Security and Compliance

Overview

This page aims to give some guidance on the areas you should consider as you integrate the service you are building on PhixFlow into your risk management, audit and compliance programs.

See also - this describes how PhixFlow is designed to be secure. This may be useful when completing security assessments that apply to this service.

Risk Assessments

We recommend your risk assessment process includes the following:

  • User types – staff, contractors, associates.

  • Dialogue with end-users as well as technology staff, to identify and understand the risks and existing counter-measures.

  • Device types and who owns and manages them.

  • Locations where the system will be accessed from e.g. homes, offices, public areas.

  • Treatment of any high priority risks identified by applying good or best practices in network and firewall configuration, intrusion detection and prevention strategies, server hardening, configuration, deployment, application monitoring and usage guidelines.

General Recommendations for Using PhixFlow Securely

  • Implement least privilege access by:

    • Only placing users in groups appropriate for the tasks they need to do.

    • Reviewing accounts used by PhixFlow solutions for access to databases and email accounts, ensuring they only have the level of access needed.

    • Limiting the number of administrators or accounts with full access.

    • Not using the system for testing or development, as testing commonly requires additional user accounts and relaxed authorisation.

Hardening

The following table lists the areas that require hardening, with recommendations for each.

| Area to Harden | Recommendations |
|---|---|
| Operating Systems | Refer to the PhixFlow system planning guide and vendor recommendations |
| Apache Tomcat application server | Refer to the PhixFlow system planning guide and vendor recommendations |
| PhixFlow Database server | Refer to the PhixFlow system planning guide and database vendor recommendations |
| PhixFlow Application | Refer to the PhixFlow Installation guide for installation with least-privilege access and removal of installation files and users. |
| PhixFlow Solutions Configuration | Review the permissions implemented on any applications. Audit users and remove any that no longer require access. Ensure a strong password policy is used. |

Intrusion Detection & Prevention (ID/IP)

If your company currently uses intrusion detection monitoring tools, the following information may be helpful.

| Whitelist/Blacklist | Pattern | Description |
|---|---|---|
| Blacklist | .php, .exe, .asp, .aspx, | PhixFlow does not use any of these file extensions |
| Blacklist | ..\ – <! </script> | Requests with these character combinations are not required |
| Whitelist | ? & : | PhixFlow uses these characters in the URL |
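
The patterns in the table above, applied to request targets as an added example (this is not PhixFlow's own code). Percent-encoding is decoded before matching so encoded forms of the patterns are caught; matching extensions on the path only, the decode limit and the sample targets are assumptions.

```python
from urllib.parse import unquote

# Patterns copied from the table above; the en dash is kept as printed there.
BLOCKED_EXTENSIONS = (".php", ".exe", ".asp", ".aspx")
BLOCKED_SEQUENCES = ("..\\", "–", "<!", "</script>")
MAX_DECODE_ROUNDS = 3  # assumption: deeper nesting is treated as hostile


def fully_decode(value):
    """Percent-decode until stable; None if still encoded after the limit."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value if unquote(value) == value else None


def classify(request_target):
    """Return (verdict, reason) for a request target (path plus query)."""
    decoded = fully_decode(request_target)
    if decoded is None:
        return ("block", "nested encoding")
    lowered = decoded.lower()
    for seq in BLOCKED_SEQUENCES:
        if seq in lowered:
            return ("block", "sequence " + seq)
    # Extensions are matched on path segments only (an assumption), so the
    # '?', '&' and ':' that PhixFlow uses in URLs never cause a match.
    path = lowered.split("?", 1)[0]
    for segment in path.split("/"):
        name = segment.split(";", 1)[0]  # drop ;jsessionid-style parameters
        if name.endswith(BLOCKED_EXTENSIONS):
            return ("block", "extension in " + name)
    return ("allow", "no blocked pattern")


# Constructed sample request targets, not taken from a real PhixFlow log.
SAMPLES = [
    "/phixflow/app?view=orders&filter=status:open",
    "/phixflow/admin.PHP;jsessionid=0A1B",
    "/phixflow/..%5C..%5Cconf",
    "/phixflow/app?q=%253C%2Fscript%253E",
    "/phixflow/report?name=summary.exe",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target), target)
```
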

Deploying PhixFlow for Mobile Access

PhixFlow mobile uses the same web application as for web access, which employs responsive design and HTML5 to deliver user interfaces that are compatible with a large number of mobile phones, tablets and netbooks. This approach ensures that no confidential data is stored by PhixFlow on the device itself, and the security policies with regard to user accounts and access are centrally managed exactly as for web access.

Deploying any application for mobile access does present some additional risks. These include loss, theft or shared use of mobile devices and tablets. Other risks include incorrect data input as users can sometimes make mistakes performing data input on very small interfaces.

Because of this, a further risk assessment should be carried out prior to deploying PhixFlow involving users and technology staff, and then risk treatment agreed to reduce the likelihood or impact of any significant risks. This process is something PhixFlow consultants can facilitate or assist with if required, especially if screens and processes need to be reviewed and optimised for mobile devices.

We recommend that, in addition to following the guidelines on web access, all mobile devices used to access PhixFlow applications containing confidential data be protected from unauthorised access by applying the following controls:

Centrally Managed Mobile Devices

We recommend that all mobile devices should be centrally managed to ensure updates are applied and security vulnerabilities are patched in accordance with the customer's security policy.
We recommend that the remote management allows lost or stolen devices to be remotely wiped of all data and settings.

Auto-lock / PIN Unlock

We recommend all devices have an auto-lock feature that requires a PIN or passcode to unlock it.

Restrict Use in Public Places

We recommend that customers have a policy in place that limits the viewing of large amounts of confidential data on tablets and laptops in busy areas such as trains, hotel bars and cafes.

Review Read-only Access

When data does need to be entered or viewed in public places, we recommend that customers review screens, processes and access controls to reduce the volume of data.