The PopMedNet software is designed to be highly secure and suitable for transferring sensitive data. The PopMedNet software has passed a detailed independent security audit. The following information details the major system security specifications of PopMedNet v5v6.


  • All communications between the DataMart Client application and the Portal use HTTPS/SSL/TLS connections to securely transfer queries and results between the application and the Portal. 
  • Enhanced system procedures
    • Securely stores credentials as Salted Hashes
    • Uses cryptographically secure random values for session IDs (.Net Type 4 GUID)
    • Cookies marked as ‘SECURE’, ‘SESSION’ & ‘HTTPONLY’ and the cookie domain
  • Web Service and Portal Authorization
    • Ensures all submissions are performed via POST method
    • Does not publish WSDL
    • Limits the number and size of file submissions
  • All credential and connection information needed by the DataMart Client to communicate with the PopMedNet portal or with DataMart data sources is stored in the Windows Credential Manager using AES-256 encryption.

  • Requires users to select strong passwords. The password strength rules are configurable by each network implementation. The default rules are as follows: at least 8 characters, maximum length of 100, at least 1 number, at least one nonnumeric character, at least one capital letter, at least one lower case letter, and at least one special character. 
  • Forces users to change their passwords on a scheduled basis. The time period after which a password must be changed is configurable by each network implementation; the default time period is every 6 months.3 months.
  • Previously used passwords cannot be re-used for a 6-month time period.
  • Automatically logs users off after thirty minutes of inactivity.
  • Backs up files or deleted queries on the disaster recovery database for 4 days and automatically deletes them on day 5.
  • Audits all network activity (e.g., access, user ID changes, query initiation, results upload, etc.).
  • Provides a highly granular access control system to enable customized access control configuration.
  • Requires all user accounts to be approved or created by an authorized user.
  • Provides DataMart Audit logs and Network Activity Reports for specified network users.
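
The default password rules and the 6-month reuse restriction listed above can be checked as follows. This is an added example, not PopMedNet code: the function names, the PBKDF2 hash, the 183-day reading of "6 month" and the use of ASCII punctuation for "special character" are all assumptions. It shows that with salted hashes a reuse check has to re-hash the candidate once per stored salt.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 8, 100            # default lengths from the list above
REUSE_WINDOW = timedelta(days=183)   # assumption: "6 month" taken as 183 days
PBKDF2_ROUNDS = 200_000              # assumption: the page names no hash function


def violations(password):
    """Return the default rules that the candidate password breaks."""
    checks = [
        (len(password) >= MIN_LEN, "shorter than 8 characters"),
        (len(password) <= MAX_LEN, "longer than 100 characters"),
        (any(c.isdigit() for c in password), "no number"),
        (any(not c.isdigit() for c in password), "no nonnumeric character"),
        (any(c.isupper() for c in password), "no capital letter"),
        (any(c.islower() for c in password), "no lower case letter"),
        # assumption: "special" means ASCII punctuation
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [reason for ok, reason in checks if not ok]


def salted_hash(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password, history, now):
    """history holds (salt, digest, set_at) rows; only the window is searched."""
    for salt, digest, set_at in history:
        if now - set_at > REUSE_WINDOW:
            continue  # old enough to be allowed again
        # Each stored hash has its own salt, so the candidate is re-hashed per row.
        if hmac.compare_digest(salted_hash(password, salt)[1], digest):
            return True
    return False


if __name__ == "__main__":
    now = datetime(2024, 6, 1)  # constructed sample data
    old = salted_hash("Spring#2024a") + (now - timedelta(days=30),)
    print(violations("password"), is_reused("Spring#2024a", [old], now))
```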