
[WEB SECURITY] Data retention
Dear all

Sometimes security professionals have difficulty convincing system owners of the importance of fixing vulnerabilities in web applications.  Even if an exploit can be demonstrated, the response may be that the potential impact is very low.

Websites and web applications can be the primary repository for some types of information and therefore the organisation is obliged to maintain the data appropriately and dispose of it safely at the end of its life.  If a vulnerability could lead to data loss or poisoning, the organisation could be contravening its legal or regulatory requirements.  Therefore, if you had a system to record staff time, holiday and sickness and it was enabled for access by remote workers, this would be a good example where the data falls under numerous laws and regulations.  Intranets are another area where accidental or malicious use could cause the organisation to be in breach of its legal requirements.  

We've created a summary of the United Kingdom's requirements for some business sectors at:

http://www.watsonhall.com/dataretention

that redirects to the longer:

http://www.watsonhall.com/resources/downloads/paper-uk-data-retention-requirements.pdf

Another aspect of this is that web applications and their hosting systems must do their own logging.  ISPs only have to retain web activity (content and traffic) data for 4 days.  So if you have a possible security breach, don't rely on anyone else's data being available for investigation.

Does anyone know of similar charts or tables for other countries?

Regards

Colin Watson
Technical Director
Watson Hall Ltd
http://www.watsonhall.com
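The post's last technical point is that a web application and its hosts must keep their own records rather than rely on an ISP's short retention window, and the earlier paragraph notes that data must also be disposed of at the end of its retention period. The block below is an added example, not code from the post or from Watson Hall: an application-side security event log that hash-chains each record to its predecessor (so deletion or edits in the middle are detectable during an investigation) and enforces an age-based retention policy by purging only the expired prefix, leaving the retained chain verifiable. The in-memory list, the event names, the sample IP addresses and the 90-day period are all constructed for illustration; a real deployment would write to append-only storage and take the retention period from the applicable requirement.

```python
"""Hash-chained application security event log with retention enforcement.

Added example for this post; names, sample events and periods are assumptions.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain anchor before any record exists


def _canonical(fields):
    # Stable serialisation so an identical record always hashes identically.
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


class SecurityEventLog:
    """Append-only, hash-chained event log with age-based retention.

    A Python list stands in for the append-only file or table a real
    deployment would use (assumption for this example).
    """

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.records = []
        # Hash of the most recently purged record; verification of the
        # retained records starts from here, so purging never breaks the chain.
        self.anchor = GENESIS

    def record(self, event, client_ip, user, at=None):
        """Append one event, linked to the previous record by hash."""
        at = at or datetime.now(timezone.utc)
        fields = {
            "ts": at.isoformat(),
            "event": event,
            "client_ip": client_ip,
            "user": user,
            "prev": self.records[-1]["hash"] if self.records else self.anchor,
        }
        fields["hash"] = hashlib.sha256(_canonical(fields).encode()).hexdigest()
        self.records.append(fields)
        return fields["hash"]

    def verify(self):
        """Return True only if every retained record links and hashes correctly."""
        prev = self.anchor
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(_canonical(body).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def purge(self, now=None):
        """Dispose of records older than the retention period; return the count."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - self.retention
        dropped = 0
        # Records are appended in time order, so expired ones form a prefix.
        # Dropping only that prefix and remembering its last hash keeps the
        # remaining chain verifiable.
        while self.records and datetime.fromisoformat(self.records[0]["ts"]) < cutoff:
            self.anchor = self.records.pop(0)["hash"]
            dropped += 1
        return dropped


def demo():
    """Constructed events: two old, one recent; purge after 120 days."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = SecurityEventLog(retention_days=90)
    log.record("login_failure", "198.51.100.7", "alice", at=t0)
    log.record("login_success", "198.51.100.7", "alice", at=t0 + timedelta(days=1))
    log.record("record_update", "203.0.113.9", "bob", at=t0 + timedelta(days=100))
    purged = log.purge(now=t0 + timedelta(days=120))
    return purged, len(log.records), log.verify()


def tamper_demo():
    """Editing a retained record after the fact must make verification fail."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = SecurityEventLog(retention_days=90)
    log.record("login_failure", "198.51.100.7", "alice", at=t0)
    log.record("login_success", "198.51.100.7", "alice", at=t0 + timedelta(days=1))
    log.records[0]["user"] = "mallory"  # simulated tampering
    return log.verify()


if __name__ == "__main__":
    print(demo(), tamper_demo())
```

The purge deliberately removes only the leading run of expired records: if an out-of-order timestamp ever slipped in, it would be retained rather than silently opening a gap in the chain, which is the safer failure for a record you may later have to rely on.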
