Secure Deployment
Follow Installation Guidelines: Adhere to the security best practices provided in the DIGIT installation scripts and documentation.
Environment Hardening: Ensure that the deployment environment is hardened against potential threats.
Key Management: Ensure the encryption key lifecycle is managed properly and that appropriate key management tools, either those provided by cloud providers or hardware key management solutions, are deployed.
Compliance
Privacy Policy: Ensure the deployment complies with relevant data protection and privacy regulations.
PII Identification: Identify all personally identifiable information (PII) and ensure it is stored as part of User and Individual Service only.
Configuration
Role Configuration: Configure roles and access based on purpose—only roles that have a purpose should be able to access that data.
Minimal Access: Provide users/roles only the minimal access required to perform their activity.
Secure Operations
Follow a robust security operations framework, e.g. NIST, to identify, protect, detect, respond and recover.
Intrusion Detection System (IDS): Deploy IDS to monitor network traffic for suspicious activities.
User Notification: Have procedures in place to notify users in the event of a data breach or security incident.
Data Management
Data Archiving: Archive and/or store data keeping in mind local laws, regulations, and domain requirements. Where possible, store aggregate or anonymized data rather than PII.
Notice and Consent
Update and include a privacy policy (based on the product privacy policies), which details what information is collected, which roles have access to it, and the purpose of such access/usage.
If you have integrated with third-party service providers such that any PII is going to be shared with them (e.g. SMS providers, email providers, or other public and private agencies), this should be explicitly included in the privacy policy.
Publish a notice, with a link to the privacy policy, on the login page. Users should indicate that they have read and accepted these terms before they can log in.