2.9-LTS
Platform
Domains
Design System Academy Feedback

Security & Privacy Guidelines For Solution Implementing Agencies

  1. Secure Deployment

    • Follow Installation Guidelines: Adhere to the security best practices provided in the DIGIT installation scripts and documentation.

    • Environment Hardening: Ensure that the deployment environment is hardened against potential threats.

    • Key Management: Ensure encryption key lifecycle is managed properly. Appropriate key management tools provided by cloud providers or hardware key management solutions are deployed.

  2. Compliance

    • Privacy Policy: Ensure the deployment complies with relevant data protection and privacy regulations.

    • PII Identification: Identify all personally identifiable information (PII) and ensure these are stored as part of User and Individual Service only.

  3. Configuration

    • Role Configuration: Configure roles and access based on purpose—only roles that have a purpose should be able to access that data.

    • Minimal Access: Provide users/roles only the minimal access required to perform their activity.

  4. Secure Operations

    • Follow a robust security operations framework e.g. NIST to identify, protect, detect, respond and recover.

    • Intrusion Detection System (IDS): Deploy IDS to monitor network traffic for suspicious activities.

    • User Notification: Have procedures in place to notify users in the event of a data breach or security incident.

  5. Data Management:

    • Data Archiving: Archive and/or store data keeping in mind local laws, regulations, and domain requirements. Where possible, store aggregate or anonymized data rather than PII.

  6. Notice and Consent

    • Update and include a privacy policy (based on the product privacy policies), which details what information is collected, which roles have access to it, and the purpose of such access/usage.

    • If you have integrated with third-party service providers, such that any PII is going to be shared with them (e.g. SMS providers, email providers; other public and private agencies), this should be explicitly included in the privacy policy.

    • Publish a notice, with a link to the privacy policy, on the login page. Users should indicate that they have read and accepted these terms before they can log in.

PreviousSecurity & Privacy Guidelines For Product DevelopersNextSecurity & Privacy Guidelines For Program Owners

Last updated

All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.