Jump to content

Recommended Posts

For past 8 years, I design and host custom registration pages for small(er) events where users can submit their registration, upload paperwork if needed, look up their registration status, ... There are no accounts for users, only handful of admins, no credit cards, no social security numbers, no anything critical. Admins can log in and review/edit submitted information, export them in various ways, see the paperwork,...

 

Code and databases are hosted on shared HostGator servers with dedicated IP. I have SSL on all registration pages and log ins. Passwords for admin accounts are salted and encrypted. All registration fields are checked for malicious codes and scripts. 

 

Organization interested in my services has asked for "cyber security plan" and I am not exactly sure how to put that together and what to include. 

Any ideas?

 

Thanks

They're looking for assurance they can trust you. Depending on how big/strict they are, it could be fairly small, like

a few pages that say things like you've said above, or it could be a lot bigger.

 

As an example of "bigger", you might take a look at the Incident Response Plan docs produced by the American Institute of

Certified Public Accountants (aicpa.org). One reason to do so is that they think like accountants, and accountants are

usually the people that pay the bill$ you'll be sending them ...

 

It includes discussion of an Incident Response Plan, the Incident Response Team and its members, their roles & responsibilities,

notification policies, incident types, and some steps to mitigate incident effects.

 

https://duckduckgo.com/?q=security+incident+response+site%3Aaicpa.org&atb=v58-3_a&ia=web

Edited by dalecosp

Based on your comments, here are a few things to think about addressing in your response:

 

 

 

. . . users can submit their registration, upload paperwork if needed, look up their registration status, ... There are no accounts for users

1. Does any of the submitted information or documents contain PII data? If so, how do you protect that information. You say there are no accounts for users - yet they can look up their registration info. How, by email address or some other data that they previously submitted? How do you prevent others from looking up registration information about other users?

 

 

 

Passwords for admin accounts are salted and encrypted. 

I assume you mean hashed and not encrypted - otherwise you are doing it wrong?

 

Plus, they may want information on your disaster recovery plans - e.g. a malicious user jacks up your database and/or code. Do you maintain regular backups to restore the system and what is the expected time for doing so. And "who" has access to the data?

 

I'd suggest doing a google search for cyber security plans and find one to use as a template.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.