5 primary parts to a digital platform
1. Software selection
2. Content planning
3. Content modules
1. Where is my CMS or platform built? (In house, open source, vendor provided, etc.)
2. Does it provide:
c. Auditing logs?
d. Staging sites?
3. Are there patches or new revisions?
4. Have I reviewed all content for security risks?
5. Am I attentive to “easy access for employees”?
6. Is content indexable for search engines?
7. Have I ensured third-party content is secure?
8. If possible, did I encrypt the data feed?
Basic Security Measures
1. Always consider HIPAA, PCI and PII
2. Verify third-party (authorize.net, PayPal, etc.) compliance
3. Consider encrypting data where it’s stored
4. Store the minimum data needed
5. Serve modules over SSL
6. Examine downstream processes for how data is handled
Mobile Sites – Risks and considerations
· Personal devices (BYOD) and enterprise; access/content (managed and unmanaged devices)
· Jail-breaking, fake apps, QR codes
· Malware, social engineering attacks, infected SD cards
· Activity/data interception & routing, insecure data storage
· Lost or stolen devices
Mobile sites – Solutions
· Mobile Device Management (MDM)
· Policies, configuration compliance, usage
· Sanitize app user inputs, anti-malware, anti-spyware
· Provision VPN profiles, SSL VPN, secure mobile forms
· Remote data wipe, mandate PINs/passcodes
· Secure access
· Built-in firewalls
· Unique users
· Is there Multi-factor authentication?
· What are the VPN options?
· Is it isolated GovCloud or Cloud HSM?
· Is your hosting vendor certified or audited yearly by an independent party?
· Have you visited the data center?
· How will the hosting vendors help in a security incident?
· If your organization hosts, does the technical team have incident handling procedures documented?
· Have the technical teams investigated what role their ISPs will play in helping mitigate issues?
· Fail to plan, plan to fail!
Security should never be an afterthought. Use basic security principles, and the questions they answer, as guidelines. Make sure security is built into every phase.