PDAT-05

Do you capture device information (e.g., IP address, MAC address)?

Explanation

This question is asking whether your organization or service collects identifying information about the devices that connect to your systems. Device information primarily includes IP addresses (which identify a device on a network) and MAC addresses (a hardware identifier unique to a network interface). This is being asked in a security assessment for several important reasons: 1. Privacy implications: Device information can be considered personally identifiable information (PII) in many jurisdictions, as it can be used to identify or track individuals. 2. Regulatory compliance: Many privacy regulations (like GDPR in Europe) require disclosure and proper handling of any collected device information. 3. Data retention policies: Organizations need to have clear policies about how long they store this information and how it's protected. 4. Purpose limitation: The assessor wants to understand why you're collecting this data and ensure it's being used only for legitimate purposes. When answering this question, you should: - Be transparent about what device information you collect - Explain why you collect it (security monitoring, fraud prevention, etc.) - Mention how long you retain this information - Describe any anonymization or pseudonymization techniques you use - Reference your privacy policy or terms of service that disclose this collection Even if the collection seems routine or necessary for operations, it's important to be explicit about your practices.

Guidance

Device information can be captured for a variety of reasons, from analytics to marketing to network management and security. It is important to know the details in order to be clear on the privacy implications.

Example Responses

Example Response 1

Yes, our application captures and logs IP addresses as part of our standard security practices We collect this information for several purposes: (1) to detect and prevent fraudulent access attempts, (2) to troubleshoot connectivity issues, and (3) to comply with legal requirements for audit trails We do not collect MAC addresses IP addresses are stored in encrypted log files for 90 days, after which they are automatically purged This collection is disclosed in our privacy policy, and we have implemented access controls to ensure only authorized security personnel can view this information We do not use IP addresses for marketing purposes or share them with third parties except when legally required.

Example Response 2

Yes, we capture both IP addresses and MAC addresses for devices connecting to our service IP addresses are collected for all users and stored for 12 months for security monitoring and fraud prevention MAC addresses are only collected for corporate-owned devices as part of our mobile device management (MDM) solution to ensure only authorized devices can access sensitive corporate resources All device information is stored in our encrypted database with strict access controls Users are informed about this collection in our privacy notice, and they can request information about their stored data through our privacy portal We implement data minimization principles and only use this information for the stated security purposes.

Example Response 3

No, our application does not currently capture or store device information such as IP addresses or MAC addresses While this might limit some security capabilities like detecting suspicious login patterns or enforcing location-based access controls, we've made this design choice to enhance user privacy Instead, we rely on other security mechanisms such as strong authentication requirements, behavior analytics that don't depend on device identifiers, and encrypted session tokens We recognize this creates some security trade-offs, but we've implemented compensating controls to address the risks If we need to investigate specific security incidents, we may temporarily enable IP logging with appropriate approvals and notifications to users.

Context

Tab
Privacy
Category
Privacy of Sensitive Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron