To learn more, please visit xCOMPASS questionnaire page. In this repository, you can also find an Excel spreadsheet (xCOMPASS Spreadsheet v1.0.xlsx) containing xCOMPASS questionnaire that you can use to identify privacy engineering requirements for your application. It uses simple Excel spreadsheet formulas to automatically evaluate your answers. Please watch the following 42-second video for a demo of the spreadsheet.
xCOMPASS.Quickstart.mp4
It is key to identify privacy engineering requirements as early as possible in the software development lifecycle (SDL) of an application, preferrably when the application is being designed to incorporate privacy into its designed, namely privacy-by-design strategy. Unfortunately, identifying such requirements is challenging, mostly due to the following factors:
- It mostly involves human experts (i.e., threat modelers) with much manual effort.
- It is usually performed later in the SDL process, during which much development work has been finished.
- App developers are usually not familiar with privacy principles (e.g., privacy laws) that can guide the development process.
To address these limitations, we created xCOMPASS, an open-sourced framework that presents a solution that does not require much expertise/training in privacy domain to identify privacy engineering requirements during PTM.
- xCOMPASS presents a lightweight questionnaire (i.e., yes-no questions).
- It identifies privacy requirements based on the answers.
- It maps the requirements to privacy principles (e.g., privacy laws) and mitigation strategies (e.g., de-identification).
We designed xCOMPASS for people who are not privacy experts. It can benefit people in the following roles:
- Application developers
- Product designers
- Managers and organization leaders
Meanwhile, it certainly can also benefit privacy experts, such as:
- Security and privacy engineers
- Data protection engineers
- Data governance engineers
and others that work with an application and would like to identify privacy engineering requirements for the application.
xCOMPASS can be used in (but not limited to) the following use cases:
- A developer or a team of developers that create a new application that collects personal information.
- A developer or a team of developers that maintains applications that collect and store personal information.
- A privacy engineer that analyzes and maintains privacy engineering requirements for systems and applications.
- A data protection/governance engineer that works on protocols for data collection and usage in an organization.
We welcome all kinds of contributions to this repository! Please have a look at CONTRIBUTING.md for further information and guidelines.
The list of maintainers of this GitHub repository is available in MAINTAINERS.md. Please consider becoming a maintainer! 😃
Roadmap information is available in ROADMAP.md.
Jayati Dev, Bahman Rashidi, Vaibhav Garg. Models of Applied Privacy (MAP): A Persona Based Approach to Threat Modeling. In Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems (CHI '23).
- Rahmadi Trimananda. The Golden xCOMPASS: The Compass You Need to Navigate through the App-Privacy Universe! USENIX SOUPS 2024 Lightning Talks.
- Rahmadi Trimananda. The Golden xCOMPASS: The Compass You Need to Navigate through the App-Privacy Universe! IEEE Digital Privacy Workshop 2024.
- Rahmadi Trimananda. The Golden xCOMPASS: The Compass You Need to Navigate through the App-Privacy Universe! OWASP LASCON 2024.
xCOMPASS has been proudly listed as an open-sourced privacy engineering requirements identification tool on various websites, including:
- NIST Privacy Risk Assessment Tools
- CISA Free Cybersecurity Services and Tools
- OWASP Free for Open Source Application Security Tools
Licensed under Apache 2.0.