diff --git a/xCOMPASS/xCOMPASS.md b/xCOMPASS/xCOMPASS.md index 05ee5cc..a965dcb 100644 --- a/xCOMPASS/xCOMPASS.md +++ b/xCOMPASS/xCOMPASS.md @@ -23,6 +23,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -30,6 +31,7 @@ The questions are categorized by Inside Aggressive,
Non-compliance



Are changes to application code attributed and logged?
Answer "Yes" if the updates and changes to the source code of the app are attributed/logged. The source code can be stored on GitHub, AWS, Databricks, or any other platform. + Non-compliance with privacy standards and best practices (Nc.4) Privacy Logging and Reporting @@ -37,14 +39,17 @@ The questions are categorized by Is access to any personal information across your application logged?
Answer "Yes" if there is any logging for any access to personal information, e.g., developer's accessing the collected names of customers. + Involved parties (DD.4.1)
Inside Neutral,
Non-compliance
Is there a way to download data out of the application?
Answer "Yes" if the app has a feature for the user to download data containing personal information, e.g., a feature to download the collected data locally to a laptop or mobile device.

If yes, do we have logs to track the same?
Answer "Yes" if the app logs and tracks the data download activity (e.g., every download attempt/occurence is recorded/logged). + Propagation (DD.3.2) Outside Neutral,
Identifiability
Can we track who is viewing any personal information on your application's interface?
Answer "Yes" if app tracks every time someone accesses and views any personal information on the app's UI (e.g., developer's viewing the collected names of customers through the UI). + Involved parties (DD.4.1) @@ -56,6 +61,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -63,15 +69,18 @@ The questions are categorized by Inside Neutral,
Detectability
Does your application combine customer data across different platforms (mobile, television, laptop, etc.)?
Answer "Yes" if the app collects and combines data across different platforms (e.g., data collected from the mobile app are stored together/combined with data collected from the PC app). + Propagation (DD.3.2) Data Separation Inside Neutral,
Non-compliance
Do you check the quality of personal data used by your application (for errors, mistakes, incomplete information, etc.)?
Answer "Yes" if the app checks the quality of personal information collected (e.g., checking the correctness through input validation and error checking). + Improper personal data management (Nc.2) Transparency and Disclosure, Consumer Control, Data Separation Does your application make inferences about a customer that can result in a negative impact, such as denial of service?
Answer "Yes" if the app makes inferences about a customer and it affects the customer negatively. For example, your application makes inferences that can deny a user access to a service or negatively impact their experience with a service. + Through profiling, derivation, or inference (L.2.2) @@ -83,6 +92,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -90,6 +100,7 @@ The questions are categorized by Outside Neutral,
Detectability
Does your application collect location data or other proxies for location that can be linked to a user/group in any way?
Answer "Yes" if your app collects location data/proxies. Such location data collected from a user can be used (or even misused) to identify the same user. + Quasi-identifier combining data of a single individual (L.2.1.1) Data De-identification @@ -106,6 +117,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -113,11 +125,13 @@ The questions are categorized by Outside Neutral,
Non-compliance
Is your application collecting only the minimum data necessary for the app to function?
Answer "Yes" if your app collects only the minimum amount of data necessary for app to deliver the core functionalities and services.

If not, have you documented the reason for collecting additional information?
Answer "Yes" if you have documented the reason for collection additional data (e.g., you should have a valid reason to collect additional data, and this has to be properly documented).

Is data disposal done for data that is no longer required by the application?
Answer "Yes" if data disposal is done for data no longer required by the app or the retention time has reached. + Violation of data minimization principle (Nc.1.1.2), Duration/retention (DD.3.4) Data Reduction Outside Neutral,
Identifiability
If the application is customer-facing, is the information that a customer can view provided on a need to know basis?
Answer "Yes" if your app is customer-facing and there is access control in place for customers when viewing personal information (e.g., a customer should not have access to other customers' data). + Involved parties (DD.4.1) Data Separation, Privacy Logging and Reporting @@ -128,6 +142,7 @@ The questions are categorized by Inside Neutral,
Identifiability
Does any component in your application contain links?
Answer "Yes" if your app or any of its components contains links (e.g., URL).

Do these links redirect to any personal information without requiring authentication?
Answer "Yes" if there is no authentication before the redirection occurs (e.g., user does not have to sign in before getting redirected). + Insufficient cybersecurity risk management (Nc.3) Data De-identification, (Access Control) @@ -139,6 +154,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -146,11 +162,13 @@ The questions are categorized by Inside Neutral,
Unawareness
Can a user request a copy of their data for download?
Answer "Yes" if your app allows a user to download a copy of their data (e.g., user can download the data collected by the app locally to their laptop or mobile device).

Are organizational retention policies followed for storing user data?
Answer "Yes" if your app follows organization policies on data retention (e.g., data have to be deleted at the end of the retention period). + Access (U.2.2), Rectification/erasure (U.2.3) Consumer Control Outside Neutral,
Unawareness
Do you provide markers/indicators when collecting user data?
Answer "Yes" if your app provides indicators when collecting data. These can be in the form of LED lights, cookie banners, pop-ups, etc. that is relevant for your application. + Unawareness as data subject (U.1.1) Transparency and Disclosure, Consumer Control @@ -167,6 +185,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -174,15 +193,17 @@ The questions are categorized by Inside Aggressive,
Non-compliance
Are personal information records backed up in case of accidental deletion?
Answer "Yes" if your app backs up personal information records. This can be in the form of a secondary backup database/storage. + Improper personal data management (Nc.2) Privacy Logging and Reporting (Backup) Outside Neutral,
Identifiability
Can the customer add a second factor to allow for stronger authentication on their account?
Answer "Yes" if your app allows users to configure multi-factor authentication. Internal systems that allow access to personal information must have multi-factor authentication in place by default to meet this condition. + Insufficient cybersecurity risk management (Nc.3) Data Separation, Privacy Logging and Reporting - Does you application have any defenses to prevent brute force attacks to retrieve personal information?
Answer "Yes" if your app defends against brute force attacks to retrieve personal information (e.g., you may lock a customer's account after three incorrect attempts). + Does your application have any defenses to prevent brute force attacks to retrieve personal information?
Answer "Yes" if your app defends against brute force attacks to retrieve personal information (e.g., you may lock a customer's account after three incorrect attempts). Does the customer need to provide additional authentication to change sensitive data on the account?
Answer "Yes" if your app authenticates users that want to change sensitive data on the account (e.g., users have to provide their credentials/sign in again before being allowed to change sensitive data). @@ -191,7 +212,7 @@ The questions are categorized by Does the customer need to provide additional authentication to access sensitive data on the account?
Answer "Yes" if your app authenticates users that want to access sensitive data on the account (e.g., users have to provide their credentials/sign in again before being allowed to access sensitive data). - Does you application notify the customer if there is any unusual behavior (like after a certain number of incorrect logins, logging in from an unusual location,etc.)?
Answer "Yes" if your app notifies users of suspicious behaviors (e.g., the customer may receive a text message when three or more unsuccessful login attempts are made). + Does your application notify the customer if there is any unusual behavior (like after a certain number of incorrect logins, logging in from an unusual location,etc.)?
Answer "Yes" if your app notifies users of suspicious behaviors (e.g., the customer may receive a text message when three or more unsuccessful login attempts are made).
Inside Aggressive,
Identifiability
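Review bot: the rewritten question line in the @@ -191,7 +212,7 @@ hunk still carries the missing space in "unusual location,etc." from the original; since the line is already being replaced for the "you" -> "your" fix, correct it in the same change: `Does your application notify the customer if there is any unusual behavior (like after a certain number of incorrect logins, logging in from an unusual location, etc.)?`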
@@ -211,6 +232,7 @@ The questions are categorized by Outside Neutral,
Unanticipated Revelation
If the application is customer-facing, can it be authenticated using information that is publicly available?
Answer "Yes" if the app is customer-facing and it authenticates using publicly available information (e.g., social media, public records, etc.). + Preferences (U.2.1) Data Separation @@ -222,6 +244,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -229,16 +252,19 @@ The questions are categorized by Outside Neutral,
Non-compliance
Is personal information provided used for a secondary purpose by the application?
Answer "Yes" if collected personal information is used for a secondary purpose (e.g., data might have been collected to provide services, but is now also used for advertising purposes).

Have customers consented to this secondary usage?
Answer "Yes" if your app asks for user consent and they indicate consent before the app uses the PI for secondary usage (i.e., the app asks for consent twice, namely before collecting the data and when it is going to use the data for secondary usage).

Can they opt-out of secondary usage of their data?
Answer "Yes" if your app allows users to opt out of secondary usage (i.e., user can refuse to consent when asked about the secondary usage for their data).

If a customer has opted out, do you ensure that such customer data is filtered out from secondary usage?
Answer "Yes" if your app filters user data from secondary usage if they have opted out (i.e., user data are excluded completely from secondary usage). + Preferences (U.2.1) Data Reduction, Transparency and Disclosure Outside Neutral,
Unanticipated Revelation
Would the data from your application be otherwise made available publicly?
Answer "Yes" if your app makes the collected data available publicly. + Availability/accessibility (DD.4.2) Data Separation Outside Neutral,
Unawareness
Do individuals who have provided personal information know about its usage by this application?
Answer "Yes" if your app collects data from users and they are informed about the purpose. Apps that process user data should provide information to users about this usage and purpose. + Unawareness as data subject (U.1.1) Transparency and Disclosure @@ -251,6 +277,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -258,6 +285,7 @@ The questions are categorized by Outside Neutral,
Unawareness
Is there a way for individuals to opt out of the collection/processing of their data?
Answer "Yes" if your app allows users to opt out of data collection/processing. This requirement is fully satisfied only if the language to opt out must be easy to understand and the opt out request is fully implemented by restricting processing of the specified data. Opt out should not be harder than opt in. If this is out of scope for your application, please indicate the dataset and the team responsible in the comments. + Preferences (U.2.1) Consumer Control @@ -270,6 +298,7 @@ The questions are categorized by Outside Neutral,
Non-compliance
Does your application automatically pull information from the user or their device without consent?
Answer "Yes" if your app automatically collects data from users without asking for consent. Note that for "full informed consent", it should be (a) clearly indicated by a user by performing an action, like checking a box or clicking a button, (b) have specific details on what is being collected and who will be receiving the information, and (b) be freely given without coercion.

Is it possible that this automatic collection may include data that is not needed for the functionality of your application?
Answer "Yes" if your app also automatically collect data other than for functionality. Note that for "full informed consent", it should be (a) clearly indicated by a user by performing an action, like checking a box or clicking a button, (b) have specific details on what is being collected and who will be receiving the information, and (b) be freely given without coercion. + Rectification/erasure (U.2.3), Preferences (U.2.1) Data Reduction, Transparency and Disclosure @@ -281,6 +310,7 @@ The questions are categorized by Threat Persona Control Questions + LINDDUN Categories Privacy Design Strategies for Mitigation @@ -288,27 +318,34 @@ The questions are categorized by Inside Neutral,
Non-compliance
If the application sends data to third parties, do you have a data loss prevention (DLP) control mechanism in place?
Answer "Yes" if your app sends data to third parties and it deploys a DLP mechanism. A DLP mechanism, like an email filter for example, prevents unexpected and uncontrolled loss of internal data. + Predetermined set of parties (DD.4.1.1), Improper personal data management (Nc.2) Privacy Logging and Reporting Inside Neutral,
Unawareness
If the application sends data to third parties, do customers know about this in their privacy policy?
Answer "Yes" if your app collects data from users and sends them to third parties, and its privacy policy informs the users appropriately. To satisfy "customer knowledge", clarify the (a) type of third-party (which industry category), (b) clear purpose of transfer, and (c) frequency of transfer, (d) all personal information categories transferred either to or from a third-party, and (e) general source of the personal information obtained. Privacy Policy must be presented as a conspicuous link.

Have they consented to this extended use?
Answer "Yes" if your app asks for user consent for the extended use. To satisfy "customer knowledge", clarify the (a) type of third-party (which industry category), (b) clear purpose of transfer, and (c) frequency of transfer, (d) all personal information categories transferred either to or from a third-party, and (e) general source of the personal information obtained. Privacy Policy must be presented as a conspicuous link. + Unawareness as data subject (U.1.1) Transparency and Disclosure, Consumer Control Can customers limit their data from being shared by vendors to other applications?
Answer "Yes" if your app allows users to limit the sharing of their collected data (e.g., the app has a feature that allows users to refuse data sharing). + Preferences (U.2.1) Are customers able to access/modify their data that is sent to vendors?
Answer "Yes" if your app allows users to access/modify their collected data that are sent to vendors. There should be a clear description of how to request a deletion or modification. + Access (U.2.2) Does your application share data with third parties?
Answer "Yes" if your app shares data with third parties. Customers cannot be refused service by organization if they restrict names and addresses from being used by third-parties for mailing list subscriptions.

Have they been approved through a third party security assessment?
Answer "Yes" if your app shares data with third parties that have gone through a third-party security assessment.

Have they gone through the de-identification process?
Answer "Yes" if your app shares data with third parties that have gone through de-identification process (i.e., you have consulted with a de-identification expert and completed the de-identification process).

If not, do they have measures in place to handle PI according to stipulated retention policies?
Answer "Yes" if your app shares data with third parties that have measures to handle personal information based on organization retention policies (e.g., PI-related data are deleted at the end of the retention period, also by the third parties). + Involved parties (DD.4.1), Insufficient cybersecurity risk management (Nc.3), Improper personal data management (Nc.2), Identifier (I.2.1.1) Is all of the shared data required for the third party to provide the required functionality?
Answer "Yes" if your app shares data with third parties and the data are used to provide the required functionality. Unnecessary data can also include user data who are no longer customers. Such data should not be collected.

If not, do you remove unnecessary data elements before sending them to the third-party?
Answer "Yes" if your app shares data (to provide other functionality) with third parties and unnecessary data elements have been removed prior to sending the data. Unnecessary data can also include user data who are no longer customers. Such data should not be collected. + Data type sensitivity (DD.1.1), Data type granularity (DD.1.2) Does this application use personal data from third parties?
Answer "Yes" if your app uses personal information from third parties (e.g., you obtain users' PI from a third party).

Do owners of the personal data (all users, including employees) know about the source of the data?
Answer "Yes" if your app informs users of the source of the data (i.e., the third party involved).

Do you validate the correctness of the data received from the third party?
Answer "Yes" if your app validates the correctness of the data (i.e., specifically checks for errors/mistakes in the data) received from the third party. + Unawareness as data subject (U.1.1), Rectification/erasure (U.2.3)
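Review bot: the new `LINDDUN Categories` header cell (added in the @@ -23,6 +23,7 @@ hunk and repeated in each later header hunk) introduces codes such as `DD.4.1`, `Nc.2` and `U.2.1` that the document never explains; add a one-line note near the first table, or a link to the LINDDUN threat-tree reference the codes are taken from, so a reader can resolve them.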
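Review bot: in the @@ -174,15 +193,17 @@ hunk the `+ Insufficient cybersecurity risk management (Nc.3)` cell is placed after the multi-factor question, and the brute-force and re-authentication rows that follow get no category of their own; if that cell is meant to span those rows it is not visible in the hunk, and if not, these rows are the only ones in the patch left untagged. The `- Does you application ...` / `+ Does your application ...` pair is a pure typo fix, so category coverage is the only open question here.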
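Review bot: in the @@ -229,16 +252,19 @@ hunk the secondary-purpose row is labelled `Outside Neutral, Non-compliance` in the persona column but the only category appended is `+ Preferences (U.2.1)`, an Unawareness code; every other Non-compliance row in this patch also gets an `Nc.*` code (e.g. `Nc.2` in @@ -63,15, `Nc.1.1.2` in @@ -113,11). Either add the matching `Nc.*` code or explain why the use-without-consent questions are treated purely as a preference threat.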
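Review bot: in the @@ -270,6 +298,7 @@ hunk, `+ Rectification/erasure (U.2.3)` is attached to two questions (collection without consent; collection of unneeded data) neither of which concerns correcting or deleting data, so it is unclear what that code captures; the minimization aspect of the second question matches `Violation of data minimization principle (Nc.1.1.2)`, already used in the @@ -113,11 hunk. While this row is being touched, the answer text in both rows labels its consent criteria `(a)`, `(b)`, `(b)`; the last should be `(c)`.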
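Review bot: in the @@ -288,27 +318,34 @@ hunk the last row tags `Do you validate the correctness of the data received from the third party?` with `Rectification/erasure (U.2.3)`, while the equivalent data-quality check in the @@ -63,15 hunk (`Do you check the quality of personal data ...`) is tagged `Improper personal data management (Nc.2)`; the two rows should use the same code, and `Nc.2` describes an application-side validation control better than a data-subject rectification right. Separately, the `Have they consented to this extended use?` answer repeats the whole "To satisfy customer knowledge ..." paragraph from the row above, which is about privacy-policy content rather than consent; trim it to the consent criterion.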