The Online Trust Alliance (OTA) is an Internet Society initiative that aims to enhance online trust, user empowerment, and innovation through convening multistakeholder initiatives and developing and promoting best practices, ethical privacy practices, and data stewardship. One of OTA’s major activities is the Online Trust Audit & Honor Roll, which promotes responsible online privacy and data security practices and recognizes leaders in the public and private sectors who have embraced them. This morning, we released the methodology we’ll use for this year’s audit.
The report will analyze more than 1,000 websites on consumer protection, site security, and responsible privacy practices. Based on a composite weighted analysis, sites that score 80 percent or better overall, without failing in any one category, will be recognized in the Honor Roll.
Building largely on past criteria, this year’s updates include GDPR compliance and other security and privacy standards and practices, as well as the addition of a healthcare sector. From the press release:
Key changes to this year’s Audit include:
• Consumer Protection (email authentication, domain security and anti-phishing technologies) – more granular assessment of Domain-based Message Authentication, Reporting and Conformance (DMARC) support, and increased weight for use of opportunistic Transport Layer Security (TLS), which encrypts email between servers
• Site Security (site configuration, TLS/SSL infrastructure, presence of site vulnerabilities, observed malware, and related security and data protection enhancing controls) – increased weight for “HTTPS-everywhere” and elements such as patching cadence, application and network security, as well as bonus points for Certificate Authority Authorization (CAA)
• Privacy (policies and practices including data retention, disclosures, user anonymity, third-party data sharing, opt-out mechanisms and observing sensitive data barriers) – increased weight for archived privacy policies, broader inclusion of settlements and breaches, and bonus points for support of General Data Protection Regulation (GDPR) language
The full 2018 Audit methodology is posted at https://otalliance.org/2018Methodology.
You can see last year’s Audit here, and many organizations may find Appendix E, the Best Practice Checklist, especially useful.