and improving) security features.&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;Who is responsible for complying with data protection by design and by default?&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;your senior management, eg developing a culture of &#8216;privacy awareness&#8217; and ensuring you develop policies and procedures with data protection in mind;&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;your software engineers, system architects and application developers, &#8211;eg those who design systems, products and services should take account of data protection requirements and assist you in complying with your obligations; and&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;your business practices, eg you should ensure that you embed data protection by design in all your internal processes and procedures.&lt;/p&gt;&lt;/blockquote&gt;</description>
                <environment></environment>
        <key id="11816">UXPROD-2871</key>
            <summary>GDPR Security of processing</summary>
                <type id="10002" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium">New Feature</type>
                            <parent id="10228">UXPROD-1641</parent>
                                    <priority id="10005" iconUrl="https://dev.folio.org/assets/jira-priority/tbd.svg">TBD</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>gdpr</label>
                    </labels>
                <created>Tue, 19 Jan 2021 12:35:28 +0000</created>
                <updated>Thu, 13 Apr 2023 13:10:44 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>4</watches>
                                                                <comments>
                                                            <comment id="16099" author="712020:56d00f8b-0951-4897-ba61-10c9f41739d5" created="Wed, 8 Sep 2021 13:35:31 +0000"  >&lt;p&gt;I think that with this requirement it is advisable to separate the different levels of responsibility for implementing the &quot;appropriate measures&quot;. There is of course, the level of software code and also organizational measures that play a role in the FOLIO development life cycle. But there is also the level of hosting, organizational measures in the library itself and the operation of the software, on which the FOLIO project has no influence.&lt;/p&gt;

&lt;p&gt;During a security workshop at our library, we came across &lt;a href=&quot;https://owasp.org/www-project-application-security-verification-standard/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;OWASP Application Security Verification Standard (ASVS)&lt;/a&gt; and &lt;a href=&quot;https://owaspsamm.org/model/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;OWASP Software Assurance Maturity Model (SAMM)&lt;/a&gt;, which may be good frameworks (metrics and guidance) for &quot;technical and&#160;organisational measures&quot; as mentioned in the ticket description. One approach could be to first break down the responsibilities, whereby the mentioned frameworks might help.&#160;In my opinion, this requirement also applies not only to the processing of personal data, but is also a prerequisite for any financial transaction.&#160;It would therefore be highly desirable to self-assess or have FOLIO assessed in a standardized manner according to these security aspects.&#160;&lt;/p&gt;</comment>
                                                            <comment id="16102" author="712020:56d00f8b-0951-4897-ba61-10c9f41739d5" created="Wed, 3 Nov 2021 08:22:07 +0000"  >&lt;p&gt;The&#160;&lt;a href=&quot;https://owaspsamm.org/model/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;OWASP Software Assurance Maturity Model (SAMM)&lt;/a&gt;&#160;also provides a&#160;comprehensive&#160;&lt;a href=&quot;https://github.com/OWASP/samm/tree/master/Supporting%20Resources/v2.0/toolbox&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;Toolbox spreadsheet&lt;/a&gt;&#160;for self-assessment. This might be a possible way to document the status of FOLIO&apos;s security activities, including calculation of a maturity score for different areas (see below).&#160;As described above, some parts are probably the responsibility of the individual operating institution, others can be seen as the responsibility of the FOLIO project. Just as an idea how to process and document this requirement in a reasonably standardized way.&#160;I think that would suit most data protection officers in this regard.&lt;/p&gt;

&lt;p&gt;Areas considered in this model:&lt;/p&gt;
&lt;div class=&apos;table-wrap&apos;&gt;
&lt;table class=&apos;confluenceTable&apos;&gt;&lt;tbody&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Governance&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Strategy &amp;amp; Metrics&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Governance&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Policy &amp;amp; Compliance&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Governance&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Education &amp;amp; Guidance&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Design&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Threat Assessment&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Design&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Security Requirements&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Design&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Secure Architecture&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Implementation&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Secure Build&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Implementation&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Secure Deployment&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Implementation&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Defect Management&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Verification&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Architecture Assessment&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Verification&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Requirements Testing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Verification&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Security Testing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Operations&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Incident Management&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Operations&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Environment Management&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Operations&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;Operational Management&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;/div&gt;
</comment>
                                                            <comment id="16105" author="5ee89462f7aa140abd82d11d" created="Thu, 13 Apr 2023 13:10:44 +0000"  >&lt;p&gt;TeleTrust Guideline &quot;State of the Art&quot;: &lt;a href=&quot;https://www.teletrust.de/en/publikationen/broschueren/state-of-the-art-in-it-security/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.teletrust.de/en/publikationen/broschueren/state-of-the-art-in-it-security/&lt;/a&gt; &lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="11858">UXPROD-2642</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10014" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <!-- NOTE(review): the key attribute below holds the literal text "$xmlutils.escape($text)",
                                 which looks like an unrendered template placeholder from the exporter rather than an
                                 option id like the numeric keys on the select fields in this document. Consumers
                                 should not treat it as a valid identifier: validate or ignore it rather than
                                 storing it or interpolating it into queries, paths or markup. -->
                            <customfieldvalue key="$xmlutils.escape($text)">GDPR Support (Later)</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10062" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Kiwi Planning Points (DO NOT CHANGE)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>12.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i028ov:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10067" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: Chalmers (Impl Aut 2019)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10203"><![CDATA[R1]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10068" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: Chicago (MVP Sum 2020)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10211"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10069" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: Cornell (Full Sum 2021)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10216"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10074" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: GBV (MVP Sum 2020)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10238"><![CDATA[R1]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10091" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Rank: U of AL (MVP Oct 2020)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10327"><![CDATA[R4]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 8 Sep 2021 13:35:31 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>