Hey folks,
I read the thread started by Obie about certifying the maturity of a
Rails business' process maturity.
I'm not particularly interested in that, but I am curious about
various kinds of "audits" of Rails apps and Rails business' processes.
Something like the Massachusetts data privacy law comes to mind.
http://www.informationweek.com/blog/main/archives/2009/02/as_an_informati.html
Wouldn't it be cool if the Rails community was known as championing
personal data privacy? As a Massachusetts resident, I'm kind of proud
of my legislators for pushing this law through.
My understanding is an auditor would basically have to:
* Determine where the Rails app's User's first+last name information goes throughout the system.
* Determine if at any point that data is associated with a credit card number, SSN, or driver's license.
* Determine if those integration points are secure.
That doesn't seem unreasonable to me.
The maximum penalty "per incident" is $50,000. That's potentially
expensive. Not all businesses can pay for an auditor for this kind of
thing, but being certified would say to your customers: "Your personal
information is personal. Keeping it private is important to us. We are
diligent about treating you right."
Thoughts?
Dan Croak
http://thoughtbot.com