move or merge 8.3.5 to V7

[elarlang]

Current 8.3.5:

#	Description	L1	L2	L3	CWE
8.3.5	Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required.		✓	✓	532

First there was proposal and agreement to move it to V7, as it talks about logging: #1444 (comment), #1444 (comment)

When prepared for PR, I stopped with the question: is it covered or can be merged to 7.2.2?

#	Description	L1	L2	L3	CWE
7.2.2	[MODIFIED] Verify that all access control decisions are logged including failed attempts.		✓	✓	285

ping @tghosth

[tghosth]

8.3.5 is talking about specifically logging access to sensitive data. E.g. in law enforcement or medical settings, an application would be expected to keep an audit trail of which user's access which people's personal files.

As such I disagree with merging but would suggest some modifications:

#	Description	L1	L2	L3	CWE
8.3.5	[MODIFIED] Verify that accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required by relevant data protection requirements.		✓	✓	532

[elarlang]

I think those can be merged, as functionality and information for (current) 8.3.5 is covered by 7.2.2 anyway.

If you think it is really important to have them separately, then let it be - coverage stays. The second part of the requirement forced me to read it 3 times ...

Maybe to the direction

Verify that accessing sensitive data is logged (without logging the sensitive data itself) if it is required by relevant data protection requirements.

[tghosth]

Opened #1962 with a proposal similar to the above