Privacy and Security
5 views
Skip to first unread message
Nuwan Waidyanatha
Feb 1, 2016, 3:29:25 AM2/1/16
to Sahana Software Foundation, Devin Balkind
Greetings Sahana SIC members,
Have we addressed or do we need to address the topic of "privacy and
security" in relation to our code/solutions?
If we do then what kind of frameworks do we adopt? Example, is their
any technology / standard that we use in Eden that ensures this?
Should we be following some standard(s)? something like this:
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45123
Reason being, ITU is forcing Governments to commit to cyber security:
http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx
As we move into deploying systems, people will be raising these
questions. They did raise this question in Nepal and Maldives. I need
to add some language, in our wiki standards page, a paragraph or so
that we can point/refer to, when this question is brought up by users
(prospective users).
Mark - reviewed/worked-on a legal document for IFRC? Are there any
lessons we can borrow from there?
Chamindra - perhaps Virtusa has expertise in this area that we can learn from?
Other members - any thoughts or research leads would be helpful.
Best wishes
Nuwan
Have we addressed or do we need to address the topic of "privacy and
security" in relation to our code/solutions?
If we do then what kind of frameworks do we adopt? Example, is their
any technology / standard that we use in Eden that ensures this?
Should we be following some standard(s)? something like this:
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45123
Reason being, ITU is forcing Governments to commit to cyber security:
http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx
As we move into deploying systems, people will be raising these
questions. They did raise this question in Nepal and Maldives. I need
to add some language, in our wiki standards page, a paragraph or so
that we can point/refer to, when this question is brought up by users
(prospective users).
Mark - reviewed/worked-on a legal document for IFRC? Are there any
lessons we can borrow from there?
Chamindra - perhaps Virtusa has expertise in this area that we can learn from?
Other members - any thoughts or research leads would be helpful.
Best wishes
Nuwan
Fran Boon
Feb 1, 2016, 5:21:20 AM2/1/16
to Nuwan Waidyanatha, Sahana Software Foundation, Devin Balkind
On 1 February 2016 at 08:29, Nuwan Waidyanatha <waidy...@gmail.com> wrote:
> Have we addressed or do we need to address the topic of "privacy and
> security" in relation to our code/solutions?
> If we do then what kind of frameworks do we adopt? Example, is their
> any technology / standard that we use in Eden that ensures this?
No, unfortunately not.
> Have we addressed or do we need to address the topic of "privacy and
> security" in relation to our code/solutions?
> If we do then what kind of frameworks do we adopt? Example, is their
> any technology / standard that we use in Eden that ensures this?
> Should we be following some standard(s)? something like this:
> http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45123
I'm not sure if this can be a 'framework', other than the existing
RBAC, but we could probably make use of a simplified set of
guidelines.
We almost certainly do most, if not all, anyway, but making this
clearer/explicit would be good idea.
Am not sure how hard it is to create such a simplified guide.
> Reason being, ITU is forcing Governments to commit to cyber security:
> http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx
> As we move into deploying systems, people will be raising these
> questions. They did raise this question in Nepal and Maldives. I need
> to add some language, in our wiki standards page, a paragraph or so
> that we can point/refer to, when this question is brought up by users
> (prospective users).
actively bear this in mind, so the simplified guide would be helpful
here too to point potential users too.
Potentially in future this could be an actual certification, although
that would really have to be a specific template and likely paid for
by the main user of the template.
> Chamindra - perhaps Virtusa has expertise in this area that we can learn from?
F
Louiqa Raschid
Feb 1, 2016, 8:08:10 PM2/1/16
to Nuwan Waidyanatha, Sahana Software Foundation, Devin Balkind
Nuwan - This is an important issue. Keep in mind that we are delivering
individual pieces of software that must fit within the IT framework of
an organization. We cannot provide any guarantees that exceed the
capabilities of the organization. On the other hand, we want to be sure
that we are not introduing any vulnerabilities.
It definitely makes sense to ask someone from Virtusa or similar company
to provide us with some guidance on our use of additional frameworks and
standards, protocols, vulnerabilities, etc. Chamindra - can you take
the lead on this?
> You received this message because you are subscribed to the Google Groups "standards" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to standards+...@sahanafoundation.org.
>
>
Nuwan Waidyanatha
Feb 3, 2016, 2:41:43 AM2/3/16
to Dominic König, Sahana Software Foundation, Devin Balkind
Dominic,
I'm sharing your recommendations with the group. Thanks a lot for your
suggestions and it has given me enough material to start documenting.
We don't want to publish any of this publicly, of cause.
