Play 11: Manage security and privacy through reusable processes
Contact the appropriate privacy or legal officer of the department or agency to determine whether a System of Records Notice (SORN), Privacy Impact Assessment, or other review should be conducted
This is not applicable for the prototype. This will be addressed for a production application.
Determine, in consultation with a records officer, what data is collected and why, how it is used or shared, how it is stored and secured, and how long it is kept
This is not applicable for the prototype. This will be addressed for a production application.
Determine, in consultation with a privacy specialist, whether and how users are notified about how personal information is collected and used, including whether a privacy policy is needed and where it should appear, and how users will be notified in the event of a security breach
This is not applicable for the prototype. This will be addressed for a production application.
Consider whether the user should be able to access, delete, or remove their information from the service
This is not applicable for the prototype. This will be addressed for a production application.
“Pre-certify” the hosting infrastructure used for the project using FedRAMP
This is not applicable for the prototype. This will be addressed for a production application.
Use deployment scripts to ensure the configuration of the production environment remains consistent and controllable
Source control and DevOps tools are being used to keep the development, test, and production environments consistent.
These questions apply more to a production environment than to a prototype and so are not addressed in this response. General information on Bluemix security is provided below.
Does the service collect personal information from the user? How is the user notified of this collection?
Does it collect more information than necessary? Could the data be used in ways an average user wouldn't expect?
How does a user access, correct, delete, or remove personal information?
Will any of the personal information stored in the system be shared with other services, people, or partners?
How and how often is the service tested for security vulnerabilities?
How can someone from the public report a security issue?
Designed with secure engineering practices, the IBM® Bluemix platform has layered security controls across network and infrastructure. Bluemix provides a group of security services that can be used by application developers to secure their mobile and web apps. These elements combine to make Bluemix a platform with clear choices for secure application development.
Bluemix ensures security readiness by adhering to security policies that are driven by best practices in IBM for systems, networking, and secure engineering. These policies include practices such as source code scanning, dynamic scanning, threat modeling, and penetration testing. Bluemix uses IBM SoftLayer Infrastructure-as-a-Service (IaaS) cloud services and takes full advantage of its security architecture. SoftLayer IaaS provides multiple, overlapping tiers of protection for applications and data.