Security and Privacy Standards

Ed. Ross Woods, 2021

Application

These standards are designed for institutional software systems. They were originally designed for contractors providing services to schools, but have wider application, and this version is intentionally international. The original version of the standards contained no express intention that an organization would meet all standards. Instead, it was used to assign an overall risk rating (high, medium, or low), although the procedure for doing so was not disclosed.

Implementation and auditing are quite different matters. For example, a statement such as "The organization has a policy ..." means that the policy is suited to the nature, purposes and size of the organization, that it is effective in achieving its purpose, and that relevant personnel understand it and follow it consistently. If the standards say "The organization ensures that ...", then the question is really how it is done and whether it is done effectively and consistently.

Ed.

Section 1 – Product

  1. The in-scope product or service complies with the privacy provisions of the applicable privacy laws (e.g. FERPA in the USA, or the corresponding legislation in Australia).
  2. The organization maintains an Information Security Management System (ISMS).
  3. The organization appoints a person to the role of Information Security Manager within the organization.
  4. The organization appoints a person to the role of Data Privacy Officer/Manager within the organization.
  5. The organization maintains at least one of the following policies/standards: Privacy Policy, Computer Usage Policy, Security Policy, Copyright Policy, Access Control Policy, Data Management/Handling Standard, Data Classification Standard, ISO 9001, ISO 27001.
  6. The organization maintains documentation and processes to support business resilience, e.g. Business Continuity Plan, Incident Management/Response Plan, Data Breach Plan.
  7. If the organization has an overseas customer base or has customer data processed overseas, it complies with international privacy legislation (e.g. GDPR in the EU).
  8. The organization identifies the intended users of the product (e.g. if its services are targeted at school environments, they might be teachers, administrative staff, students, and/or parents).
  9. If the product targets minors, the associated policies, terms and conditions are written in a child-friendly format.

Section 2 – Software Architecture

  1. The organization describes the architecture used for hosting and delivery of its products or services.
  2. The organization identifies any other countries where it stores any data.
  3. The organization identifies the individuals, groups or roles who have access to the physical environment where customer data is stored and processed (i.e. the actual physical devices such as servers, PCs, and data centres).
  4. The organization controls access to the physical environment where customer data is stored and processed (i.e. it prevents physical intrusion by a person into a facility or location; this item does not relate to cyber intrusion or hacking).
  5. The organization ensures that any third parties, suppliers, vendors or partners that handle or store personal information adhere to the legal Privacy Principles, e.g. US: FERPA; Australia: APP.
  6. The organization ensures the security of:
    1. backup data (e.g. encryption, device blocking, data anonymisation etc.).
    2. data stored on portable media devices such as USB drives and laptops (e.g. encryption, device blocking, data anonymisation etc.).
    3. data in development and test environments (e.g. encryption, device blocking, data anonymisation etc.).
  7. If the software allows users to log in and authenticate using an existing social media account (e.g. Facebook, Twitter, Instagram, Google etc.), it manages any sharing of content directly to a user's social media accounts.

Section 3 – Data Security and Privacy

  1. The organization identifies the types of personal data that are used and stored (e.g. name, email address, home address, telephone number, date of birth, produced work/content, attendance records, behavioural records, photos or videos, gender, medical or health information [including mental health], biometric data, geolocation data, educational grades or performance, financial or payment data, employment details, reference checks etc.).
  2. The organization has a data classification framework or policy. [For example: Public (not sensitive), Internal Use Only (can be viewed by anyone in your organization), Restricted (managed via access controls), Confidential (strictly controlled for information such as customer personal data)]
  3. The organization protects data at rest and in transit.
  4. The organization controls which employees have access to customer and user data (e.g. role-based access control).
  5. The organization governs and controls any administration functions outsourced to third parties who could have access to customer/user data.
  6. The organization protects the system administrator accounts of those who have access to systems that store and process sensitive data.
  7. The organization does background and police checks of employees, contractors or other third parties who may access data before and during employment.
  8. The organization has controls in place to prevent unauthorised access to data (i.e. technical controls and countermeasures to prevent malicious intrusion, hacking and disclosure of sensitive data to unauthorised parties).
  9. The organization has controls in place to prevent employees from copying or stealing data (e.g. technical controls and monitoring).
  10. The organization identifies all data (identifiable, de-identified or summarised) shared with or sold to any other entity and the purposes for doing so.
  11. The organization ensures that users, particularly minors, are not exposed to information, advertising or content that could be considered detrimental or offensive.
  12. If the organization collects geolocation or biometric data as part of providing the service or product, this functionality is turned off by default.
  13. The organization collects only the minimum possible data necessary to operate the service or product.
  14. The organization ensures 'Privacy by Design' such as enforcing high privacy settings by default (e.g. no unnecessary visibility of other users of the service, marketing and advertising disabled, links to unnecessary services disabled, geolocation and other tracking disabled).

Section 4 – Logging

  1. The organization systematically maintains logs of employee access to systems and data, and the activities performed.
  2. The organization controls access to these logs.
  3. The organization maintains logs of security incidents.
  4. The organization specifies how long security logs are retained.
  5. The organization controls access to security logs.
  6. The organization uses a SIEM or other monitoring and alerting system to triage and manage security events and incidents.

Section 5 – Access and Authentication

  1. Software users must authenticate their identities when using software.
  2. All users have unique usernames.
  3. The software validates that the user is legitimate and should be granted access, and not an imposter.
  4. The organization identifies persons and systems for managing the creation, provisioning, maintenance, and de-provisioning of user accounts.
  5. User credentials are secured within the software.
  6. The software supports role-based access.
  7. The software supports multi-factor authentication (MFA, 2FA, etc.).
  8. The organization controls security if its software accesses other apps on the user's device (computer, smartphone etc.) to deliver supplemental functionality, for example, sending emails, updating a status, or sharing contacts on behalf of the user.
  9. The organization specifies and implements any age restrictions on the use of the service.
  10. The organization has a policy regarding parental consent rules, if applicable.
  11. If the creation of a user account creates a public facing or in-software browsable profile of that user, the organization maintains control of any non-public information.
  12. When the service requires users to authenticate (log in), the organization applies minimum standards to the passwords used (i.e. password length, complexity, re-use, etc.).

Section 6 – Security Assurance

  1. The organization performs:
    1. vulnerability assessment across its customer software and corporate environment.
    2. penetration testing across its customer software and corporate environment.
  2. The organization makes the results of security assessments available to consumers of its software.
  3. The organization has a policy on notifying users of data breaches.
  4. The organization responds promptly and effectively to data breaches.

Section 7 – Data Privacy and Access

  1. The organization identifies ownership of data uploaded or created within the product or service.
  2. The organization has a process for an individual user to request a copy of their data held by the organization.
  3. Users can request and obtain account closure and complete deletion of their profile and associated data.
  4. The organization has a policy for each of the following:
    1. the retention period of backups/archives of user and customer data. (Consider backup data only, not the original data. Backup data can be in the form of tapes, DVDs, drives, backup servers or other media.)
    2. the retention period of customer and user data retained after a user profile is deactivated/deleted.
    3. the use of user or customer data to target the sale of additional services or products by the organization or a third party.
    4. providing evidence and assurance that particular personal data sets have been securely deleted.