Alexandre Chimeno Bort asked

Facebook Data Protection Assessment - Privacy Policies and Data Security

Has anyone dealt with that? I am lost.

Do you currently have an Information Security Framework in place? An Information Security Framework (ISF) or Cybersecurity Framework (CSF) is a comprehensive plan for designing, enacting and operating effective security for your organization.

Data Protection Assessment Bot: Do you have a SOC2, ISO27001, or ISO27018 certificate that is currently valid? If yes, then please note that those are considered an Information Security Framework. Please revise your answer here and upload a copy of your certificate.

If you do not have a certificate, do you take any of the following steps to protect the security of Platform Data? If yes, please list all items that apply.

- [A] Enforce encryption at rest for all Platform Data storage (e.g., all database files, backups, object storage buckets)
- [B] Enforce TLS 1.2 encryption or greater for all network connections where Platform Data is transmitted
- [C] Test your app and systems for vulnerabilities and security issues at least every 12 months
- [D] Protect sensitive data like credentials and access tokens
- [E] Test your incident response systems and processes at least every 12 months
- [F] Require multi-factor authentication for remote access
- [H] Have a system for maintaining accounts (assigning, revoking, reviewing access and privileges)
- [I] Have a system for keeping system code and environments updated, including servers, virtual machines, distributions, libraries, packages, and anti-virus software
- [J] Have a system in place for logging access to Platform Data and tracing where Platform Data was sent and stored
- [K] Monitor transfers of Platform Data and key points where Platform Data can leave the system (e.g., third parties, public endpoints)
- [L] Have an automated system for monitoring logs and other security events, and to generate alerts for abnormal or security-related events


Sarah Zhang answered

It's the answer that the team provided.

- [A] Enforce encryption at rest for all Platform Data storage (e.g., all database files, backups, object storage buckets) – The majority of data is encrypted at rest

- [B] Enforce TLS 1.2 encryption or greater for all network connections where Platform Data is transmitted – Yes

- [C] Test your app and systems for vulnerabilities and security issues at least every 12 months – Yes

- [D] Protect sensitive data like credentials and access tokens – Yes

- [E] Test your incident response systems and processes at least every 12 months – No – Although we practice our response systems

- [F] Require multi-factor authentication for remote access – Yes

- [H] Have a system for maintaining accounts (assigning, revoking, reviewing access and privileges) – Yes

- [I] Have a system for keeping system code and environments updated, including servers, virtual machines, distributions, libraries, packages, and anti-virus software – Yes

- [J] Have a system in place for logging access to Platform Data and tracing where Platform Data was sent and stored – Platform Scope: Azure – Yes, PlayFab Scope – No

- [K] Monitor transfers of Platform Data and key points where Platform Data can leave the system (e.g., third parties, public endpoints) – Yes

- [L] Have an automated system for monitoring logs and other security events, and to generate alerts for abnormal or security-related events – Yes

brendan commented:

Reviewing the responses below, I think a minor clarification to the above may help:

a) 100% of player data is encrypted at rest. There's some data unrelated to any players that isn't, and doesn't need to be. So, the only data Facebook presumably is concerned about is encrypted, yes.

e) Our incident response systems and processes are exercised at least once a week, since we have both extensive alerting built into the system that notifies us of any issues, and we have an Emergency ticket system for developers in the Premium and Enterprise tiers that pipes into that incident system. Whenever any incident is created, the on-call engineers are alerted and the incident is processed. So, "testing" the system is redundant since it's already being exercised on a regular basis. If the question can be interpreted as "do you exercise your incident response systems and processes at least every 12 months", which seems like a logical way to interpret this, the answer is yes.

dan answered

Thanks - this info is super handy! <3

dan answered

Hmmm. Putting these answers in has failed my Facebook Security test. Not good. :(
Most likely question E. Any suggestions or further info? How did it go for you, @Sarah Zhang?

dan answered

So... these answers resulted in my app failing the Facebook security test, either on ...

- [A] Enforce encryption at rest for all Platform Data storage (e.g., all database files, backups, object storage buckets) – The majority of data is encrypted at rest

...or...

- [E] Test your incident response systems and processes at least every 12 months – No – Although we practice our response systems

...the information I was given by Facebook was vague to say the least.


Any suggestions as to next steps?


This could cause problems for the games I have on Oculus, as they could well get pulled from the store. :(

Alexandre Chimeno Bort answered

My game failed

Facebook email:

Hi,

In working to create a great Platform experience for everyone, we ask developers to ensure the apps they build comply with our Platform Terms and Developer Policies. Your app Zodi Bingo free (AppId: 755941257900972) doesn't comply with the following:

Platform Terms 6.a.i.1: You must always have in effect and maintain administrative, physical, and technical safeguards that do the following: Meet or exceed industry standards given the sensitivity of the Platform Data

For more information, visit:

- Developer Policies: https://developers.facebook.com/devpolicy

- Platform Terms: https://developers.facebook.com/terms

Please make the requested changes by 2021-11-19 at 12:00 PST.

Any suggestions?

Alexandre Chimeno Bort answered

I received a new email with the requirements. I replied with the answers of @Sarah Zhang (thanks)

Facebook email i2:

Hi,

1. Require multi-factor authentication for remote access

2. Have a system for maintaining accounts (assigning, revoking, reviewing access and privileges)

3. Enforce encryption at rest for all Platform Data storage (e.g., all database files, backups, object storage buckets)

4. Test your incident response systems and processes at least every 12 months

5. Protect sensitive data like credentials and access tokens

6. Have a system for keeping system code and environments updated, including servers, virtual machines, distributions, libraries, packages, and anti-virus software

7. Have a system in place for logging access to Platform Data and tracing where Platform Data was sent and stored

8. Monitor transfers of Platform Data and key points where Platform Data can leave the system (e.g., third parties, public endpoints)

9. Do you take any of the below steps to protect the security of Platform Data? Please note and explain all that are applicable:

10. Enforce TLS 1.2 encryption or greater for all network connections where Platform Data is transmitted

11. Have an automated system for monitoring logs and other security events, and to generate alerts for abnormal or security-related events

12. Test your app and systems for vulnerabilities and security issues at least every 12 months

Thanks,

Anna Ms

Facebook

rob-1 answered

Did you pass now with those answers ?
