Yes, had you forgotten it's Data Privacy Day tomorrow? See StaySafeOnline for events in the US and Canada. Not sure why it's a Saturday — maybe to give the weekend journalists a story they can prepare in advance, and then take the day off.

While there is a programme of events, data protection has been in the news this week following the publication on Wednesday of the European Union's proposed reform of data protection legislation, promoted under the banner of aiming:

There has been extensive documentation and justifications published to accompany the draft directive. There is of course plenty of coverage elsewhere, and I would recommend reading the following:

• Initial response from the ICO on the European Commission's proposal for a new general Data Protection Regulation, UK Information Commissioner's Office
• EDPS welcomes a "huge step forward for data protection in Europe", but regrets inadequate rules for the police and justice area European Data Protection Supervisor
• Pan-EU consistency in data protection reform welcome, but burden on business a problem, says expert, Out-Law.com

So, what does it mean? For now, these are just proposals, and what will eventually be made into law will be something very different. But it does indicate the way things are going, and is a reminder to website and application owners & developers of the need to take privacy considerations into their projects now, since the cost of changes later may be prohibitive. And, they should be doing this already, but there may be more obligations for those processing personal data in the future. There is potentially more complex functionality required for tracking consent, achieving data portability, handling withdrawal of consent and undertaking data removal.

And, there is the topic of mandatory notification of "serious" breaches.

Data Privacy Day might be a day of reading after all.

Last week, the European Network and Information Security Agency (ENISA) announced the publication of two guidance documents relating to Article 13a of the new telecommunications legislation (Directive 2009/140/EC) regarding security incidents and security controls.

I don't often quote legislation here, but I thought it was relatively short and provides the intent behind ENISA's guidance. ENISA has published two documents.

Technical Guideline on Incident Reporting provides guidance on the annual summary of significant issues and the notification of cross-border incidents. While most (all?) readers of this blog won't necessarily work in the telecommunications sector, I think the document is useful more widely for two aspects. It demonstrates the type of reporting which could be required if breach notification becomes a requirement for other sector or types of data (e.g. personal data)in the future. Also, the Section 5 on impact parameters and thresholds provides some insight into the continental and national viewpoint on the effects of security incidents.

The second document Technical Guideline on Minimum Security Measures defines the security controls national regulators need to consider when evaluating public communications networks. These are relatively high-level and are grouped into governance/risk management, human resources security, security of systems and facilities, operations management, incident management, business continuity management, and monitoring, auditing and testing. So a clear mapping to ISO27001/2/5 for information security and risk management, and BS 25999 for business continuity.

The UK's data protection agency Information Commissioner's Office (ICO) has updated the previous guidance on the use of cookies and similar tracking technologies, under the revised Privacy and Electronic Communications Regulations which came into force on 26th May this year.

In a press release today, organisations were warned they are not doing enough during the lead-in period to formal enforcement.

The updated Guidance on the Rules on use of Cookies and Similar Technologies provides concrete advice and practical guidance on the legal requirements, their interpretation and what are considered acceptable practices. The guidance was issued as a result of a review of progress to date which shows a lack of knowledge and action from web site owners. Of most concern are likely to be persistent cookies, cookies issued by third parties, cookies issued immediately a user visits a web site, are used for any sort of profiling or which span multiple website hostnames or multiple domains.

If you have any analytics, advertising, tracking or content provision by third party web sites, beware — you may just find the terms and conditions of service state you are responsible for obtaining and managing consent.

If you are a web site owner, take note and act now, if you have not already done so. From May 2012, the ICO will be accepting complaints from users, and will then contact web site owners to ask them to respond to the complaint and explain what steps they have taken to comply with the regulations. Therefore, document what you are doing and the decisions taken.

Last week the UK government's Cabinet Office published its new cyber security strategy.

The Cyber Security Strategy describes the government's commitment to this "tier 1" risk. In the objective to make the UK "more resilient to cyber attacks and better able to protect our interests in cyber space", I hope the "risk-based approach..." "...working in partnership" which includes "raising business awareness" includes helping organisations of all sorts acquire and develop software which is secure and fit-for-purpose.

