

Tel.: 070 - 310.13.40
Fax: 070 - 310.13.41
Joseph Ledelstraat 92
2518 KM Den Haag

          Certified Secure Website Privacy Protected Checklist

This checklist is made freely available by Certified Secure. For Certified Specialists an annotated
version is available in the Portal. Certified Secure also provides training and certification based on this
checklist, visit www.certifiedsecure.nl or contact info@certifiedsecure.nl for more information.

This checklist is a subset of the Certified Secure Website Privacy Guaranteed Checklist and should be
used as a guideline when quickly assessing the privacy protection offered by a website. When this
checklist is completed without incident, the Website Privacy Guaranteed Checklist can be used to
perform a more thorough test.


This checklist is not a replacement for creativity; it is recommended that, after completing the
checklist, some time is spent looking for unlisted or application-specific vulnerabilities and
configuration problems.

Every test on the checklist should be performed or explicitly marked as being not applicable. Once a
test is completed the checklist should be updated with the appropriate result icon and an optional
document cross reference. The filled-in checklist should not be delivered stand-alone but should be
incorporated in a document specifying at least the results, scope and context of the performed tests.

This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 Netherlands
License. The complete license text can be found online at
http://creativecommons.org/licenses/by-nd/3.0/nl/. Contact Certified Secure if you want to receive a
printed copy.

Version Information

 Version           Released                                     Comment(s)

    1.1           2007-11-11                                 Initial public version

Result Icon Legend

   Icon                                              Explanation

              Test was performed and results are okay

              Test was performed and results require attention

              Test was not applicable
                                                     Document:         CS Website Privacy Protected Checklist
                                                     Version:                                            1.1
                                                     Released:                                   2007-11-11

Term      Definition

 PII      Personal Identifying Information; any information that can be, directly or indirectly,
          correlated to a person. For example: IP addresses, session identifiers, names, addresses,
          zip codes.

#                 Certified Secure Website Privacy Protected Checklist                       Result     Ref

1.0    Documentation

1.1    All stored PII must be classified and documented

1.2    The purpose for storing the PII must be documented

1.3    The location of all stored PII must be documented

1.4    The retention period for all stored PII must be documented

2.0    Information Storage

2.1    PII must only be stored when explicitly required by law or when required by
       the business model of the collector; PII should not be stored without a clearly
       defined reason.

2.2    All PII must be deleted within 7 days unless longer retention is required by law

3.0    Security

3.1    Inter-system communications containing PII must use SSL/TLS or IPsec

4.0    Privacy Policy

4.1    A privacy policy must be clearly presented on the website

4.2    The privacy policy must state which PII is collected

4.3    The privacy policy must state the retention time for the PII collected

4.4    The privacy policy must state the scope of the privacy policy

4.5    The privacy policy must state which PII is shared with 3rd parties

4.6    The privacy policy must state how PII is shared with 3rd parties
