Purpose
Security is and shall continue to be the topmost concern of Rocheston Department of Certification (RDoC) for tackling the ever-evolving threat landscape while maintaining data confidentiality and integrity of the certification process. As a certifying body, RDoC has policies and procedures necessary for ensuring this security element is preserved throughout the entire certification process.
RDoC security policies cover:
- System Security Policy
- Data Security Policy
- User Security Policy
- Password Management Policy
System Security Policy
System Security policy involves the security of:
- Database User Management: Database administrator(s) are responsible for maintaining all aspects of the security policy. Only the database administrator will have the privileges required to manage all privileges of the users.
- User Authentication: Database users are verified by using unique and secure username/passwords combinations.
- Operating System Security: Only the database administrator must have OS privileges for files management. The security domain of the OS accounts is also maintained by the administrator.
Data Security Policy
RDoC assigns highest priority to data security including access control and use of database at the object level. Based on the data security policy, a user’s access to a specific schema object is clearly defined, and subsequently followed to ensure proper access control.
Data security depends on the level of security accorded for the data in the database and the sensitivity of data. Authorized user(s) are allowed to create any schema object, or grant access privileges for their objects to any other user of the system. The security administrator is the only person with the privileges to create objects and grant access privileges for objects to users.
User Security Policy
RDoC is committed to ensure security and confidentiality of data is maintained at all times. Persons granted access to information assets in the performance of their assigned duties are referred to as ‘Authorized User(s)’. The authorized users include RDoC staff members, students, volunteers, or vendors/third-party contractors. Authorized users will:
- Seek access to data only through RDoC’s established authorization and access control processes.
- Access data only on a need-to-know basis.
- Disseminate data to others only if authorized.
- Report any inappropriate data access to RDoC.
- Get information on knowledge and skills required to maintain data confidentiality from RDoC.
- Sign required Non-disclosure/confidentiality statements before accessing critical data.
- Commit to protect data and avoid placing data on unauthorized personally owned devices.
Users who access data for which they are not authorized and/or commit breaches of confidentiality may be subject to disciplinary action including termination of registration/certification/relationship, and/or liability to civil and criminal penalties. System activities such as log-ins, file accesses, and security incidents shall be recorded and appropriate internal audit would be conducted. Records of those granted physical access to restricted areas (e.g., key card access lists), shall be maintained.
Password Management Policy
Database security systems are dependent on strong and secure passwords that are not vulnerable to theft and misuse. Password management involves the following tasks/processes:
- Password expiration monitoring: If the password expires or about to expire, it must be changed as soon as it expires. A warning message appears as soon as the password expires and when users try to log in to their accounts, it will force users to change the password. Access is denied until a new password is set.
- Password strength monitoring: The password must be at least ten characters long. The password should not be the same as the username or the previous password and should have at least one alpha, one numeric, and one punctuation mark character.
- Password complexity verification: The password complexity verification checks if the password satisfies minimum length requirements and if the password is not the same as the username.
- Two Factor Authentication: All users must enable Two Factor Authentication to enhance security as an additional level of protection.
Security Standard Operating Procedures:
System and Application Software Security
RDoC uses licensed enterprise software and services for all our data and platform requirements. The licensed enterprise software is thoroughly tested by the developers and constantly updated and comes with documented version history listing bugs and fixes.
Change control management must be implemented for systems handling confidential data, to monitor and manage hardware/software configuration changes. Change control management of physical hardware as well as cloud services, includes documentation of change requests, approvals, testing, and implementation.
Mobile device security is another key priority in securing sensitive data. Lost/misplaced/stolen devices must be protected from unauthorized access and confidential data disclosure. Any mobile device containing confidential data must be access controlled with password and kept in a secure location if not in use. Laptops and workstations of RDoC employees are fully disk encrypted and restricted with Admin privileges. Authorized users must choose approved storage services inhouse over externally attached storage devices whenever possible, to minimize the risk to confidential data.
All external storage devices must be encrypted if they are used for confidential data storage. Data Write access to the external storage devices must be restricted to authorized computers.
To prevent loss of important documents/records and provide continuous operation consistent with the organizational objectives, backups of all data are taken daily and are fully-recoverable as they are stored on third-party cloud servers with continuity and data recovery plans in place.
Annual testing of preventive mechanisms for fire, utility services and other environmental hazards must be conducted. Emergency modes/alternatives of operation must be documented to ensure continuity of critical services in the event of a natural disaster, fire, act of vandalism, or act of terrorism. All critical data centers and computerized systems must have documented and tested disaster recovery plans to ensure critical services are recoverable in an emergency. RDoC uses cloud service providers for storing and processing all our data and is governed by the policies of the service providers.
RDoC shall be committed to compliance with applicable laws and regulations associated with the protection of confidential information while ensuring compliance with software licensing agreements.
Efficient disposal of sensitive data from all devices that are no longer under the control of RDoC is essential to secure the confidentiality of the data. The devices are formatted and reset to factory settings before they are disposed. Devices could include computers and digital storage devices including, but not limited to desktop workstation, laptop, server, notebook, handheld computer, and hard drives; and all external data storage devices such as disks, SANs, optical media, magnetic media, and non-volatile electronic media.
Certification Exam Administration Security
RDoC aims to ensure security throughout the entire certification process and takes preventive and corrective actions for the same. RDoC has implemented measures for safeguarding the confidential nature of the examination materials before, during and after the certification exam administration. RDoC shall prevent fraudulent practices in the examination process through these steps:
- A candidate can register for the examination by filling up the exam application form online.
- Before starting the exam the candidate must agree to the conditions listed in the candidate agreement.
- A candidate has to show a valid ID proof to the webcam for authentication
- The proctor also must validate the candidate’s identity against the previously submitted registration record.
- During the examination process, the proctor monitors the candidate based on specified conditions.
Item Bank Security
RDoC shall keep all exam items secured. The exam questions (item bank) are securely saved on the cloud and examination forms are monitored by the Exam committee from early draft versions to final format, and accounting for/documenting delivery/receipt of drafts of every examination. Other steps taken to maintain its security includes:
- Access to the item bank is controlled and limited to authorized reviewers required to sign confidentiality statements when presented with examination content.
- To prevent item overexposure and reduce the risk of fraudulent activities, the item bank is revised every two years.
- Moreover, the items are displayed by random selection each time to minimize the risk of memorization or use of previously administered test content to which candidates may have access online.