Continuing the discussion of the seventh threat category, Non-compliance: Nc.2.
Non-compliance
See the previous post.
Nc.2 Improper personal data management
This characteristic groups a number of data management risks that may have privacy outcomes or, vice versa, privacy threats that may lead to overarching data management problems. When the management of personal data falls short, data management risks may include a lack of holistic approaches or frameworks or, more specifically, incomplete treatment of the data lifecycle (e.g. no automated deletion after a retention period).
Criteria
- Data lifecycle management policy
  - Is there a data lifecycle management policy defined for the data processed within the system?
- Clear data management principles for each lifecycle phase
  - Does the policy outline clear principles for each phase of the data lifecycle (creation, storage, sharing and usage, archival, and destruction)?
Examples
- No principles for data retention
  - There is no clear policy or mechanism to enforce deletion of data that is no longer needed.
  - There is no policy or mechanism to define rules for data retention, archival and deletion within the system. This can lead to the system keeping data for longer than allowed, which poses a number of threats in the Data Disclosure threat type.
- No roles and responsibilities for data management defined
  - The organizational roles and responsibilities surrounding data management in the system are not sufficiently defined.
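As an added example (not part of the LINDDUN catalog or of the original post), the Nc.2 criteria and the retention example above can be checked mechanically against a data inventory. The policy layout, category names, owner field and records below are constructed assumptions.

```python
from datetime import date, timedelta

# Lifecycle phases named in the Nc.2 criteria.
PHASES = ("creation", "storage", "sharing_and_usage", "archival", "destruction")

# Constructed policy, one entry per data category (all names are hypothetical).
POLICY = {
    "support_tickets": {"owner": "support-lead", "retention_days": 365,
                        "principles": {p: "documented" for p in PHASES}},
    # No responsible role, no retention rule, three phases without principles.
    "marketing_leads": {"owner": None, "retention_days": None,
                        "principles": dict.fromkeys(("creation", "storage"), "documented")},
}

# Constructed inventory: (record id, data category, collection date).
RECORDS = [
    ("r1", "support_tickets", date(2023, 1, 10)),
    ("r2", "support_tickets", date(2024, 11, 2)),
    ("r3", "marketing_leads", date(2022, 6, 1)),
    ("r4", "web_logs", date(2024, 12, 1)),  # category with no policy at all
]

def policy_gaps(policy, categories):
    """Map each category that fails an Nc.2 criterion to its list of gaps."""
    gaps = {}
    for cat in sorted(categories):
        entry = policy.get(cat)
        if entry is None:
            gaps[cat] = ["no lifecycle policy defined"]
            continue
        found = [f"no principle for phase {p}" for p in PHASES
                 if not entry.get("principles", {}).get(p)]
        if entry.get("retention_days") is None:
            found.append("no retention period")
        if not entry.get("owner"):
            found.append("no responsible role")
        if found:
            gaps[cat] = found
    return gaps

def overdue(policy, records, today):
    """Ids of records kept longer than their category's retention period."""
    return [rid for rid, cat, collected in records
            if (days := (policy.get(cat) or {}).get("retention_days")) is not None
            and collected + timedelta(days=days) < today]

if __name__ == "__main__":
    print(policy_gaps(POLICY, {cat for _, cat, _ in RECORDS}))
    print(overdue(POLICY, RECORDS, date(2025, 1, 1)))
```

Records in a category without a retention rule can never show up in `overdue`, which is why the policy gaps are reported separately from the overdue records.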
Impact
- Unmanaged data leading to privacy, security or availability issues: Inadequate or nonexistent data lifecycle management can result in a loss of overview of the data within the system and its maintenance, posing concerns not only for privacy and data protection but also security and availability.
Additional information
- Continuous review of the data lifecycle management
  - Data lifecycle management is a continuous process that must be consistently carried out as long as the system is designed, developed, and used.