These mostly sound like policies similar to those in Payment Card Industry guidelines, but with a little more teeth for smaller organizations (since PCI tends to be pretty lax for smaller companies, and audits are just a form to fill out), and more general threats of eventual violence that are typical of government organizations.

Massachusetts has been one of the more authoritarian states for quite some time now. It's not too surprising that this sort of thing would start there, and not too surprising that larger companies are getting their way and making things tougher for smaller organizations.

Whatever the case, OFBiz has been through a number of PCI audits and as long as you follow the non-software policies (like no shared accounts, restricted physical access to servers, various other deployment things, etc.). A fairly detailed audit of an actual deployment of OFBiz would need to be done in order to ensure things are all kosher, but what exists by default should be pretty close, and any gaps should be easy to fill.

-David


On Sep 1, 2009, at 11:39 AM, John D. Hays wrote:

The data model needs to be updated to comply with the protection of personal information as outlined in new laws coming on the books in some states; a podcast and link to the Massachusetts law can be found at http://searchcompliance.techtarget.com/generic/0,295582,sid195_gci1348710,00.html

Current OFBiz demos provide screens that show too much PI and to my knowledge do not provide record encryption of key data (e.g. credit cards) in the database.

Could the community look at ways to bring this compliance into the OFBiz framework?


John D. Hays
VP Information Technology

Direct Line: 425-967-4226
Toll Free: 800-537-8816
Fax: 425-771-7166
        
120 West Dayton Street
Edmonds, WA 98020-4180
