Information Security

This page is required reading for all systems developers and operational staff for the Voluntarily platform.

Voluntarily seeks to ensure:

  • Integrity - your data is secure and accurate.

  • Confidentiality - your data is private and we don’t collect unnecessary personal information.

  • Availability - systems continue to be available and we recover quickly from incidents and disasters.

  • Respect - information issues and vulnerability reports are taken seriously and reviewed quickly, and changes are made as necessary.

 

Integrity within a system is the concept of ensuring that only authorized users can manipulate information, and only through authorized methods and procedures.

Confidentiality within a system is the concept of preventing unauthorized access to specific information or tools.

Availability within a system is the concept of authorized users being able to access the system.

Respect recognises that people are more important than software and machines. We must listen to the concerns and advice of our customers and stakeholders, following best practices.

 

Activities related to Information Security are grouped in Jira under https://voluntarily.atlassian.net/browse/VP-923?jql=text%20~%20%22platform%20security%22

 

Key Resources

Assets and Information Systems Catalogues and Owners of Technical Risk

To consistently apply an information security plan, all assets need to be catalogued. Each asset should have a specific owner who is accountable and responsible for the execution of processes that secure the asset. Asset catalogues should include information assets, technical components and information systems. Voluntarily needs to determine a risk ownership structure that considers the impact on partners and contributors to the project.

https://voluntarily.atlassian.net/browse/VP-988

https://voluntarily.atlassian.net/wiki/spaces/VP/pages/100597782

System Design - Creating a shared understanding among developers and outside contributors.

The Voluntarily platform is developed by a core set of employees as well as a wide range of outside contributors. To ensure the consistent application of security across the various modules, develop a series of engineering and design standards for:

  • Access Control

  • Cryptography

  • Operations Security

  • Communications Security

  • System Lifecycle Activities

Operational Design - Tools and processes to operate the system securely.

The team should determine an approach to monitor and maintain the security of the platform through its lifecycle. The team should implement a series of tools and processes to address:

  • System availability

  • Disaster Recovery

  • Change Management

  • Application and System Logging

  • Management of Technical Vulnerabilities

Disaster recovery and incident management plans.

The team should determine an approach to detecting and managing security incidents. The team should implement tools capable of centrally aggregating event logs and implement a process for reviewing events to determine if a security incident has taken place.

The team should develop the processes and procedures to manage the incident according to its impact and define the responsible parties. The team should define a disaster recovery plan and periodically test the plan to ensure the system can recover from a significant incident.