Commit dfc5900
Implement CSF Skill B32
Implement Cybersecurity Skill Framework B32: "Develop awareness of cybersecurity laws and regulations relevant to your industry, such as GDPR for data protection. Begin by conducting simple compliance checks and documenting data handling procedures." Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
1 parent c8db0d8 commit dfc5900

File tree

1 file changed

+11
-0
lines changed


docs/lfd121.md

Lines changed: 11 additions & 0 deletions
@@ -618,6 +618,17 @@ Telemetry data is especially fraught with privacy and confidentiality issues. En
618618

619619
The Linux Foundation’s [*“Telemetry Data Collection and Usage Policy”*](https://www.linuxfoundation.org/telemetry-data-policy/) presents a brief discussion of some of the issues that should be considered before implementing telemetry data collection, as well as discussing the Foundation’s approach to managing use of telemetry by its open source project communities. This may be useful to you in other contexts.
620620

621+
#### Data handling procedures and reviews for sensitive information
622+
623+
If your software is designed to handle sensitive information, you must also record your "data handling procedures" to show how you adhere to cybersecurity laws and regulations. This record shows how your software collects, stores, uses, and eventually destroys sensitive data. This helps you verify and demonstrate that you meet legal obligations and organizational security policies. This record would include:
624+
625+
* Data Inventory: What sensitive data (such as PII) is being collected?
626+
* Legal Basis: For each piece of data, what is the lawful basis for processing (e.g., consent or legal obligation)?
627+
* Access Control: Who is authorized to access the data, and how is that access mediated?
628+
* Retention and Disposal: How long is the data kept, and how is it destroyed when no longer needed?
629+
630+
Routinely review this record to conduct simple compliance checks to ensure all your legal requirements are met. For example, verify that your requirements and procedures properly support the Right of Access, Right to Erasure, and Data Minimization.
631+
621632
#### Quiz 1.3: Privacy Requirements
622633

623634
\>\>Which of the following privacy-related statements is true?||Check all of the options below that are true, and do NOT check them otherwise.<<
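Review bot: the record described at 623+ through 628+ captures what is collected, why, who may access it and how long it is kept, but not where the data goes; the Right of Access and Right to Erasure named at 630+ can only be honoured if the record also lists the data's storage locations and any third parties or services it is shared with, since an access or erasure request has to reach every copy, including copies held by recipients. Suggest adding an item after 627+ such as `* Data Flow and Sharing: Where is the data stored, and with which third parties or services is it shared?`. Separately, 630+ uses Right of Access, Right to Erasure, and Data Minimization without saying they are GDPR terms, while 623+ speaks of laws and regulations in general; a short parenthetical such as `(GDPR terms; other regimes have analogues)` would keep the paragraph consistent with the commit message's "such as GDPR".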
