Chapter 7 DXp InformatIon SeCurIty • Define the process for responding to incidents related to breach or theft of private data. The process should identify the roles and responsibilities during a data breach incident. • Encrypt private data when it is stored or when it is being transferred. • If the private information is stored in physical records, they should be secured in locked cabinets and should be destroyed at the earliest time. Information Security Best Practices This section discusses security-related best practices. Privacy Best Practices Privacy information includes PII such as email ID, phone numbers, and such. Privacy information should be transferred only over a secure transport layer (such as HTTPS) and the information should be masked during display. Private information should not be cached and should not be shared with external services. Do not store any private information in session cookies. Authentication and Authorization Authentication and authorization should be centrally controlled within an organization. For integration with external third parties, we should use federated security such as SAML. A separate service account should be created for authentication and integration across application layers. A robust password policy should be defined that covers various aspects such as password complexity, password expiration, password storage, account lockout, and such. Simultaneous logins for the same user ID should not be allowed. Use security plugins and filters provided by the platform. Implement the “separation of duties” principle wherein the resource actions are carried out by a separate set of entities. For instance, an application user cannot be an administrator of the same application. Post authentication, all resources should be provided access based on their roles and permissions. 208