Platform and/or Products In Scope
Access rights for internal users on the platform, whether admin access or write access to customer data, are always required to be in scope.
Your organization may maintain separate access tables for internal users, customers, and third parties. Customer and third-party access is not necessarily in scope; it depends on:
- Whether your organization manages access on behalf of its customers (if so, that access is in scope)
- Whether your organization and third parties have write access to data, including the ability to change configurations (if so, their access is in scope)
Other Input Tools
Any tool that grants write access to the production database should be considered in scope for access controls.
Databases In Scope
All places where customer transaction or master data is held should be in scope.
- Example: The platform writes its data to the primary MongoDB database, but the organization neglected to consider that sensitive files customers upload to the platform are stored in a separate S3 bucket. Because that bucket holds customer data, it is also in scope.
- Example: Fivetran is used to extract data from the production database into a data warehouse. Both Fivetran and the data warehouse are in scope.
Code Orchestrators and Infrastructure Code
Always Required:
- The repositories for orchestrators and other relevant Infrastructure as Code (e.g., Terraform) should be in scope for change management
- If infrastructure is not managed through a secure code repository, your organization must perform and document a review of the baseline configurations at least annually
Please reach out to support@secureframe.com with any questions!