Privacy
The security quality subfactor privacy is the degree to which sensitive identifications, data, and communications are kept secret from unauthorized individuals, organizations, and applications.
Privacy can be subtyped into:
The following guidelines have been found to be useful when producing privacy requirements:
- Privacy is typically maintained because disclosure could result in physical or financial harm, embarrassment, inconvenience, or unfairness to some individual or organization.
- Privacy is related to, but goes beyond, authorization, because people and applications should have access only to the data and communications for which they are authorized.
- Privacy must be consistent with any associated privacy statement.
- Privacy may involve certain legal constraints, such as laws that require certain data (e.g., credit card information, health care information) to be kept private.
- Privacy must be consistent with auditability, identification, and nonrepudiation, which require users to be identified and information about their interactions to be stored.
For example, consider a privacy-oriented eMarketplace application that acts as an intermediary between buyers, merchants, and a credit card authorization processing gateway. The buyers may not want to provide private personal information (e.g., their name, billing address, credit card number and expiration date) to merchants who do not really need it if they are not going to be the ones to obtain purchase authorizations from the credit card authorization processors. Note that electronic wallets undermine privacy because they make it easy for buyers to supply private information to merchants. Instead, the eMarketplace strongly supports privacy by:
- Hiding private customer personal information from merchants.
- Authorizing the credit card purchase for the buyer (which is why the merchant wants the private information).
- Only supplying the merchant with the non-private information (e.g., delivery address and credit payment information such as credit approval).
- Strongly encrypting all communications and storage of private information.
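As an added illustration (not part of the original guideline), the Python sketch below models the intermediary described above: the buyer's full order is held only by the eMarketplace, which obtains the authorization itself and releases to the merchant only the delivery address and credit approval, while the audit record keeps identification without the card number (the auditability guideline above). The field names, the gateway stub and its approval rule are assumptions; encryption of communications and storage is not shown.

```python
from dataclasses import dataclass, asdict
import hashlib
import json
import secrets

# Assumed field split for the intermediary (field names are constructed).
PRIVATE_FIELDS = {"name", "billing_address", "card_number", "card_expiry"}
MERCHANT_FIELDS = {"order_id", "delivery_address", "amount"}

@dataclass
class BuyerOrder:  # everything the buyer submits; only the intermediary holds it
    order_id: str
    name: str
    billing_address: str
    card_number: str
    card_expiry: str
    delivery_address: str
    amount: float

def authorize_with_gateway(order: BuyerOrder) -> tuple[bool, str]:
    """Stand-in for the authorization gateway (constructed rule: digit-only
    card number, amount up to 500). Only the intermediary calls it."""
    approved = order.card_number.isdigit() and order.amount <= 500.00
    return approved, (secrets.token_hex(4) if approved else "")

def merchant_view(order: BuyerOrder, approved: bool, code: str) -> dict:
    """Record handed to the merchant: delivery details plus credit approval.
    Private fields are dropped, and a guard refuses to emit one."""
    view = {k: v for k, v in asdict(order).items() if k in MERCHANT_FIELDS}
    view.update(credit_approved=approved, approval_code=code)
    if view.keys() & PRIVATE_FIELDS:
        raise ValueError("private field in merchant view")
    return view

def audit_record(order: BuyerOrder, approved: bool) -> dict:
    """Auditability without the private data: a one-way buyer reference
    and the last four card digits instead of the full number."""
    buyer_ref = hashlib.sha256(order.name.encode()).hexdigest()[:16]
    return {"order_id": order.order_id, "buyer_ref": buyer_ref,
            "card_last4": order.card_number[-4:], "approved": approved}

def process_order(order: BuyerOrder) -> tuple[dict, dict]:
    """Authorize on the buyer's behalf, then release the filtered view."""
    approved, code = authorize_with_gateway(order)
    return merchant_view(order, approved, code), audit_record(order, approved)

def leaks_private_data(payload: dict, order: BuyerOrder) -> bool:
    """Does any private value appear anywhere in the serialized payload?"""
    text = json.dumps(payload)
    return any(str(getattr(order, f)) in text for f in PRIVATE_FIELDS)
```

`leaks_private_data` is the check a reviewer would run over every payload that leaves the intermediary, not just the merchant view.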