Facebook Data Protection Assessment · 2 July 2023

Facebook Data Protection Assessment: preventing Platform Data from being stored on organizational and personal devices

You stated above that you prevent Platform Data from being stored on organizational and personal devices. Please describe in detail how you have implemented this protection.

In my first answer I talked about permission management, separation of the development and production environments, code review and so on. Evidently the Facebook reviewer found the evidence insufficient, and I received a reply asking for more information:

This question relates to platform data saved on organizational and personal devices of employees. To reduce the risk of unauthorized Platform Data access, Developers must have either technical controls (preferred) or administrative controls (not preferred, but acceptable) relevant to Platform Data on organizational devices (e.g., laptops) and removable media. Please provide evidence of one of the following:

Technical controls – examples of technical controls include:
1) Allowing only managed devices to connect to the corporate network,
2) enforcing full disk encryption on managed devices (e.g., BitLocker),
3) Blocking removable media (e.g., USB drives) from being connected to managed devices,
4) using Data Loss Prevention (DLP) technology on managed devices.

Administrative controls – examples of administrative controls include written policy documentation and annual training about acceptable ways to handle Platform Data on organizational and personal devices.

Please see FAQ here: https://developers.facebook.com/docs/devel

In other words, the evidence was insufficient, and evidence of one of the following is required:

1. Technical controls; examples of technical controls include:
1) allowing only managed devices to connect to the corporate network;
2) enforcing full disk encryption on managed devices (e.g., BitLocker);
3) blocking removable media (e.g., USB drives) from being connected to managed devices;
4) using Data Loss Prevention (DLP) technology on managed devices.

2. Administrative controls; examples of administrative controls include written policy documentation and annual training on acceptable ways of handling Platform Data on organizational and personal devices.

For my second reply I chose administrative controls and uploaded a policy document governing data storage and use. After waiting more than 2 months for the review I assumed I had got through, but 3 months later I received the following reply:
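As an added example (not part of the original post or of Facebook's documentation), a PowerShell script that collects implementation evidence for two of the technical controls listed above, BitLocker full disk encryption and the removable-storage block, on one managed Windows device. It assumes the BitLocker PowerShell module is available and an elevated session; the registry path is the one written by the Group Policy setting "All Removable Storage classes: Deny all access", and the output file location is an assumption.

```powershell
# Added example: gather implementation evidence for device controls on a managed Windows device.
# Assumes the BitLocker module (Windows 10/11 Pro or Enterprise, or Windows Server with the
# BitLocker feature) and an elevated session.

$report = [ordered]@{
    Device      = $env:COMPUTERNAME
    CollectedAt = (Get-Date).ToString('s')
}

# Control 2: full disk encryption. Every volume should show protection On and FullyEncrypted.
$volumes = Get-BitLockerVolume
$report.BitLocker = @($volumes | ForEach-Object {
    [pscustomobject]@{
        Volume           = $_.MountPoint
        VolumeType       = $_.VolumeType
        VolumeStatus     = $_.VolumeStatus
        ProtectionStatus = $_.ProtectionStatus
        Method           = $_.EncryptionMethod
    }
})
$report.AllVolumesProtected = -not ($volumes | Where-Object { $_.ProtectionStatus -ne 'On' })

# Control 3: removable media blocked. The policy "All Removable Storage classes: Deny all access"
# sets Deny_All = 1 under this key (assumed path).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$denyAll = $null
if (Test-Path $policyKey) {
    $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
}
$report.RemovableStorageDenyAll = ($denyAll -eq 1)

# Write the evidence as JSON. Review it for hostnames or other details that must be redacted
# before uploading it to the assessment.
$outFile = Join-Path $env:TEMP 'platform-data-device-evidence.json'   # assumed output location
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8
Write-Output "Evidence written to $outFile"
$report
```

Run the script on a representative managed device and attach the JSON (or a screenshot of the output) as evidence; both boolean fields should be True for the controls to count as enforced.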

Thank you for your response, however, provided evidence is not sufficient. We need more information to determine whether you have implemented these protections in a way that meets our requirements. Please read the reviewer notes and the text below for instructions on what to do next. If we don’t receive a satisfactory response to this follow up, you will be in violation of this required protection.

Reviewer notes
1) Policy/procedure evidence was insufficient, and
2) Implementation evidence was missing

Policy/procedure evidence
Our review determined that your policy/procedure evidence was either missing or insufficient. You must respond with a written description of how you prevent Platform Data from being stored on organizational and personal devices. Your response must clearly explain how your approach relates to our requirements (https://developers.facebook.com/docs/development/maintaining-data-access/data-protection-assessment/data-security#req-org-devices). If you have enacted technical protections, such as blocking personal devices from having network access and requiring Data Loss Prevention (DLP) software on your organization’s laptops, you should describe the tools and configuration you have applied. If you are relying on administrative protections (i.e., rules or policies): 1) tell us what that policy says, 2) if the policy refers to data classification levels (e.g., public data vs confidential data), explain what category Platform Data belongs to in your classification. Note: it is NOT an acceptable approach for this protection to answer that no such policies or rules exist but that only a small number of people (e.g., administrators) have access to the data.

Implementation evidence
Our review determined that your implementation evidence was either missing or insufficient. You must respond with one or more pieces of implementation evidence that illustrate how you have enacted these protections. It may help you to refer to examples of acceptable evidence (https://developers.facebook.com/docs/development/maintaining-data-access/data-protection-assessment/data-security#evidence-org-devices) that we have included in our documentation. If you have enacted technical protections to prevent Platform Data from being stored on organizational and personal devices, include evidence from the relevant tool(s) or configuration(s) that enforce the protection.
If you are relying on administrative protections (i.e., rules or policies), your implementation evidence should demonstrate how people in your organization have been made aware of the policies, e.g., an email announcement or an audit log of employees that have signed an agreement on acceptable use of data. Remember to redact sensitive details from your evidence (https://developers.facebook.com/docs/development/maintaining-data-access/data-protection-assessment/data-security#redact-evidence) before uploading it to us.

The reviewer said that both the policy evidence and the implementation evidence were insufficient: if you rely on administrative protections (e.g., rules or policies), your implementation evidence should demonstrate how people in your organization have been made aware of the policies, for example an email announcement or an audit log of employees who have signed an acceptable data use agreement.

Perhaps the policy document I had supplied did not cover this well enough. I added a great deal, submitted again, and after less than a month the reviewer replied:

Q10.b – Thanks for your response. The policy is sufficient. However, we require implementation evidence. Please provide it. Screenshot evidence that you are informing all of your employees that storage of platform data on organizational devices is forbidden. This can come in the form of an annual training on the relevant controls, message reminders to all employees, or a contractual agreement as a condition of employment (NDAs are not typically sufficient). Please note that if you provide a contractual agreement, the agreement should specifically cover restrictions on storage of platform data to be considered for this requirement. If you do store platform data on organizational devices or have any other questions, please consult our FAQ on this requirement: (https://developers.facebook.com/docs/development/maintaining-data-access/data-protection-assessment/data-security#req-org-devices). Remember to redact sensitive details from your evidence (https://developers.facebook.com/docs/development/maintaining-data-access/data-protection-assessment/data-security#redact-evidence) before uploading it to us.

The policy is sufficient. However, we need implementation evidence. Please provide it. Screenshot evidence that you are informing all employees that storing Platform Data on organizational devices is forbidden. This can take the form of annual training on the relevant controls, reminder messages to all employees, or a contractual agreement as a condition of employment (NDAs are usually not sufficient). Note that if you provide a contractual agreement, it should specifically cover restrictions on storing Platform Data in order to be considered for this requirement.

This meant the policy document above had passed. For the implementation evidence I followed the reviewer's reply: I put together an annual training slide deck and an annual training record, scanned them to PDF and uploaded them. After about a week I received an email saying the data protection assessment was complete.

Done!

Contact email: keysolutions@foxmail.com