Embedded Application Security Best Practices
Usage of Data Collection and Storage - Privacy

It is critical to limit the collection, storage, and sharing of both personally identifiable information (PII) and sensitive personal information (SPI). Leaked information such as Social Security Numbers can compromise customers and expose manufacturers to legal repercussions. If information of this nature must be gathered, it is important to follow the principles of Privacy-by-Design.

Considerations (the list below is non-exhaustive):

  • Determine which PII/SPI is critical for device operation and whether storing it is required for business and/or operational purposes.

  • Limit storage duration to the shortest time needed for device operation.

  • Ensure the information is stored securely, i.e. in a secure environment or protected using strong cryptography.

  • Provide transparency for customers by including details about what information is being collected, stored, and distributed via privacy policies.

  • Provide a mechanism to allow the device owner to perform a factory reset to remove their personal data before transfer to another user or destruction.

  • Consider GDPR for devices that store data in the EU.

    • "… covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on."

Additional References
  • Privacy-by-design
  • https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/
  • https://blog.varonis.com/privacy-design-cheat-sheet/
  • https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
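The retention-limit and factory-reset considerations in the list above can be enforced in firmware rather than left to policy. The following C example is added here and is not part of the OWASP page or any project's code: it keeps a small in-RAM store of classified personal-data records, each tagged with the time it was collected and the longest it may be kept, purges records whose retention window has elapsed, and wipes everything on factory reset. The record kinds (PII_EMAIL, PII_NAME), the fixed sizes, and a seconds-based monotonic clock supplied by the caller are assumptions for illustration. Zeroization goes through a volatile function pointer so the compiler cannot optimise the wipe away as a dead store; encryption at rest is left to the platform's secure element or crypto library and is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: in-RAM personal-data store with per-record retention
 * and a factory-reset wipe. Kinds, sizes and the clock are assumptions. */

#define PII_MAX_RECORDS 8
#define PII_MAX_LEN     64

typedef enum { PII_NONE = 0, PII_EMAIL, PII_NAME } pii_kind_t;

typedef struct {
    pii_kind_t kind;          /* PII_NONE marks a free slot */
    uint32_t   collected_at;  /* seconds from the device's monotonic clock */
    uint32_t   retain_secs;   /* longest time the record may be kept */
    size_t     len;
    uint8_t    data[PII_MAX_LEN];
} pii_record_t;

typedef struct {
    pii_record_t rec[PII_MAX_RECORDS];
} pii_store_t;

/* Zeroize through a volatile function pointer so the compiler cannot drop
 * the "dead" store that a plain memset() before reset often becomes. */
static void *(*volatile pii_memset_v)(void *, int, size_t) = memset;

static void pii_secure_wipe(void *p, size_t n)
{
    pii_memset_v(p, 0, n);
}

void pii_store_init(pii_store_t *s)
{
    pii_secure_wipe(s, sizeof *s);
}

/* Store a record. Refuse unclassified data, oversized data and a zero
 * retention window. Returns the slot index, or -1 if rejected or full. */
int pii_store_put(pii_store_t *s, pii_kind_t kind, const uint8_t *data,
                  size_t len, uint32_t now, uint32_t retain_secs)
{
    if (s == NULL || data == NULL || kind == PII_NONE ||
        len == 0 || len > PII_MAX_LEN || retain_secs == 0)
        return -1;
    for (size_t i = 0; i < PII_MAX_RECORDS; i++) {
        pii_record_t *r = &s->rec[i];
        if (r->kind != PII_NONE)
            continue;
        r->kind = kind;
        r->collected_at = now;
        r->retain_secs = retain_secs;
        r->len = len;
        memcpy(r->data, data, len);
        return (int)i;
    }
    return -1;  /* store full: fail closed rather than over-collect */
}

/* Wipe every record whose retention window has elapsed. Unsigned subtraction
 * tolerates clock wrap-around; a clock that jumps backwards purges early,
 * which errs on the side of holding less data. Returns the number wiped. */
size_t pii_store_purge_expired(pii_store_t *s, uint32_t now)
{
    size_t wiped = 0;
    for (size_t i = 0; i < PII_MAX_RECORDS; i++) {
        pii_record_t *r = &s->rec[i];
        if (r->kind == PII_NONE)
            continue;
        if (now - r->collected_at >= r->retain_secs) {
            pii_secure_wipe(r, sizeof *r);  /* kind becomes PII_NONE */
            wiped++;
        }
    }
    return wiped;
}

size_t pii_store_count(const pii_store_t *s)
{
    size_t n = 0;
    for (size_t i = 0; i < PII_MAX_RECORDS; i++)
        if (s->rec[i].kind != PII_NONE)
            n++;
    return n;
}

/* Factory reset: erase all personal data before the device changes hands. */
void pii_store_factory_reset(pii_store_t *s)
{
    pii_secure_wipe(s, sizeof *s);
}

int main(void)
{
    pii_store_t store;
    pii_store_init(&store);
    pii_store_put(&store, PII_EMAIL, (const uint8_t *)"user@example.test", 17, 1000, 60);
    printf("records: %zu\n", pii_store_count(&store));
    printf("purged at t=1060: %zu\n", pii_store_purge_expired(&store, 1060));
    pii_store_factory_reset(&store);
    printf("after reset: %zu\n", pii_store_count(&store));
    return 0;
}
```

Call pii_store_purge_expired() from a periodic task and pii_store_factory_reset() from the owner-triggered reset path; on a real device the same wipe must also cover any copy of the records in flash or external storage, which a RAM memset does not reach.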