-
-
Notifications
You must be signed in to change notification settings - Fork 675
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refresh ISO 27001 Multisession Control Statement. #1610
Comments
So I think that given we no longer mandate this anyway, I am not super worried about an updated reference. In general, I think figuring out how to comply with other regulation is not really in scope for ASVS and certainly not a key goal for 5.0. |
In 5.0, I am expecting we will need to trim down this text as much as possible anyway. |
Closing as I don't think we will take action on this |
Can @tghosth provide the context of this decision as it can fixed with a Pull Request? |
Highly likely that this sentence will be removed in 5.0 anyway |
Remove Unknown ISO 27001 Multisession Control
I am reopening this and marking it to be considered when we create the actual 5.0 draft. |
"1.6 Compliance" of MVSP mandates
* Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18
.The parent of all MVSP issues is #1151.
V3.7 Defenses Against Session Management Exploits states "Previously, based on ISO 27002 requirements, the ASVS has required blocking multiple simultaneous sessions. Blocking simultaneous sessions is no longer appropriate, ...".
ISO 27002 was updated during 2022 and therefore this statement in ASVS should reflect the latest release of ISO 27002.
I don't know if this is reflect in the latest ISO 27002 or not as I don't have it at hand at the moment.
This issue should also reconsidered when undertaking QA of each future release of ASVS.
The text was updated successfully, but these errors were encountered: