OWASP / ASVS

Application Security Verification Standard

move or merge 8.3.5 to V7

elarlang opened this issue · comments

Current 8.3.5:

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 8.3.5 | Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required. | | | | 532 |

First there was a proposal and agreement to move it to V7, as it talks about logging: #1444 (comment), #1444 (comment)

When preparing the PR, I stopped with the question: is it covered by, or can it be merged into, 7.2.2?

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 7.2.2 | [MODIFIED] Verify that all access control decisions are logged including failed attempts. | | | | 285 |

ping @tghosth

8.3.5 is talking specifically about logging access to sensitive data. E.g. in law enforcement or medical settings, an application would be expected to keep an audit trail of which users access which people's personal files.

As such I disagree with merging but would suggest some modifications:

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 8.3.5 | [MODIFIED] Verify that accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required by relevant data protection requirements. | | | | 532 |

I think those can be merged, as functionality and information for (current) 8.3.5 is covered by 7.2.2 anyway.

If you think it is really important to have them separately, then let it be - coverage stays. The second part of the requirement forced me to read it 3 times ...

Maybe in this direction:

Verify that accessing sensitive data is logged (without logging the sensitive data itself) if it is required by relevant data protection requirements.

Opened #1962 with a proposal similar to the above