From 5b150416a07217a95157b71bd0862974f37d55ec Mon Sep 17 00:00:00 2001 From: Elar Lang Date: Fri, 10 Jan 2025 18:52:43 +0200 Subject: [PATCH] tag update for 8.3.7 / 1.8.2 --- 5.0/en/0x16-V8-Data-Protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/5.0/en/0x16-V8-Data-Protection.md b/5.0/en/0x16-V8-Data-Protection.md index 783cbebb67..c63a77fb20 100644 --- a/5.0/en/0x16-V8-Data-Protection.md +++ b/5.0/en/0x16-V8-Data-Protection.md 
@@ -13,7 +13,7 @@ This chapter includes requirements related to defining what data needs to be pro | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | | **1.8.1** | [MODIFIED, MERGED FROM 8.3.4, 6.1.1, 6.1.2, COVERS 6.1.3] Verify that all sensitive data created and processed by the application has been identified and classified into protection levels, and ensure that a policy is in place on how to deal with sensitive data. Note that this includes sensitive data that is being encoded in a recoverable form such as Base64 and JWT. Protection levels need to take into account any data protection and privacy regulations and standards which the application is required to comply with. | | ✓ | ✓ | 213 | -| **1.8.2** | [MODIFIED, SPLIT TO 8.1.9] Verify that all protection levels have a documented set of protection requirements. This should include (but not be limited to) requirements related to general encryption, integrity verification, retention, how the data should be logged, access controls around sensitive data in logs, database-level encryption, privacy and privacy-enhancing technologies to be used, and other confidentiality requirements. | | ✓ | ✓ | | +| **1.8.2** | [MODIFIED, SPLIT TO 8.1.9, COVERS 8.3.7] Verify that all protection levels have a documented set of protection requirements. This should include (but not be limited to) requirements related to general encryption, integrity verification, retention, how the data should be logged, access controls around sensitive data in logs, database-level encryption, privacy and privacy-enhancing technologies to be used, and other confidentiality requirements. | | ✓ | ✓ | | ## V8.1 General Data Protection 
@@ -54,7 +54,7 @@ Note: Privacy regulations and laws, such as the Australian Privacy Principles AP | **8.3.4** | [DELETED, MERGED TO 1.8.1] | | | | | | **8.3.5** | [MOVED TO 7.2.7] | | | | | | **8.3.6** | [DELETED, NOT PRACTICAL] | | | | | -| **8.3.7** | [DELETED, DUPLICATE OF 1.8.2] | | | | | +| **8.3.7** | [DELETED, COVERED BY 1.8.2] | | | | | | **8.3.8** | [LEVEL L2 > L3] Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires. | | | ✓ | | | **8.3.9** | [ADDED] Verify that sensitive information is removed from the metadata of user-submitted files unless storage is consented to by the user. | | ✓ | ✓ | 212 |
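Review bot: In the first hunk (`@@ -13,7 +13,7 @@`), the 1.8.2 row that now carries `COVERS 8.3.7` is marked for L2 and L3 only and has an empty CWE cell, and nothing visible in the patch shows which level or CWE 8.3.7 had before it was deleted. Please confirm that 8.3.7 was not an L1 requirement, because pointing it at an L2/L3-only requirement would otherwise drop that check from L1 without any trace in the table. If 8.3.7 had a CWE mapping, carry it over to the 1.8.2 row in the same change. The requirement text of 1.8.2 is unchanged here, so it would also help to say in the commit message which of the listed items (encryption, integrity verification, retention, logging, access controls, and so on) is the one that covers 8.3.7.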
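Review bot: In the second hunk (`@@ -54,7 +54,7 @@`), `[DELETED, COVERED BY 1.8.2]` points at a requirement that the first hunk shows is itself tagged `SPLIT TO 8.1.9`, so a reader following the reference cannot tell whether the content of 8.3.7 stayed in 1.8.2 or moved out with the split. Please check that the part that covers 8.3.7 is still in 1.8.2, and if any of it went to 8.1.9, name both requirements in the tag. The subject line "tag update for 8.3.7 / 1.8.2" gives no reason for replacing `DUPLICATE OF` with `COVERED BY`; one sentence on the distinction (the old requirement is subsumed rather than identical) would make the mapping easier to audit later.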