Industry:Draft NIST SP 800-122

Submission Response
Latest first

Final version
TBC

Draft Text version 2
TBC

Draft Text version 1
TBC

Initial Comments
Possibly four areas where OWASP might comment; initial ideas are below (no justifications provided yet).

In "3.2.5 Access to and Location of the PII", amend the sentence which ends "Another element is the scope of access to the PII, such as whether the PII needs to be accessed from teleworkers' systems and other systems outside the direct control of the organization." to "Another element is the scope of access to the PII, such as whether the PII needs to be STORED ON OR accessed from teleworkers' systems and other systems SUCH AS WEB APPLICATIONS outside the direct control of the organization."

In "3.3.3 Example 3: Fraud, Waste, and Abuse Reporting Application", in the section "Access to and location of the PII: The database is only accessed by a few people who investigate fraud, waste, and abuse claims. All access to the database occurs only from the organization's own systems.", change this to be "Access to and location of the PII: THE DATA EXISTS TEMPORARILY ON A SERVER OUTSIDE THE ORGANIZATION'S NETWORK (THE ONLINE SYSTEM) AND ANY VULNERABILITIES IN THE ONLINE WEB APPLICATION COULD LEAD TO A BREACH OF THE PII. ONCE TRANSFERRED INTERNALLY, the database is only accessed by a few people who investigate fraud, waste, and abuse claims, MEANING access to the INTERNAL database occurs only from the organization's own systems."

In "4.3 Security Controls", add at the end of the first paragraph (before the bulleted items): "SEE THE OPEN WEB APPLICATION SECURITY PROJECT APPLICATION SECURITY VERIFICATION STANDARD (ASVS) FOR ONLINE WEB SYSTEM SECURITY CONTROL VERIFICATION." (footnote link: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)

In "Appendix A, Scenario 2: Protecting Survey Data", under the "additional questions for the scenario", add a new item between items 2 and 3: "HOW ARE THE DATA ELEMENTS COLLECTED, STORED AND USED SECURELY IN THE ONLINE SYSTEMS?"