Security assessment template

This page covers the openIMIS applications; for infrastructure security, see the separate page: Infrastructure security.

The following points can be assessed in order to strengthen system security. They are only a few basic indicators to get started; securing an online application requires constant updates and checks by the system administrators to keep up with current standards.

Example assessment grades: not implemented, implemented, partially implemented, in implementation, to be clarified.

| # | Category | Area | Check |
|---|----------|------|-------|
| 1 | Technical Implementation | Authorization | Role-based security is used in the web application to differentiate users that can read data, users that can write data and users that can configure/administer the system. |
| 2 | Technical Implementation | Authentication | Users are authenticated through username and password when accessing the software. |
| 3 | Technical Implementation | Authentication | Usernames are limited to the following characters: A-Z, a-z, 0-9. |
| 4 | Technical Implementation | Authentication | The application has login and logout functionality. |
| 5 | Technical Implementation | Authentication | Logout functionality is available on all pages of the web application. |
| 6 | Technical Implementation | Authentication | Application access passwords must be at least 8 characters long and contain characters from at least one of the following sets: space, A-Z, a-z, 0-9, `!"#$%&'()*+,-./:;<=>?@[\]^_`{\|}~` |
| 7 | Technical Implementation | Authentication | Application access passwords do not use dictionary words. |
| 8 | Technical Implementation | Authentication | Application access passwords must be changed every 2 months, otherwise user access is blocked. |
| 9 | Technical Implementation | Authentication | Accounts that have not logged in for 2 months are blocked. |
| 10 | Technical Implementation | Authentication | After 3 wrong passwords are entered for a valid login within one day, the respective user account is blocked. |
| 11 | Technical Implementation | Authentication | After 10 minutes of inactivity the user is logged out. |
| 12 | Technical Implementation | Authentication | ‘Admin’ or ‘Administrator’ logins do not exist. An administrator (a user that can access the application administration area) has a regular account name like any other user (e.g. ‘gcastro’); the only difference is in the privileges that are granted. |
| 13 | Technical Implementation | Authentication | A user with the administration role has to provide their login and password again when performing administration actions that change or delete data. |
| 14 | Technical Implementation | Auditing | The web application has Audit Trail functionality that records WHO did WHAT (data entered/changed/deleted, configurations changed, logins, logouts) and WHEN (server timestamp). No debug messages are recorded. Only new information can be written; older records cannot be rewritten or deleted. The Audit Trail is only accessible to administrators. |
| 15 | Technical Implementation | Authorization | Only users with the Administrator role can access the Audit Trail. |
| 16 | Technical Implementation | Authorization | Only system administrators can unblock an account. |
| 17 | Technical Implementation | Authorization | The least privileged accounts possible are used to run the application and to connect it to the web server or database. |
| 18 | Technical Implementation | Authorization | User accounts are assigned just enough privileges to perform their tasks. |
| 19 | Technical Implementation | Authorization | Users are not administrators, and vice versa. |
| 20 | Technical Implementation | Encryption | Patient identification data is transmitted encrypted. |
| 21 | Technical Implementation | Encryption | Patient identification data is stored encrypted in the database. |
| 22 | Technical Implementation | Encryption | User credentials are transmitted encrypted. |
| 23 | Technical Implementation | Encryption | User credentials are stored encrypted in the configuration files and in the database. Files containing cryptographic keys have restrictive file permissions. |
| 24 | Technical Implementation | Encryption | Data encryption is performed using proven cryptographic services provided by the platform (e.g. OpenSSL). |
| 25 | Technical Implementation | Client-Server Communication | The web application runs over HTTPS and each user has their own HTTPS certificate that authenticates them when interacting with the application server. |
| 26 | Technical Implementation | Client-Server Communication | HTTP POST is used instead of GET to submit forms. |
| 27 | Technical Implementation | Exceptions | Exceptions thrown during application execution are handled and logged, and only generic, harmless error messages are returned to the user. |
| 28 | Technical Implementation | Validation | All input accepted by the web application (query strings, form fields, cookies) is validated for type, length, format and range in the different software layers. |
| 29 | Documentation | Manuals | A User Manual (detailing how to use the system) exists. |
| 30 | Documentation | Manuals | A Technical Manual (detailing system architecture, installation/configuration and maintenance) exists. |
| 31 | Physical Infrastructure | Server rooms | The servers on which the application is deployed are physically located in dedicated server rooms. |
| 32 | Physical Infrastructure | Server rooms | The server rooms are locked and only authorized personnel can access them. |
| 33 | Physical Infrastructure | Server rooms | The server rooms are kept at a constant temperature of around 20-21°C. |
| 34 | Physical Infrastructure | Server rooms | The server rooms have fire prevention systems (such as alarms or fire extinguishers). |
| 35 | Physical Infrastructure | Server rooms | The server rooms have clear walking pathways so that personnel do not risk tripping on cables or devices. |
| 36 | Physical Infrastructure | Server rooms | Device interfaces and cables within the server rooms can be physically accessed without moving equipment. |
| 37 | Physical Infrastructure | Server rooms | Server rooms are professionally cleaned at least once every three months. |
| 38 | Physical Infrastructure | Equipment | Electrical devices in the server rooms are protected against voltage spikes (e.g. through a surge protector). |
| 39 | Physical Infrastructure | Equipment | In the event of a power failure, power supply to the electrical equipment in the server rooms is still assured (through an uninterruptible power supply (UPS) and/or a backup generator). |
| 40 | Physical Infrastructure | Equipment | Cables are not stretched, tightly tied or bent. |
| 41 | Physical Infrastructure | Equipment | Cables running in parallel are tied together. |
| 42 | Physical Infrastructure | Equipment | Technical manuals are available for the devices present in the server rooms. |
| 43 | Physical Infrastructure | IT Infrastructure | Server heat dissipation outlets are not blocked. |
| 44 | Physical Infrastructure | IT Infrastructure | Hardware firewalls are used at the "entry" of the client and server networks and are properly configured to analyse and filter data packets. |
| 45 | Physical Infrastructure | IT Infrastructure | The servers where the application is deployed use disk protection technology such as RAID. |
| 46 | Infrastructure - Network | Concept | An Intrusion Detection and Prevention System is operational within the client and server networks to monitor network and/or system activity for malicious activity and policy violations. |
| 47 | Infrastructure - Network | Configuration | Routers on the client- and server-side networks are configured to restrict their responses to footprinting requests. |
| 48 | Infrastructure - Network | Configuration | Operating systems on the client and server sides are configured to prevent footprinting by disabling unused protocols and services as well as unnecessary ports. |
| 49 | Infrastructure - Network | Configuration | Routers at the entry of the network, at client and server levels, filter incoming packets that appear to come from an internal IP address of the network. |
| 50 | Infrastructure - Network | Configuration | Routers at the entry of the network, at client and server levels, filter outgoing packets that appear to originate from an invalid local IP address. |
| 51 | Infrastructure - Host | Required software | The software required to run the application (operating system, frameworks, etc.) is installed and configured. |
| 52 | Infrastructure - Host | Required software | Anti-malware and anti-virus software is installed on both server and client machines. |
| 53 | Infrastructure - Host | Authentication | Passwords for access to servers, client computers and supporting software (e.g. the database management system) must include at least 8 characters, including numbers, both upper- and lower-case letters, and special characters. |
| 54 | Infrastructure - Host | Authorization | System commands, files and utilities on the servers are locked down with restrictive Access Control Lists. |
| 55 | Infrastructure - Host | Configuration | The web server rejects URLs containing "../". |
| 56 | Infrastructure - Host | Configuration | Functionality that lets the user ask the browser to remember their credentials (login, password) for application access is disabled. |
| 57 | Infrastructure - Host | Configuration | Application configuration is not accessible to anyone besides system administrators and the application itself. |
| 58 | Processes | SOPs | Relevant operational SOPs are available (for Backup and Restore procedures, Disaster Recovery, Incident Management, Operational Change & Configuration Management, Performance Monitoring, Security Management, System Administration, User Support) and are followed. |
| 59 | Processes | Backups | Data backups are performed automatically every night on the ‘production’ data (including application data, configurations and audit trail records) and stored in more than one geographical location. |
| 60 | Processes | Required software | The software required to run the application (operating system, frameworks, etc.) on the server and on the client machines is not updated automatically, and updates are tested before deployment. |
| 61 | Processes | Privileges | Users receive a security role within the application that allows them to perform their work and nothing more. |
| 62 | Processes | Configuration | Security-related configuration settings for software and hardware devices are reviewed for adequacy at installation and at least twice per year. |
| 63 | Processes | Authentication | Application logins are unique for each user. There are no shared logins. |
| 64 | Processes | User Behaviour | Logout: users are advised to close the session and clear any cookies left in the browser. |
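The authentication checks above (3, 6, 7, 8, 9, 10, 11 and the administrator-only unblock of 16) are stated as policy; the following added example, which is not openIMIS code, shows how an application could enforce them. The thresholds are the template's own; the 2-month periods are approximated as 61 days, the dictionary word list is a constructed stand-in, and the `Account` class, function names and fixed timestamps in `run_scenario()` are assumptions made for this illustration.

```python
"""Added example: enforcing the authentication checks of the assessment template.
Not openIMIS code; thresholds come from the template, everything else is assumed."""
import re
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

USERNAME_RE = re.compile(r"^[A-Za-z0-9]+$")       # check 3: only A-Z, a-z, 0-9
MIN_PASSWORD_LEN = 8                               # check 6
PASSWORD_CLASSES = {                               # check 6: the allowed character sets
    "space": " ",
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,                 # !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
}
ALLOWED_PASSWORD_CHARS = set("".join(PASSWORD_CLASSES.values()))
DICTIONARY_WORDS = {"password", "welcome", "summer"}  # check 7: constructed stand-in word list
PASSWORD_MAX_AGE = timedelta(days=61)              # check 8: "2 months" (61 days assumed)
INACTIVE_ACCOUNT_AGE = timedelta(days=61)          # check 9: "2 months" (61 days assumed)
MAX_FAILED_LOGINS = 3                              # check 10
FAILED_LOGIN_WINDOW = timedelta(days=1)            # check 10: "within one day"
SESSION_IDLE_TIMEOUT = timedelta(minutes=10)       # check 11


def username_is_valid(username: str) -> bool:
    """Check 3: usernames are limited to A-Z, a-z, 0-9."""
    return bool(USERNAME_RE.fullmatch(username))


def password_problems(password: str, min_classes: int = 1) -> list:
    """Checks 6 and 7. Empty list means the password is acceptable.
    min_classes=1 is the template's literal wording; raise it for a stricter mix."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not set(password) <= ALLOWED_PASSWORD_CHARS:
        problems.append("contains characters outside the allowed sets")
    used = sum(1 for chars in PASSWORD_CLASSES.values() if any(c in chars for c in password))
    if used < min_classes:
        problems.append(f"uses {used} character class(es), fewer than {min_classes}")
    if password.lower() in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    return problems


@dataclass
class Account:
    username: str
    password_changed_at: datetime
    last_login_at: datetime
    blocked: bool = False                               # cleared only by an administrator (check 16)
    failed_logins: list = field(default_factory=list)   # timestamps of recent wrong passwords

    def record_failed_login(self, now: datetime) -> bool:
        """Check 10: block after MAX_FAILED_LOGINS wrong passwords within one day.
        Returns True if the account is blocked after this attempt."""
        self.failed_logins = [t for t in self.failed_logins if now - t < FAILED_LOGIN_WINDOW]
        self.failed_logins.append(now)
        if len(self.failed_logins) >= MAX_FAILED_LOGINS:
            self.blocked = True
        return self.blocked

    def login_blockers(self, now: datetime) -> list:
        """Checks 8, 9 and 10: reasons a login must be refused (empty list = may proceed)."""
        reasons = []
        if self.blocked:
            reasons.append("account blocked; an administrator must unblock it")
        if now - self.password_changed_at > PASSWORD_MAX_AGE:
            reasons.append("password older than 2 months")
        if now - self.last_login_at > INACTIVE_ACCOUNT_AGE:
            reasons.append("no login for 2 months")
        return reasons


def session_is_alive(last_activity: datetime, now: datetime) -> bool:
    """Check 11: the session ends after 10 minutes of inactivity."""
    return now - last_activity <= SESSION_IDLE_TIMEOUT


def run_scenario() -> dict:
    """Constructed walk-through with fixed timestamps (assumed values, not real data)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("gcastro", t0 - timedelta(days=10), t0 - timedelta(days=1))
    before = acct.login_blockers(t0)
    lockout = [acct.record_failed_login(t0 + timedelta(hours=h)) for h in (0, 1, 2)]
    after = acct.login_blockers(t0 + timedelta(hours=2))
    spread = Account("maria1", t0, t0)          # 3 failures spread over more than a day
    spread_seq = [spread.record_failed_login(t0 + timedelta(hours=h)) for h in (0, 12, 25)]
    stale = Account("old1", t0 - timedelta(days=90), t0 - timedelta(days=90))
    return {
        "before": before, "lockout": lockout, "after": after, "spread": spread_seq,
        "stale": stale.login_blockers(t0),
        "session": (session_is_alive(t0, t0 + timedelta(minutes=10)),
                    session_is_alive(t0, t0 + timedelta(minutes=11))),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The failed-login window is sliding: only attempts from the last 24 hours count, so three wrong passwords spread over 25 hours do not block the account, while three within two hours do. Once `blocked` is set, nothing in this module clears it, mirroring check 16.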
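Checks 28 and 55 ask for every submitted parameter to be validated for type, length, format and range, and for URLs containing "../" to be rejected. The following added example, not openIMIS code, shows a per-field rule table and a request validator for check 28, and a path check for check 55. The field names and rules are constructed for the illustration; the path check goes slightly beyond the template's literal wording by percent-decoding the path (twice) before looking for a `..` segment, so that encoded forms of the same sequence are also rejected.

```python
"""Added example: input validation (check 28) and '../' rejection (check 55).
Not openIMIS code; field names and rules below are constructed."""
import re
from urllib.parse import unquote

# Constructed rules: every accepted field declares its type, length, format and range.
FIELD_RULES = {
    "insuree_number": {"type": str, "max_len": 12, "pattern": re.compile(r"[0-9]{8,12}")},
    "username":       {"type": str, "max_len": 32, "pattern": re.compile(r"[A-Za-z0-9]+")},
    "page_size":      {"type": int, "min": 1, "max": 100},
}


def validate_field(name: str, raw: str):
    """Validate one raw parameter (query string, form field or cookie value).
    Returns (True, normalised_value) or (False, reason)."""
    rule = FIELD_RULES.get(name)
    if rule is None:                                  # unknown fields are never accepted
        return False, f"unknown field {name!r}"
    if rule["type"] is int:
        if not re.fullmatch(r"-?[0-9]+", raw):       # type check before conversion
            return False, "not an integer"
        value = int(raw)
        if not rule["min"] <= value <= rule["max"]:  # range check
            return False, f"out of range {rule['min']}..{rule['max']}"
        return True, value
    if len(raw) > rule["max_len"]:                   # length check
        return False, "too long"
    if not rule["pattern"].fullmatch(raw):           # format check
        return False, "bad format"
    return True, raw


def validate_request(params: dict):
    """Validate every submitted parameter; returns (clean_values, errors).
    A request with any entry in errors must be rejected as a whole."""
    clean, errors = {}, {}
    for name, raw in params.items():
        ok, result = validate_field(name, raw)
        (clean if ok else errors)[name] = result
    return clean, errors


def url_has_traversal(path: str) -> bool:
    """Check 55: reject a path containing a '..' segment.
    Decoding twice catches single and double percent-encoding (e.g. %2e%2e, %252e%252e)."""
    decoded = unquote(unquote(path))
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


if __name__ == "__main__":
    print(validate_request({"page_size": "10", "username": "gcastro", "colour": "red"}))
    print(url_has_traversal("/files/%2e%2e/app.config"))
```

Validation is deliberately allow-list based: a parameter is only accepted if a rule exists for it and the value passes that rule, which is the stance check 28 describes for every software layer.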