Nuwan
On Wed, Feb 3, 2016 at 4:49 AM, Dominic König <dom...@nursix.org> wrote:
> Okay,
>
> as far as I have understood, this discussion is sufficiently covered by Fran,
> and he will escalate to me if/when my input is necessary.
>
> Just as a little food for thought:
>
> In Sahana, we currently have three areas where we have insufficient frameworks
> in view of security/privacy:
>
> 1) authorized misuse
> 2) data lifecycle and ownership management
> 3) intrusion detection
>
> For (1) there are two classic solutions:
> a) a non-editable change log
> b) general reversibility of changes
>
> ...which both require a delta-store (Git is an excellent example), and
> comprise a fundamental framework change.
>
> For (2), we have three sub-problem areas:
> a) Change of ownership
> b) End of ownership
> c) Unmaintained data that become irrelevant/invalid (record expiry)
>
> We have no real solutions or even appropriate recommendations for either of
> these.
>
> For (3), we have no frameworks or tools whatsoever - examples are what both
> Google and Facebook do (notifying people about unusual access patterns to
> their accounts), or what GitHub provides ("security events" log).
>
> As I've learned, all of these are very relevant especially for government
> agencies, and in particular in Europe (but also generally for handling
> sensitive information, like in case management, which is what I was looking
> into specifically) - and all of these problems are more critical than 8-tier
> access authorization (which we're really good at).
>
> And a general problem with Sahana is that it tends to produce too many live
> data, which is not only a security problem (=irrelevant for the situation, but
> otherwise sensitive information), but also counter-productive for emergency
> response (too much information is one of the fundamental problems).
>
> ===
>
> So, there's really a lot of work that needs to be done - we're lagging behind
> security-wise. Research and standards recommendations will be appreciated, but
> first there needs to be some recognition of the problems - very little can be
> done if these problems are denied by the decision makers and solutions not
> being invested in.
>
> One investment may just come our way, though ;) got in a long list of
> requirements from Germany today, working on an effort estimate now.
>
> Dominic
>
I'm sharing your recommendations with the group. Thanks a lot for your
suggestions and it has given me enough material to start documenting.
We don't want to publish any of this publicly, of cause.
Nuwan
On Wed, Feb 3, 2016 at 4:49 AM, Dominic König <dom...@nursix.org> wrote:
> Okay,
>
> as far as I have understood, this discussion is sufficiently covered by Fran,
> and he will escalate to me if/when my input is necessary.
>
> Just as a little food for thought:
>
> In Sahana, we currently have three areas where we have insufficient frameworks
> in view of security/privacy:
>
> 1) authorized misuse
> 2) data lifecycle and ownership management
> 3) intrusion detection
>
> For (1) there are two classic solutions:
> a) a non-editable change log
> b) general reversibility of changes
>
> ...which both require a delta-store (Git is an excellent example), and
> comprise a fundamental framework change.
>
> For (2), we have three sub-problem areas:
> a) Change of ownership
> b) End of ownership
> c) Unmaintained data that become irrelevant/invalid (record expiry)
>
> We have no real solutions or even appropriate recommendations for either of
> these.
>
> For (3), we have no frameworks or tools whatsoever - examples are what both
> Google and Facebook do (notifying people about unusual access patterns to
> their accounts), or what GitHub provides ("security events" log).
>
> As I've learned, all of these are very relevant especially for government
> agencies, and in particular in Europe (but also generally for handling
> sensitive information, like in case management, which is what I was looking
> into specifically) - and all of these problems are more critical than 8-tier
> access authorization (which we're really good at).
>
> And a general problem with Sahana is that it tends to produce too many live
> data, which is not only a security problem (=irrelevant for the situation, but
> otherwise sensitive information), but also counter-productive for emergency
> response (too much information is one of the fundamental problems).
>
> ===
>
> So, there's really a lot of work that needs to be done - we're lagging behind
> security-wise. Research and standards recommendations will be appreciated, but
> first there needs to be some recognition of the problems - very little can be
> done if these problems are denied by the decision makers and solutions not
> being invested in.
>
> One investment may just come our way, though ;) got in a long list of
> requirements from Germany today, working on an effort estimate now.
>
> Dominic
>
Nuwan Waidyanatha
Feb 3, 2016, 3:12:08 AM2/3/16
to Dominic König, Sahana Software Foundation, Devin Balkind
Forgot to share the link to the working document:
https://docs.google.com/document/d/18IaTJaBJy6yNDoMB7gwdlbqIoyaxxjtTBnruPP6v_Vc/edit?usp=sharing
https://docs.google.com/document/d/18IaTJaBJy6yNDoMB7gwdlbqIoyaxxjtTBnruPP6v_Vc/edit?usp=sharing
Reply all
Reply to author
Forward
0 new messages