[draft awaiting comments - Oct 2023]

Purpose

This policy establishes the security requirements for web application servers running any application that PSI supports under its Platform 2.0 technology stack. The goal of this policy is to protect web application servers from unauthorised access, use, disclosure, disruption, modification, or destruction.

...

If IAM is used, please refer to the IAM configuration recommendations in the Confluence page Keycloak Realm Configuration Guidelines.

If user accounts and passwords are to be set at the web application level (i.e. IAM is not being used)

...

  • All systems must generate logs that capture a sufficient level of detail to support the purposes listed above.

  • Logs must be collected and stored in a secure location. They should be stored in a tamper-proof format.

  • Logs must be retained for a period of time that is appropriate for the application in question. This is normally between 30 and 90 days.

  • Access to logs must be restricted to authorised personnel, normally only system administrators.

  • Ideally, logs should be transmitted to the centralised log management system using a secure protocol.

  • Logs must be part of the backup strategy (see section 4, Backups, above).

  • Logs must be regularly reviewed and analysed to identify potential security incidents and system problems.

  • Security incidents and system problems identified in the logs must be investigated and resolved promptly.
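The two requirements above that are easiest to get wrong in practice are the tamper-proof storage format and the retention window: naively deleting records older than the retention period destroys the evidence that the remaining records are intact. The following illustration is added here and is not part of the PSI policy or any PSI tooling. It hash-chains each log record to its predecessor (SHA-256), detects an after-the-fact edit, and prunes expired records while keeping a trust anchor so the surviving chain still verifies. The 90-day retention value and all log lines are constructed assumptions.

```python
"""Tamper-evident log chain with retention pruning (added example, not PSI code)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64          # trust anchor for an empty log
RETENTION_DAYS = 90         # assumed: upper end of the policy's 30-90 day window


def _digest(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the record before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(chain: list, ts: str, message: str) -> dict:
    """Append a record whose hash covers the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"ts": ts, "msg": message}
    entry = {"prev": prev, "ts": ts, "msg": message, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, anchor: str = GENESIS):
    """Return (ok, index_of_first_bad_entry); anchor is the hash the chain must start from."""
    prev = anchor
    for i, e in enumerate(chain):
        record = {"ts": e["ts"], "msg": e["msg"]}
        if e["prev"] != prev or _digest(prev, record) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, -1


def prune_expired(chain: list, now: datetime, days: int = RETENTION_DAYS):
    """Drop records older than the retention window; return (kept, anchor).

    The anchor is the hash of the last dropped record (or GENESIS) and must be
    stored alongside the log, otherwise the remaining chain can no longer be verified.
    """
    cutoff = now - timedelta(days=days)
    anchor, kept = GENESIS, []
    for e in chain:                      # chain is in chronological order
        if not kept and datetime.fromisoformat(e["ts"]) < cutoff:
            anchor = e["hash"]           # only a leading prefix is ever dropped
        else:
            kept.append(e)
    return kept, anchor


def demo():
    """Constructed sample: three records, one tampering attempt, one retention run."""
    chain = []
    append_entry(chain, "2023-07-01T10:00:00+00:00", "sshd: accepted publickey for deploy")
    append_entry(chain, "2023-09-15T08:30:00+00:00", "nginx: 403 /admin from 10.0.0.5")
    append_entry(chain, "2023-10-02T12:00:00+00:00", "sudo: alice ran systemctl restart app")
    intact, _ = verify_chain(chain)

    # An attacker with write access rewrites the middle record after the fact.
    tampered = [dict(e) for e in chain]
    tampered[1]["msg"] = "nginx: 200 /admin from 10.0.0.5"
    still_ok, bad_index = verify_chain(tampered)

    # Retention run on 2023-10-05: the July record falls outside 90 days.
    now = datetime(2023, 10, 5, tzinfo=timezone.utc)
    kept, anchor = prune_expired(chain, now)
    kept_ok, _ = verify_chain(kept, anchor)
    return intact, still_ok, bad_index, len(kept), kept_ok


if __name__ == "__main__":
    print(demo())
```

In a real deployment the anchor hash (or a periodic digest of the chain) would be shipped to the centralised log system over the secure channel the policy calls for, so that a compromised host cannot quietly rewrite both the records and the anchor.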

...