[draft awaiting comments - Oct 2023]
Purpose
This Standard of Practice establishes the security requirements for web application servers running any application that PSI supports under its Platform 2.0 technology stack. The goal of this Standard of Practice is to protect the web application servers, the applications they host and the underlying server infrastructure from unauthorised access, use, disclosure, disruption, modification, or destruction.
...
This Standard of Practice applies to all web application servers operated by PSI or maintained by the PSI Digital Health Management department. It must also be followed for installations done in infrastructure belonging to other organisations as part of PSI’s contracted services. The Standard of Practice covers the following areas:
Infrastructure: how the underlying on-site or cloud infrastructure is set up to ensure security.
Authentication: how users and clients are verified and granted access to the web application server.
Authorisation: how permissions and roles are assigned and enforced for different users and clients.
Encryption: how data is encrypted in transit and at rest to prevent interception or tampering.
Backup: how data is backed up and restored in case of loss or corruption.
Disaster recovery: how the web application server is prepared and recovered from natural or man-made disasters.
Logging: how activities and events are recorded and monitored on the web application server.
Auditing: how security incidents and violations are detected and reported on the web application server.
This Standard of Practice applies to both on-premise installations and cloud-based systems.
...
what’s exposed / not exposed. Private IPs. Firewall. Denial-of-service attacks.
bastion host
2 different internet connections
...
1. Infrastructure
Infrastructure refers to the collection of hardware and software elements needed to provide the basic computing and network resources for the application servers to run. It involves one or more computing devices running various applications to guarantee network security.
The on-premise or cloud-based infrastructure must be set up in such a way that external traffic is restricted, and only the necessary resources are exposed to the open internet.
Segment the network to isolate servers from other devices and systems.
Use firewalls and intrusion detection systems to protect servers from unauthorised network access.
Use a bastion host to control the access from the public internet into your private network.
Keep all software up to date, including the operating system, security software, and server applications.
2. Authentication
Authentication protects the web application server from unauthorised access. The mechanisms used to grant users access to the servers and those used for the web application itself are different and are considered individually.
...
preferably use tokens specific to the integration
if you need to use username/password, ensure that it is transmitted over a secure channel
xxxx
Ensure that access tokens, usernames and passwords are never placed in the main code and are not uploaded into code repositories; instead they should be kept in a private .env file.
Sharing of passwords with external vendors or users.
They should never be shared in plain text via email or chat applications. They should be shared as a one-time secret.
...
never be shared via email or chat application
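As an added example (not part of this Standard of Practice or of any PSI code) of the requirement that credentials live in a private .env file and never in the code repository, the following Python shows the three checks a repository can apply to itself: parsing the .env file the application reads at start-up, flagging credential-looking string literals in source files, and confirming that .gitignore excludes .env files. All file contents below are constructed placeholders.

```python
"""Added example: keep credentials out of code and out of the repository."""
import re

# Constructed sample .env content (placeholder values, not real secrets).
SAMPLE_ENV = """\
# private configuration, never committed
API_TOKEN=example-token-0000
DB_PASSWORD='example-pass-0000'
DB_HOST=db.internal.example
"""

# Constructed sample source file that violates the rule.
BAD_SOURCE = """\
import requests
API_TOKEN = "example-token-0000"   # hard-coded credential
db_password = 'example-pass-0000'
"""

# Constructed sample source file that follows the rule.
GOOD_SOURCE = """\
import os
API_TOKEN = os.environ["API_TOKEN"]
db_password = os.environ.get("DB_PASSWORD")
"""

# Variable names that usually hold credentials.
SECRET_NAME_RE = re.compile(r"(token|password|passwd|secret|api_?key)", re.I)

# An assignment of a quoted string literal: NAME = "..." or NAME = '...'
ASSIGN_RE = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(['"]).+\2""")


def parse_dotenv(text):
    """Parse KEY=VALUE lines of a .env file into a dict; ignores comments
    and blank lines and strips matching surrounding quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def find_hardcoded_secrets(source_text):
    """Return (line_number, variable_name) for every assignment of a string
    literal to a variable whose name looks like a credential."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        match = ASSIGN_RE.match(line)
        if match and SECRET_NAME_RE.search(match.group(1)):
            findings.append((lineno, match.group(1)))
    return findings


def gitignore_covers_env(gitignore_text):
    """True if the .gitignore patterns would keep .env files out of the repo."""
    patterns = {
        line.strip()
        for line in gitignore_text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    }
    return bool(patterns & {".env", "*.env", ".env*", "/.env"})


if __name__ == "__main__":
    print("env keys:", sorted(parse_dotenv(SAMPLE_ENV)))
    print("hard-coded secrets in BAD_SOURCE:", find_hardcoded_secrets(BAD_SOURCE))
    print("hard-coded secrets in GOOD_SOURCE:", find_hardcoded_secrets(GOOD_SOURCE))
    print(".env ignored:", gitignore_covers_env(".env\n__pycache__/\n"))
```

The literal-assignment scan is deliberately simple (it only catches `NAME = "literal"` on one line); it is the kind of check that runs as a pre-commit hook so that a credential never reaches the repository history, where removing it afterwards is far harder than preventing the commit.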
Onboarding and Offboarding of users
write about this
2. Authorisation
An authorization .
On-boarding and Off-boarding of users
Onboarding
Approval: The request should be approved by the user's manager or another authorised individual.
Expiration date: if the user is to be contracted for a limited period, and the software has an expiration date feature, this should be used.
New user training: New users should be provided with training on how to use the network or system securely and effectively.
Offboarding
Notification: the HR department or relevant party should notify the system administrator of the user’s departure date.
Account deactivation: The departing user's account should be deactivated on their departure date. The account should be removed from the network or system and all access privileges should be revoked.
3. Authorisation
An authorisation Standard of Practice for a web application server is a set of rules that determine which users and groups are allowed to access which resources or processes on the web application. Authorisation policies can be based on a variety of factors, such as the user's role and user group membership. You will need to consider the security needs of your application and the types of users who will be accessing it. You should also make sure that your authorisation Standard of Practice is aligned with your business policies and procedures.
In general, you should use the principle of least privilege: only grant users the permissions they need to perform their job duties.
You should review your authorisation policies regularly to make sure they are still up-to-date and aligned with your security needs. This is particularly important during application updates, which may introduce new authorisations or user roles.
Responsibilities:
Review of the roles should be performed by
...
4. Encryption
Encryption is used to ensure that all data transmitted between the web application server and the client’s application (normally a web browser or a mobile app) is protected from unauthorised access if the transmission is intercepted. Additionally, data at rest is encrypted, so that if an unauthorised party gains access to the storage, the data is illegible. All application servers are expected to:
...
All encryption keys must be stored securely.
Encryption keys must be rotated on a regular basis.
Access to encryption keys must be restricted to authorised personnel.
...
5. Backup Standard of Practice
Web application servers must be backed up on a daily basis. Backups must be stored on at least two different media or services, one of which must be stored off-site. Backups should be encrypted to protect them from unauthorised access.
...
Testing of the backups should be performed by the designated party.
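As an added example (not part of this Standard of Practice or of any PSI tooling) of the backup test the designated party is expected to perform, the following Python builds a SHA-256 manifest of the live data before backup and then checks a restored copy against it, reporting missing, corrupted and unexpected files. The directory layout and file contents in demo_restore_test are constructed for the demonstration.

```python
"""Added example: verify a backup by restoring it and comparing checksums."""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 hex digest of its content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored directory against the manifest taken before backup.
    Returns {"missing": [...], "corrupted": [...], "extra": [...]};
    the restore test passes only when all three lists are empty."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "corrupted": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(p for p in restored if p not in manifest),
    }


def demo_restore_test():
    """Constructed scenario: a source tree, a faithful restore and a damaged one.
    Returns (result_for_good_restore, result_for_bad_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "conf"))
        with open(os.path.join(src, "app.db"), "wb") as fh:
            fh.write(b"record" * 1000)          # constructed database file
        with open(os.path.join(src, "conf", "app.ini"), "w") as fh:
            fh.write("[app]\nmode=prod\n")      # constructed config file
        manifest = build_manifest(src)

        # A good restore is a byte-for-byte copy of the backed-up tree.
        good = os.path.join(tmp, "restore_good")
        shutil.copytree(src, good)

        # A bad restore: one file truncated, one file missing, one stray file.
        bad = os.path.join(tmp, "restore_bad")
        shutil.copytree(src, bad)
        with open(os.path.join(bad, "app.db"), "wb") as fh:
            fh.write(b"record" * 10)
        os.remove(os.path.join(bad, "conf", "app.ini"))
        with open(os.path.join(bad, "leftover.tmp"), "w") as fh:
            fh.write("x")

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_result, bad_result = demo_restore_test()
    print("good restore:", good_result)
    print("bad restore: ", bad_result)
```

The manifest should be written at backup time and kept with the off-site copy, so that the restore test compares against what was actually backed up rather than against data that may have changed since; an encrypted backup that decrypts and then matches the manifest demonstrates both that the key is available and that the media is intact.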
...
6. Disaster recovery
Disaster recovery is the process of restoring systems and data to a working state after a disaster. A disaster can be a natural event, such as a flood or earthquake, or a man-made event, such as a cyberattack.
...
The origin of the attack must be determined with certainty and the necessary patches must be applied before restoration of the service is attempted. Normally the review of the logs from before the attack will provide invaluable information to diagnose the source and cause of the attack (see the Logging section).
...
7. Logging
The purpose of logging is to collect and store information about system events and activities in order to detect and respond to security incidents, as well as to facilitate the investigation and troubleshooting of system problems (performance or bugs).
All systems must generate logs that capture a sufficient level of detail to support the purposes listed above.
Logs must be collected and stored in a secure location. They should be stored in a tamper-proof format.
Logs must be retained for a period of time that is appropriate for the application in question. This is normally between 30 and 90 days.
Access to logs must be restricted to authorised personnel, normally only system administrators.
Ideally they should be transmitted to the centralised log management system using a secure protocol.
Logs must be part of the backup strategy (see the Backup section above).
Logs must be regularly reviewed and analysed to identify potential security incidents and system problems.
Security incidents and system problems identified in the logs must be investigated and resolved promptly.
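As an added example (not part of this Standard of Practice or of any PSI system) of the tamper-proof storage the logging requirements call for, the following Python keeps log entries as an HMAC hash chain: every entry carries the MAC of the previous one, so editing or deleting any record breaks verification at that point. The key and the three log events are constructed for the demonstration; in production the key comes from the key store and is held only by the log collector, not by the servers that emit the events.

```python
"""Added example: tamper-evident log entries linked by an HMAC chain."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous MAC" value for the very first entry


def _mac(key, prev_hex, event):
    """MAC over the previous entry's MAC and the canonical JSON of this event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hex.encode() + body, hashlib.sha256).hexdigest()


def append_entry(key, entries, event):
    """Append event to the chain and return the stored entry."""
    prev = entries[-1]["mac"] if entries else GENESIS
    entry = {"event": event, "prev": prev, "mac": _mac(key, prev, event)}
    entries.append(entry)
    return entry


def verify_chain(key, entries):
    """Return -1 if the whole chain verifies, otherwise the index of the first
    entry whose link or MAC does not match (an edited, forged or removed record)."""
    prev = GENESIS
    for index, entry in enumerate(entries):
        expected = _mac(key, entry["prev"], entry["event"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return index
        prev = entry["mac"]
    return -1


def demo():
    """Constructed scenario: an intact chain, an edited record and a deleted record."""
    key = b"constructed-demo-key"   # placeholder; never keep a real key in code
    events = [
        {"ts": "2023-10-01T08:00:00Z", "src": "10.0.0.5", "user": "alice", "action": "login", "result": "ok"},
        {"ts": "2023-10-01T08:02:10Z", "src": "10.0.0.9", "user": "bob", "action": "login", "result": "fail"},
        {"ts": "2023-10-01T08:05:33Z", "src": "10.0.0.5", "user": "alice", "action": "config_change", "result": "ok"},
    ]
    log = []
    for event in events:
        append_entry(key, log, event)

    edited = copy.deepcopy(log)
    edited[1]["event"]["result"] = "ok"      # someone rewrites a failed login as a success

    removed = copy.deepcopy(log)
    del removed[1]                           # someone drops the failed login entirely

    return {
        "intact": verify_chain(key, log),
        "edited": verify_chain(key, edited),
        "removed": verify_chain(key, removed),
    }


if __name__ == "__main__":
    print(demo())   # {'intact': -1, 'edited': 1, 'removed': 1}
```

One limitation worth noting: the chain cannot detect truncation of its own tail, because a shortened chain is still internally consistent. That is why the Standard asks for logs to be transmitted to the centralised log management system over a secure protocol; the collector records the latest MAC it has seen, and any copy ending earlier than that is known to be incomplete.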
...
8. Auditing
Web application auditing is the process of examining a web application to identify security vulnerabilities and compliance risks.
break this into 2 levels
...
Server
...
All web applications must be audited on a regular basis. The frequency of audits will depend on the criticality of the web application and the risks associated with it.
Web application audits must be performed using a variety of tools and techniques, including automated tools, manual code review, and penetration testing.
Web application audits must cover the following areas:
Security vulnerabilities: The audit should identify any security vulnerabilities in the web application, such as SQL injection, cross-site scripting, and broken authentication.
Compliance risks: The audit should identify any compliance risks associated with the web application, such as violations of PCI DSS or HIPAA requirements.
The findings of the web application audit must be documented and classified according to their severity.
Remediation plans must be developed and implemented to address any security vulnerabilities or compliance risks identified in the web application audit.
...