...

This document contains the following sections:

  • PhixFlow security design features
This section describes the approaches and features within PhixFlow that address common security vulnerabilities and ensure PhixFlow is as secure as possible.
  • Deploying PhixFlow for web access
This section provides input into your risk assessments and web deployment decisions.
  • Deploying PhixFlow for mobile access
This section describes additional deployment decisions for mobile access.


PhixFlow security design features

Secure coding

...

PhixFlow logs all access and access attempts to support forensic data analysis. In addition, all changes to configuration objects in PhixFlow are audited.
During a project, PhixFlow consultants follow a methodology that captures additional security requirements, which may include, for example, auditing changes to data records.

Deploying PhixFlow for web access

Introduction

...

To protect PhixFlow from security vulnerabilities, we recommend using a best-practice approach to identify, assess and apply operating system and web application server security updates as soon as possible.
You should also ensure that client operating systems and browsers receive security updates as soon as possible, where possible using automatic updates for high-priority security vulnerabilities.
Audit PhixFlow user accounts regularly, checking for accounts that are no longer needed or are not being used, and disable or remove them.

Deploying PhixFlow for Mobile Access

PhixFlow mobile uses the same web application as for web access, which employs responsive design and HTML5 to deliver user interfaces that are compatible with a large number of mobile phones, tablets and netbooks. This approach ensures that no confidential data is stored by PhixFlow on the device itself, and the security policies with regard to user accounts and access are centrally managed exactly as for web access.
Deploying any application for mobile access does present some additional risks. These include loss, theft or shared use of mobile devices and tablets. Other risks include incorrect data input as users can sometimes make mistakes performing data input on very small interfaces.
Because of this, a further risk assessment should be carried out prior to deploying PhixFlow involving users and technology staff, and then risk treatment agreed to reduce the likelihood or impact of any significant risks. This process is something PhixFlow consultants can facilitate or assist with if required, especially if screens and processes need to be reviewed and optimised for mobile devices.
We recommend that, in addition to following the guidelines on web access, all mobile devices used to access PhixFlow applications containing confidential data be protected from unauthorised access by applying the following controls:

...