In particular, I hope the Cyber Security Hub will be able to promote secure software development lifecycles.

The W3C's Tracking protection Working Group has published two working draft proposals for implementing "Do Not Track" online.

The proposals will allow users to define whether or not data about them can be collected for tracking purposes. Thus the proposals include information on how consumers express their tracking preference, and also how the websites and related systems (e.g. affiliates) will acknowledge those preferences.

Tracking Preference Expression (DNT) (W3C Working Draft 14 November 2011) describes how users express their preference and how websites indicate whether they honour such preferences. The proposal is to utilise a new HTTP request header "DNT", a machine-readable web-accessible file defining the site's tracking policy and an HTTP response header for the site to communicate its compliance with tracking preferences.

Tracking Compliance and Scope (W3C Working Draft 14 November 2011) defines the meaning of a "do not track" preference and will set out practices for websites to comply with this preference.

These are very early drafts, with many unresolved issues. W3C hopes to have adopted standards by June 2012, but in the meantime is inviting review and comment. For websites hoping to adopt and promote compliance with this proposal, now is a good time to start defining a project with a view to firming up the requirements in April 2012 when a candidate recommendation will be published. The broad requirements can be seen from the current documentation.

Do you remember Lush Cosmetics' rather public payment card data and personal data loss announced in January 2011? After 4 months of being compromised, the problem was recognised, customers were notified and the web site was shutdown.

Lush had allowed people's data to be stolen via its own web site. We still await to hear what the fines and other penalties will be levied under the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (DSS) if they are found to have been non-compliant at the time. However the UK's Information Commissioner's Office (ICO) became involved due to the related loss of 5,000 individual's personal data and confirmed in a press release on Wednesday this week that Lush Cosmetics had also breached the Data Protection Act 1998. Formed in 1994-1995, Lush Cosmetics has been a registered data controller (No. Z8189523) since late 2003.

As expected, no enforcement notice or monetary penalty has been issued, but Lush Cosmetics Limited's Managing Director, Mark Constantine, has signed an undertaking to ensure that personal data are processed in accordance with the seventh data protection principle concerning security, and in particular take the following measures to improve the protection of personal, and cardholder data:

1. Appropriate technical and organisational measures are employed, and maintained, to prevent the unlawful processing of customer data, particularly within web based systems;
2. Only the minimum amount of customer personal data is stored and that this is retained only for as long as a relevant business need exists;
3. Computer systems storing customer personal data must be subject of regular penetration testing , with activity logs retained for an appropriate period of time and frequently interrogated for evidence of malicious attack;
4. The processing of customer credit card data is conducted by a PCI compliant external service provider;
5. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

...as long as the Data Protection Act, or succeeding legislation are in force. So correctly a focus on Lush's web systems, including penetration testing of systems holding personal data. But also other appropriate security measures as necessary. Let's hope Lush aren't left thinking penetration testing is the answer — security needs to be considered at all stages of acquisition, development, deployment and operation.

And yes, that's right, the ICO is insisting on compliance with PCI DSS. The ICO made it clear in the press release of its expectations for PCI DSS compliance by other online retailers, that will otherwise risk enforcement action by the ICO.

This seems to be a valid approach, since fines, investigation costs, etc may still be levied for lack of PCI DSS compliance too. But I have some concerns with how Lush are portraying their squeaky-clean new status in the web site's terms and conditions:

I'm not entirely sure that moving all cardholder data off-site to a PCI DSS compliant third party processor necessarily means much about the security of other data on the Lush web site and elsewhere at Lush, or much about systems outside the cardholder data environment. Is this just meaningless bubbly rhetoric to provide false assurance, or maybe Lush still does not understand what they are doing? Complying with regulatory and contractual mandates isn't the same as believing in "filling the world with perfume and in the right to make mistakes, lose everything and start again". Some of that "honest meaning" mentioned by Lush would be welcome here too.

Personally I think the PCI SSC should be a bit more strict about how their name can be used to endorse systems. Hey, clerkendweller.com meets PCI DSS compliance criteria too! There's no cardholder data to begin with...

