microsoft/accessibility-insights-windows

Security questions Accessibility Insights - Windows

RababGomaa opened this issue · 6 comments

accessibility-insights - Desktop

The security team needs to complete an assessment before they accept to install the desktop version on the machines of the accessibility team. Here are a few questions that I need answers for. Thanks!

Q1 - Identification and authentication
Is there a way to uniquely identify and authenticate users prior to accessing the tool?

Q2 - Encryption:

  • Is data encrypted using the Advanced Encryption Standard algorithm (AES-256) while at rest?
  • Provide the encryption levels being used for your proposed product both in motion and at rest.

Q3 - Data collection
Please indicate the data collected by Microsoft via Accessibility Insights.

Q4 - Security recommendations
Microsoft security recommendations to apply if you follow the aforementioned requirements.

Q5 - Common Vulnerabilities and Exposures (CVE)
The Common Vulnerabilities and Exposures (CVE) system https://cve.mitre.org/cve/ provides a reference method for publicly known information-security vulnerabilities and exposures. Using the CVE list, add all CVE names and descriptions that have not been mitigated.

Hi, @RababGomaa. Our telemetry contains usage data only, with no user-identifiable data or personal data. You can find specific details about collected telemetry at https://github.com/microsoft/accessibility-insights-windows/blob/main/docs/TelemetryOverview.md. That provides actual samples of the data that we collect via telemetry, as well as how domain admins can completely disable telemetry within an organization. That said, here's an attempt at your questions:

Q1: I think the answer here is no. The only ID that we have for a given user/device combination is a randomly generated identifier that is regenerated on a monthly basis.

Q2: Please see the link above.

Q4: We have no specific security guidance. If you're concerned about telemetry, use the domain admin control that is described at the link above.

Q5: We routinely monitor for CVEs. As of right now, all known CVEs have been addressed in the product.

Please close this issue at your convenience. Thanks!

The team requires additional author feedback; please review their replies and update this issue accordingly. Thank you for contributing to Accessibility Insights!

This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. Thank you for contributing to Accessibility Insights!

Please do update.