DIVOC
DIVOC 3.5
DIVOC 3.5
  • Introduction to DIVOC
    • What DIVOC is and what it's not
    • DIVOC Docs Index
  • Platform
    • Release Notes
      • DIVOC 2.0 Release Features
      • DIVOC 3.0 Release Features
      • DIVOC 3.1 Release Features
      • DIVOC 3.5 Release Notes
    • Specification
      • API Documentation
      • Setting up DIVOC development environment
    • DIVOC's Verifiable Certificate Features 2.0
      • Creating a DIVOC Certificate
        • Overview of DIVOC’s digital certificates
        • What information is included in the DIVOC certificate?
        • DIVOC’s certificate generation service: How does it work?
        • Compliance with internationally used COVID-19 certificate schemas
      • Distributing a DIVOC Certificate
      • Updating a DIVOC Certificate
      • Revoking a DIVOC Certificate
      • Verifying a DIVOC Certificate
      • DIVOC's Native COVID-19 Certificate Specification
      • DIVOC’s EU-DCC Adapter Service
      • DIVOC’s SHC Adapter Service
      • Adding a User Type in DIVOC
      • Printing Certificates at a Facility
      • Normal QR Code Versus Signed/Verifiable QR Code
      • What Information Goes Into a QR Code?
      • WHO Master Vaccine Checklist
      • EU Master Vaccine Checklist
    • DIVOC's Verifiable Certificate Features 3.0
      • How to Configure a New Tenant?
      • How to Access the VC System and Generate Tokens
      • How to Generate Certificates
      • How to Fetch Certificates
      • How to Update Certificates
      • How to Revoke Certificates
      • How to Suspend Certificates
    • DIVOC's Verifiable Certificate Features 3.1
      • How to Verify Certificates
    • DIVOC's Verifiable Certificate Features 3.5
      • How to Create New Schemas
      • How to Manage Schemas?
    • DIVOC Architecture
    • Installation
      • Skills needed to set up DIVOC
      • Implementation Checklist
      • Setting Up DIVOC in k8 Cluster
        • How to Install DIVOC
        • How to Install DIVOC for V3.0
        • Backup & Restore: Postgres, Clickhouse, Kafka, & Redis
        • Infrastructure Recovery
        • Server Hardening
    • Verifiable Credential (VC): Production Deployment
    • Configuration
      • Configuring the Certification and Verification Component
        • Generating Signed Key Pairs
        • Configuring certificates
          • Step 1: Create a certification generation request
          • Step 2: Configure the QR code content
          • Step 3: Configure the certificate template
        • How to set up the verification portal for implementation
        • How to configure the update certificate API
        • Configuring Environment Variables in 2.0
      • Configuration Management Via ETCD
        • Adding a New Vaccine and ICD-11 Mapping
          • Adding a New Vaccine and ICD-11 Mapping Using ETCD CLI
        • PDF Template Change for Vaccine Certificates
          • PDF Template Change for Vaccine Certificates via ETCD CLI
        • EU Vaccine Configurations
          • Adding a New Vaccine and its Mapping via ETCD CLI
        • Payload Changes in the QR Code
          • Payload Changes in the QR Code via ETCD CLI
    • Performance Report
  • Products
    • Issuing COVID-19 Vaccination Certificates in India
    • Issuing COVID-19 Test Reports in India
    • Issuing COVID-19 Vaccination Certificates in Sri Lanka
    • Issuing COVID-19 Vaccination Certificates in the Philippines
    • Issuing COVID-19 Vaccination Certificates in Jamaica
      • Troubleshooting
    • Issuing COVID-19 Vaccination Certificates in Indonesia
    • Open Events
      • Past Events
      • DIVOC in the Media
  • DIVOC Demo
    • Program Setup (Via Orchestration Module)
    • Facility App
    • Issue and Verify Certificates
    • Citizen Portal
    • Feedback
    • Analytics
  • Community
    • Roadmap
    • Partner Support
      • Terms and Conditions of Using the DIVOC Site
      • Privacy Policy: Short Version for Display
      • Privacy Policy: Detailed
      • Platform Policy Guidelines
      • Privacy Policy Recommendations
      • Troubleshooting Guide
    • Source Code
    • Discussion Forum
    • Issues
    • Project Repo
Powered by GitBook
On this page
  • Data backup policy recommendations
  • Authentication and password management
  • Error handling and logging
  • System configuration
  1. Community
  2. Partner Support

Platform Policy Guidelines

Data backup policy recommendations

The following checklist should be followed for data protection:

  • Implement least privilege, restrict users to only data and system information that is required to perform their tasks.

  • The full backup of data should be taken once a day:

- Postgres DB

- Redis cache

- Kafka

- ETCD

  • The full backups are retained for two weeks.

  • Incremental backups (hourly) are retained for one day.

  • Once the full backup is taken successfully, incremental backups can be purged.

  • Backup files will be kept in a separate environment.

  • Backup files will be encrypted before storing on another environment/server.

Authentication and password management

Authenticating the identity of a principal and verifying its authorisation to act are foundational controls that other security controls are built upon. Organisations should standardise on an approach to both authentication and authorisation. Consider the following authentication and password management:

  • The communication channels need to be encrypted to protect authentication tokens. Use only HTTPS POST/GET requests to transmit authentication credentials.

  • All keys, passwords, and certificates must be properly stored and protected.

  • Disk level encryption should be implemented.

  • All authentication controls must be enforced on a trusted system (such as the server). Partition site by anonymous, identified, and authenticated areas.

  • Establish and use standard, tested, authentication services whenever possible.

  • Use a centralised implementation for all authentication controls, including libraries that call external authentication services.

Error handling and logging

Exception handling is a programming concept that allows an application to respond to different error states (such as network down, database connection failure, etc.) in various ways. Handling exceptions and errors correctly are critical to making your code reliable and secure.

Error and exception handling occur in all areas of an application, including critical business logic as well as security features and framework code. Error handling is also important from an intrusion detection perspective. Certain attacks against your application may trigger errors, which can help detect attacks in progress. Consider the following:

  • All logging controls should be implemented on a trusted system (such as the server).

  • Restrict access to logs to only authorised individuals.

  • All the system and system access logs should be enabled.

System configuration

The following checklist should be followed for system configurations:

  • Ensure servers, frameworks, and system components are running the latest approved version.

  • Ensure servers, frameworks, and system components have all patches issued for the version in use.

  • Restrict the web server, process, and service accounts to the least privileges possible.

  • When exceptions occur, fail securely.

  • Remove unnecessary functionality and files.

  • Remove test code or any functionality not intended for production, before deployment.

  • Remove unnecessary information from HTTP response headers related to the OS, web-server version, and application frameworks.

  • Implement a software change control system to manage and record changes to the code/ configuration/scripts in both development and production.

PreviousPrivacy Policy: DetailedNextPrivacy Policy Recommendations

Last updated 2 years ago

All content on this page by is licensed under a .

eGov Foundation
Creative Commons Attribution 4.0 International License
Creative Commons License