Personally Identifiable Information was detected on the system
Description
Personally Identifiable Information (PII) is, according to NIST Special Publication 800-122, a collective term for any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Recommendation
- Securely delete PII when there is no longer a business need for its retention on the device.
- Do not cache sensitive data.
- Minimize the frequency of asking for user credentials.
- Minimize the use of APIs that access sensitive or personal user data.
- Consider hashing user data instead of storing it in cleartext wherever the raw value is not needed.
- Some jurisdictions may require you to provide a privacy policy for accessing personal information.
Links
- Practices for Protecting Electronic Restricted Data: A Quick Reference
- CWE-200: Information Exposure
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- OWASP_MASVS_L1:
  - MSTG_ARCH_12
- OWASP_MASVS_L2:
  - MSTG_ARCH_12