Difference between revisions of "Technical Guidance"

From Cybersec Standards
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
This is a guide for implementing technical security controls in order to achieve compliance with data protection and privacy laws.
+
This is a collection of external resources for implementing security controls in compliance with data protection and privacy laws.
 +
 
 +
== Technical Security Controls: ==
 +
=== Access Control ===
 +
Implement least privilege, restrict users to only the functionality, data and system information that is required to perform their tasks.
  
=== Technical Security Controls: ===
 
==== Access Control ====
 
* If state data must be stored on the client, use encryption and integrity checking on the server side to catch state tampering
 
*[https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html OWASP Cryptographic Storage Cheat Sheet]
 
 
* [https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html OWASP Access Control Cheat Sheet]
 
* [https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html OWASP Access Control Cheat Sheet]
  
==== Data Integrity ====
+
=== Data Integrity ===
* Securely implement transaction authorization to protect the transaction integrity
+
Data records must be protected from unauthorized modification to ensure data quality and integrity.
  
==== Data Protection ====
+
=== Data Protection ===
* Implement least privilege, restrict users to only the functionality, data and system information that is required to perform their tasks
+
Data records, especially sensitive data, must be protected from unauthorized access.
  
==== Mobile App Security ====
+
*[https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html OWASP Cryptographic Storage Cheat Sheet]
 +
 
 +
=== Code Security ===
 +
* [https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/migrated_content OWASP Secure Coding Practices Quick Reference Guide]
 +
 
 +
=== Mobile App Security ===
 +
* [https://github.com/OWASP/owasp-mstg/tree/master/Checklists OWASP Mobile App Security Checklist]
 
* [https://github.com/OWASP/owasp-mstg OWASP Mobile Security Testing Guide (MSTG)]
 
* [https://github.com/OWASP/owasp-mstg OWASP Mobile Security Testing Guide (MSTG)]
 
* [https://github.com/OWASP/owasp-masvs OWASP Mobile Application Security Verification Standard]
 
* [https://github.com/OWASP/owasp-masvs OWASP Mobile Application Security Verification Standard]
* [https://github.com/OWASP/owasp-mstg/tree/master/Checklists OWASP Mobile App Security Checklist]
 
 
* [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html Apple Security Development Checklists]
 
* [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html Apple Security Development Checklists]
=== UK Information Commissioner’s Office-Recommended Security Controls: ===
+
 
 +
== Healthcare Industry Security ==
 +
*[https://www.fda.gov/medical-devices/digital-health/cybersecurity FDA's guidance on cybersecurity for medical devices]
 +
* [https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html HIPAA Guidance Materials at U.S. Department of Health & Human Services website]
 +
 
 +
=== Privacy Compliance: ===
 
==== Data Protection Impact Assessment (DPIA) ====
 
==== Data Protection Impact Assessment (DPIA) ====
* [https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf Data Protection Impact Assessment Template]
+
* [https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf Data Protection Impact Assessment Template, as recommended by the UK Information Commissioner’s Office]
 +
==== Privacy and Anonymity ====
 +
* [https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html OWASP User Privacy Protection Cheat Sheet]
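Review bot: on the new side, Data Integrity keeps only the one-sentence requirement and links no resource, while the old side's "* Securely implement transaction authorization to protect the transaction integrity" bullet has no counterpart; consider carrying that guidance over, or linking a resource such as the OWASP Transaction Authorization Cheat Sheet, so the section points to something implementable in the same way the other sections do.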

Latest revision as of 01:07, 26 July 2020

This is a collection of external resources for implementing security controls in compliance with data protection and privacy laws.

== Technical Security Controls: ==

=== Access Control ===

Implement least privilege: restrict users to only the functionality, data and system information required to perform their tasks.

* [https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html OWASP Access Control Cheat Sheet]

=== Data Integrity ===

Data records must be protected from unauthorized modification to ensure data quality and integrity.

=== Data Protection ===

Data records, especially sensitive data, must be protected from unauthorized access.

* [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html OWASP Cryptographic Storage Cheat Sheet]

=== Code Security ===

* [https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/migrated_content OWASP Secure Coding Practices Quick Reference Guide]

=== Mobile App Security ===

* [https://github.com/OWASP/owasp-mstg/tree/master/Checklists OWASP Mobile App Security Checklist]
* [https://github.com/OWASP/owasp-mstg OWASP Mobile Security Testing Guide (MSTG)]
* [https://github.com/OWASP/owasp-masvs OWASP Mobile Application Security Verification Standard]
* [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html Apple Security Development Checklists]

== Healthcare Industry Security ==

* [https://www.fda.gov/medical-devices/digital-health/cybersecurity FDA's guidance on cybersecurity for medical devices]
* [https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html HIPAA Guidance Materials at U.S. Department of Health & Human Services website]

=== Privacy Compliance: ===

==== Data Protection Impact Assessment (DPIA) ====

* [https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf Data Protection Impact Assessment Template, as recommended by the UK Information Commissioner's Office]

==== Privacy and Anonymity ====

* [https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html OWASP User Privacy Protection Cheat Sheet]