1 of 1

Security & Privacy Guidelines For Solution Implementing Agencies

Secure Deployment
- Follow Installation Guidelines: Adhere to the security best practices provided in the DIGIT installation scripts and documentation.
- Environment Hardening: Ensure that the deployment environment is hardened against potential threats.
- Key Management: Ensure encryption key lifecycle is managed properly. Appropriate key management tools provided by cloud providers or hardware key management solutions are deployed.
Compliance
- Privacy Policy: Ensure the deployment complies with relevant data protection and privacy regulations.
- PII Identification: Identify all personally identifiable information (PII) and ensure these are stored as part of User and Individual Service only.
Configuration
- Role Configuration: Configure roles and access based on purpose—only roles that have a purpose should be able to access that data.
- Minimal Access: Provide users/roles only the minimal access required to perform their activity.
Secure Operations
- Follow a robust security operations framework e.g. NIST to identify, protect, detect, respond and recover.
- Intrusion Detection System (IDS): Deploy IDS to monitor network traffic for suspicious activities.
- User Notification: Have procedures in place to notify users in the event of a data breach or security incident.
Data Management:
- Data Archiving: Archive and/or store data keeping in mind local laws, regulations, and domain requirements. Where possible, store aggregate or anonymized data rather than PII.
Notice and Consent
- Update and include a privacy policy (based on the product privacy policies), which details what information is collected, which roles have access to it, and the purpose of such access/usage.
- If you have integrated with third-party service providers, such that any PII is going to be shared with them (e.g. SMS providers, email providers; other public and private agencies), this should be explicitly included in the privacy policy.
- Publish a notice, with a link to the privacy policy, on the login page. Users should indicate that they have read and accepted these terms before they can log in.

Security & Privacy Guidelines For Solution Implementing Agencies

Secure Deployment
- Follow Installation Guidelines: Adhere to the security best practices provided in the DIGIT installation scripts and documentation.
- Environment Hardening: Ensure that the deployment environment is hardened against potential threats.
- Key Management: Ensure encryption key lifecycle is managed properly. Appropriate key management tools provided by cloud providers or hardware key management solutions are deployed.
Compliance
- Privacy Policy: Ensure the deployment complies with relevant data protection and privacy regulations.
- PII Identification: Identify all personally identifiable information (PII) and ensure these are stored as part of User and Individual Service only.
Configuration
- Role Configuration: Configure roles and access based on purpose—only roles that have a purpose should be able to access that data.
- Minimal Access: Provide users/roles only the minimal access required to perform their activity.
Secure Operations
- Follow a robust security operations framework e.g. NIST to identify, protect, detect, respond and recover.
- Intrusion Detection System (IDS): Deploy IDS to monitor network traffic for suspicious activities.
- User Notification: Have procedures in place to notify users in the event of a data breach or security incident.
Data Management:
- Data Archiving: Archive and/or store data keeping in mind local laws, regulations, and domain requirements. Where possible, store aggregate or anonymized data rather than PII.
Notice and Consent
- Update and include a privacy policy (based on the product privacy policies), which details what information is collected, which roles have access to it, and the purpose of such access/usage.
- If you have integrated with third-party service providers, such that any PII is going to be shared with them (e.g. SMS providers, email providers; other public and private agencies), this should be explicitly included in the privacy policy.
- Publish a notice, with a link to the privacy policy, on the login page. Users should indicate that they have read and accepted these terms before they can log in.