In 2005, the US Federal Financial Institutions Examination Council (FFIEC) published Authentication in an Internet Banking Environment building on their earlier work on electronic banking. A supplement to the 2005 guidance has now been published.

The 2005 guidance recommended periodic risk assessments so that control mechanisms can be adjusted to respond to changing internal and external threats. The guidance stated that authentication techniques should be appropriate to the risks associated with the product or service, but that single-factor authentication is inadequate. It also recommended building customer awareness, and minimum supervisory expectations for authentication controls relating to high-risk online transactions involving customer information and the movement of funds to other parties.

On 28th June 2011, the FFIEC announced its Supplemental Guidance on Internet Banking Authentication to reinforce the guidance's risk management framework and update the expectations for authentication, layered security and other controls in an increasingly hostile environment.

The supplementary guidance reiterates the need for risk assessments and authentication for higher-risk transactions. It also recommends a layered security approach "since virtually every authentication technique can be compromised". Its recommendations for layered security controls include fraud detection & monitoring, dual device authentication, out-of-band verification, positive pay & debit blocks, transactional limits, activity limits, geo-location IP address reputation monitoring, policies & processes for handling compromised devices and malicious users, monitoring of account maintenance activities and customer education.

So, useful information, and not just for internet banking. The guidance is a good reference source for anyone considering authentication controls for access to more sensitive information.

Thank you to Alexis Fitzgerald for bringing this document to my attention.

As a volunteer to the open and free knowledge created and distributed by the Open Web Application Security Project (OWASP), I have contributed time to a number of projects and am a member of its Global Industry Committee. But until this month I haven't been an actual project leader.

But now I have become project leader of the OWASP Codes of Conduct Project. This is intended to be the home for a series of documents that define a small number of minimal requirements for other types of organisation, specifying what are the most effective ways they could support OWASP's mission (to make application security visible, so that people and organizations can make informed decisions about true application security risks).

Three initial documents were drafted during the working session on Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies at the OWASP Summit 2011 which was led by Jeff Williams, Dave Wichers and Dinis Cruz. Although I did not attend this session due to clashing objective, I subsequently contributed to the draft documents and created a document aimed at a fourth type of organisation. The documents were labelled "codes of conduct" to imply they define normative standards, representing a minimum baseline, which should not be difficult to achieve.

During the summit, two other working sessions (Outreach to Educational Institutions and Certification) defined another code of conduct, for application security skill certifying bodies. The primary contributors were Jason Li, Jason Taylor, Martin Knobloch, Matthew Chalmers and Justin Searle.

OWASP wanted to formalize, complete and create release-quality documents, and therefore I offered to start a project and become its leader. The project will nurture these initiatives and collect feedback on the draft documents with the aim of issuing and promoting the documents later this year.

I have already standardised the formatting and content of the five codes of conduct, and raised some questions for the community to discuss. The version 1.1 (draft) documents are available from the OWASP web site as follows:

• The OWASP Application Security Code of Conduct for Government Bodies (The OWASP Green Book)
  • English version PDF
  • English version MS Word
• The OWASP Application Security Code of Conduct for Educational Institutions (The OWASP Blue Book)
  • English version PDF
  • English version MS Word
• The OWASP Application Security Code of Conduct for Standards Groups (The OWASP Yellow Book)
  • English version PDF
  • English version MS Word
• The OWASP Application Security Code of Conduct for Trade Organizations (The OWASP Purple Book)
  • English version PDF
  • English version MS Word
• The OWASP Application Security Code of Conduct for Certifying Bodies (The OWASP Red Book)
  • English version PDF
  • English version MS Word

If enough organisations can undertake these minimal requirements, we see this having a significant contribution to better application security. My plan is to gather feedback on these in the next month so that we can create peer-reviewed release-quality documents by the end of September. There is some further information on the OWASP Blog.

If you have any comments, views or ideas for these, or have skills or contacts to assist with their promotion, please let me know. The project has its own mailing list.

The European Commission has reinforced its commitment to self-regulatory guidance for social networking sites used by children and young people.

