These mostly sound like policies similar to those in Payment Card
Industry guidelines, but with a little more teeth for smaller
organizations (since PCI tends to be pretty lax for smaller companies,
and audits are just a form to fill out), and more general threats of
eventual violence that are typical of government organizations.
Massachusetts has been one of the more authoritarian states for quite
some time now. It's not too surprising that this sort of thing would
start there, and not too surprising that larger companies are getting
their way and making things tougher for smaller organizations.
Whatever the case, OFBiz has been through a number of PCI audits and
as long as you follow the non-software policies (like no shared
accounts, restricted physical access to servers, various other
deployment things, etc.). A fairly detailed audit of an actual
deployment of OFBiz would need to be done in order to ensure things
are all kosher, but what exists by default should be pretty close, and
any gaps should be easy to fill.
-David
On Sep 1, 2009, at 11:39 AM, John D. Hays wrote:
> The data model needs to be updated to comply with the protection of
> personal information as outlined in new laws coming on the books in
> some states, a podcast and link to the Massachusetts law can be
> found at
> http://searchcompliance.techtarget.com/generic/0,295582,sid195_gci1348710,00.html
> Current OFBiz demos provide screens that show too much PI and to my
> knowledge do not provide record encryption of key data (e.g. credit
> cards) in the database.
>
> Could the community look at ways to bring this compliance into the
> OFBiz framework?
>
> John D. Hays
> VP Information Technology
>
> Direct Line: 425-967-4226
> Toll Free: 800-537-8816
> Fax: 425-771-7166
>
> 120 West Dayton Street
> Edmonds, WA 98020-4180
>