Recreation Properties risk assessment
A review of security risks for the Recreation Properties Application was conducted in April 2010. The decisions from the resulting discussions should be included in the design and development of the application.
The Recreation Properties web site project is to create a single place where information about church recreational properties can be managed and presented, and members can reserve properties and make any necessary payments.
|1||Private information, such as accounts, passwords, or other sensitive information will be intercepted or accessed by unauthorized users.||Encrypted communication, such as HTTPS, must be used for all authentication and any transmission of potentially sensitive information. Passwords or other authentication keys must not be stored within application data storage.||All authentication is handled through LDS Account. (01 May 2010)|
|2||Payment of funds could violate PCI regulations.||All payment of funds must utilize existing secure church payment methods or an external vendor's services, such as PayPal, which comply with PCI regulations. Financial information must not be stored within application data storage.||All transactions are handled externally to the application using secure methods. (01 May 2010)|
|3||Inappropriate, deceptive or damaging information, messages or photographs could be placed on the site.||All information created and edited must be reviewed by a trusted person before being made public.||Only property managers have the rights to make information public. Agent stake president will be requested to review and approve. (01 May 2010)|
|4||Church funds could be misused or improper transactions could be conducted.||The church is required to audit all financial transactions. The application must support logging of all transactions to an external system to ensure that they can be reviewed and audited.||When using money movement engine (MME) all transfers will be requested of the church systems which will log them (church internal or private group transactions). (08 May 2010)|
|5||Unauthorized individuals could look up sensitive information, such as property locations, uses, and/or schedules.||All access to the information on the website must be restricted to those with LDS Accounts. Specific group reservation information should be limited to the property managers and the specific entities making the reservations.||Private information, such as phone numbers and addresses will not be posted in areas where they can be seen by non-property management. When reserving the property, there will be an option to select the unit or family name, person reserving, or group type which will show on the schedule, including the option to leave the name blank and just show that it is reserved. (08 May 2010)|
|1||Technical controls could be subverted allowing unauthorized access or modification to information, or compromise of users computer systems or information.||Access to all input fields should be checked for validity and all invalid input blocked. Other development best practices should be followed to minimize these risks.|
|2||A system failure could cause loss or corruption of information within the application which could result in loss of availability to the application or resource.||The application data store should be created in such a way to facilitate application data backup and restoration without requiring the application to be shut down.|
|3||An individual with administrative rights could remove a property, camp, or site causing existing reservations to be lost or unlinked, resulting in conflicts or double-booking of resources, resulting in the loss of availability to a resource for an authorized party with a valid reservation.||The application data store should use referential integrity to ensure that resources which have been scheduled cannot be removed without requiring the administrator to move the reservations to a new resource or cancel the reservations. When reservations are canceled, the person making the reservation should be notified.|
|4||A photograph of a person may be added to the application without their approval, or a youth photograph may be posted in violation of local laws.||A notice that photographs to be added to a property description cannot contain images of people and a check box indicating compliance should be added to the photograph upload screen.|
|5||Someone scheduling a site may reserve dates or times needed for another important regional or general church event causing conflicts or restricting access, resulting in loss of availability to a resource by a party which should have priority access.|| The reservation calendar should be restricted to a specific periods of availability, such as from the current date through the end of next calendar year. Later calendar periods should be opened based on a specific and announced times for each group based on priority of access.
As an example, access to the newly opened schedule calendar should be broken into phases to first allow general and regional leadership, then local leadership, and finally individual member families and groups access to schedule the site, depending on who is to have priority access to the resource.