The recent survey Social Networking, Age and Privacy from EUKidsOnline has highlighted the current status of protection of children and young people on social networking sites. The report was funded by the EC and highlights the need for organisations to adopt the principles in Safer Social Networking Principles, first agreed and published in 2009.

The seven principles are:

1. Raise awareness of safety education messages and acceptable use policies to users, parents, teachers and carers in a prominent, clear and age-appropriate manner
2. Work towards ensuring that services are age-appropriate for the intended audience
3. Empower users through tools and technology
4. Provide easy-to-use mechanisms to report conduct or content that violates the Terms of Service
5. Respond to notifications of illegal content or conduct
6. Enable and encourage users to employ a safe approach to personal information and privacy
7. Assess the means for reviewing illegal or prohibited content/conduct

The survey found rather mixed results when testing these principles on 14 web sites; further sites are to be tested later this year.

PAS 124:2011 (Defining, Implementing and Managing Website Policies and Standards) has been updated, superseding PAS 124:2008 which has been withdrawn. It was issued by BSI in March.

Publicly Available Specifications (PAS) are industry-led initiatives, are not full British Standards and generally not free. They can be withdrawn and replaced at any time. However, the topic is relevant enough to make it worth mentioning here. This PAS was originally commissioned by Magus, but members of the steering group also included the Cabinet Office, LBi, Olswang LLP, SDL Tridion, Shell International B.V. and Unilever plc.

So what does this document concern itself with? PAS 124 describes how to define, implement and manage web site policies and standards, and provides suggested areas they should cover, and example governance policy and further sources of information.

The scope says whilst PAS 124 can be used for "all types of website including: static websites, dynamic websites, web portals, mobile websites, e-commerce websites and content published by organizations on external sites such as social media sites", it does not cover "web-based services and applications: software-as-a-service (SAAS)/cloud computing services, virtual learning environments and internet enabled widgets and applications (e.g. mobile applications)". That's quite odd, because dynamic web sites and e-commerce web sites are applications.

Some of the benefits in taking the approach suggested by PAS 124:2011 are "protection of brand and company reputation by ensuring a consistent high quality user experience", "minimization of online risk through compliance with legal requirements" and "securement of appropriate protection of intellectual property" and "increased user confidence through a consistent, high quality user experience". I agree with those.

And what areas does it consider should be included to "govern the content, function and appearance of websites" to acheive these benefits? These ten key areas are listed:

• Accessibility
• Brand and template
• Co-branding
• Domain name and URL structure
• Editorial and copywriting
• Legal
• Search engine optimization (SEO)
• Social media
• Usability
• Website governance policy

Now, PAS 124 does state "this list... is not exhaustive...". True. There is no mention of affiliates, advertisers, wider marketing (not just SEO), testing, analytics, optimisation, performance monitoring, supply chain management, intellectual property, disaster recovery, business continuity, and use of multiple channels.

But how are aspects like information privacy and security, and the protection of assets belonging to the company, other organisations and individuals governed? "Data protection and privacy" are mentioned briefly as an example legal issue that "might" need to be considered.

Also, the PAS explains it does not cover "the following types of technical standards: infrastructure standards (e.g. connectivity, performance and availability), security standards, code standards, or the use of semantic web technologies."

I am disappointed. Technology requires governance too. And security is not just about technical controls — the administrative and physical aspects are just as important for preventative, detective and corrective actions necessary to achieve the benefits listed in PAS 124. In Appendix C (Useful Sources of Information) under the heading "security" is states "This is an area where there are a lot of standards. Visit the BSI website to review the range of available standards", but I'm not sure that really does the area justice. No mention of untechnical aspects? Also, surely there are some technical aspects in the listed key issues of accessibility, templating, domain name and URL structure, legal and usability? I can think of quite a few.

There really is more to governing a web product today than what is listed here. PAS 124 seems to reflect the thoughts of a somewhat silo-style organisation which does not have a connected overall viewpoint. It feels like the old-fashioned web manager in the corner office; someone disassociated from the business and out-of-touch with supporting legal, marketing & information systems services. What it covers is good, but its vision is too constrained.

So, I think the PAS has set too narrow a focus for its scope — PAS 124 is more 2001 than 2011.