pioneerx01 Posted July 20, 2017

For the past 8 years, I have designed and hosted custom registration pages for small(er) events where users can submit their registration, upload paperwork if needed, look up their registration status, ... There are no accounts for users, only a handful of admins, no credit cards, no social security numbers, nothing critical. Admins can log in and review/edit submitted information, export it in various ways, see the paperwork, ... Code and databases are hosted on shared HostGator servers with a dedicated IP. I have SSL on all registration pages and logins. Passwords for admin accounts are salted and encrypted. All registration fields are checked for malicious code and scripts.

An organization interested in my services has asked for a "cyber security plan" and I am not exactly sure how to put that together and what to include. Any ideas? Thanks
dalecosp Posted July 20, 2017 (edited)

They're looking for assurance that they can trust you. Depending on how big/strict they are, it could be fairly small, like a few pages that say things like you've said above, or it could be a lot bigger.

As an example of "bigger", you might take a look at the Incident Response Plan docs produced by the American Institute of Certified Public Accountants (aicpa.org). One reason to do so is that they think like accountants, and accountants are usually the people that pay the bill$ you'll be sending them ... It includes discussion of an Incident Response Plan, the Incident Response Team and its members, their roles & responsibilities, notification policies, incident types, and some steps to mitigate incident effects.

https://duckduckgo.com/?q=security+incident+response+site%3Aaicpa.org&atb=v58-3_a&ia=web

Edited July 20, 2017 by dalecosp
Psycho Posted July 20, 2017

Based on your comments, here are a few things to think about addressing in your response:

". . . users can submit their registration, upload paperwork if needed, look up their registration status, ... There are no accounts for users"

1. Does any of the submitted information or documents contain PII data? If so, how do you protect that information? You say there are no accounts for users, yet they can look up their registration info. How, by email address or some other data that they previously submitted? How do you prevent others from looking up registration information about other users?

"Passwords for admin accounts are salted and encrypted."

I assume you mean hashed and not encrypted; otherwise you are doing it wrong.

Plus, they may want information on your disaster recovery plans, e.g. a malicious user jacks up your database and/or code. Do you maintain regular backups to restore the system, and what is the expected time for doing so? And "who" has access to the data?

I'd suggest doing a Google search for cyber security plans and finding one to use as a template.