Compliance & Security

Compliance & Security

On this page information is provided concerning the Survey Project webapplication and its compliance to (international) rules and regulations (law) and the security/ accessibility measures applied.

Main reason to start documenting the information is to assist 'Data Controlers' and 'Data Processors' to comply with:

General Data Protection Regulation (May 25th 2018)

New EU regulation (law) concerning the use and processing of personal data that will become (formally) active as of May 2018.




Sources on GDPA
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
http://ec.europa.eu/justice/data-protection/
http://www.eugdpr.org/

- Information Commissioners Office (UK)
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- GDPR Summit Series (YouTube videos)
https://www.youtube.com/channel/UCwlTq3gRfiKtSsK787gMtMQ/featured

The GDPR rules apply inside and outside the EU (in case of processing personal data of EU citizens).

OWASP - Application Security Verification Standard

The Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) v. 3.0.1 is used to review and audit compliance of the SP webapplication with (international) security standards.

Results will be published in detail separately. The overall and summarized results will be presented as follows:

 

Code Section Level 1 Opportunistic Level 2 Standard Level 3 Advanced Achieved
    C NC PC MET C NC PC MET C NC PC MET level
V1. Architecture, design and threat modelling                          
V2. Authentication                          
V3. Session management                          
V4. Access control                          
V5. Malicious input handling                          
V7. Cryptography at rest                          
V8. Error handling and logging                          
V9. Data protection                          
V10. Communications                          
V11. HTTP security configuration                          
V13. Malicious controls                          
V15. Business logic                          
V16. File and resources                          
V17. Mobile                          
V18. Web services (NEW for 3.0)                          
V19. Configuration (NEW for 3.0)                          
                             


Legend
C= Compliant (yes/ no)
NC = Not Compliant (yes/ no)
PC = Partial Complaint (%)
MET = +, -, !
Achieved = overall level

More soon....