[Discharge Upgrade Wizard] Add information to the Privacy, Security & Readiness Review ticket template

[FranECross]

Status

[2024-09-26] [Fran] I added as much info as I could and this now needs Chris to review/edit as needed. I'll then take the info below and submit the appropriate Readiness Review ticket.

Description

As part of the Staging review for the Discharge Upgrade Wizard, I need to submit a Privacy, Security & Readiness Review ticket. I've captured below the ticket contents/questions, and will completed the information in collaboration with the FE engineer working on DUW,

AC

• [ ] Provide all information below. Mark N/A if it doesn't apply to DUW

Readiness Review Ticket info below

Note that this will be copied/pasted into the official ticket and submitted.

Guidance

• VFS Lead engineer or product manager: using this template, create issue in va.gov-team-sensitive and answer the questionnaire in its entirety.
• Do NOT put any PII, PHI, or other Potentially Sensitive Data into the Issue contents.
• The Platform Security Team will review this issue and conduct all conversations and follow-ups through this issue (excluding PII/PHI/Potentially Sensitive Data).
  • As a requester: complete any follow-up action items and provide all requested information in this issue.
• Do NOT close this issue, Security Reviews may only be closed by a member of the Platform Security Team. The Platform Security Team will update the Platform Collaboration Point Tracker upon closure.

Stakeholders from the requesting team

• Lead engineer: Chris Kim
• Product manager: Fran Cross
• OCTO-DE product lead: Michelle Middaugh
• Anyone else on your team whose presence is needed to speak to the technical architecture and security concerns: None

Questions to be Answered

The following product or feature descriptions may be answered with a reference link to the team’s documentation. However, the provided links must be specific to the request.

• Please describe what problem this product or feature solves.

  • The existing discharge upgrade wizard was built in Vets.gov days. It does not use current design or content patterns. It requires a lot of scrolling due to the legacy pattern. We are also unsure if the information within the wizard remains correct. Based on learnings from the PACT Act wizard, this effort will improve the ability for Veterans to determine their eligibility for a discharge upgrade by re-modernizing the product to align with current VA.gov design and content standards, and convert to a subtask pattern.

• Please describe a plan to monitor this code base after deployment, including the following scenarios (NOTE: If you don't (yet) have such a plan, or don't know how to get started with one, we can work on this with you!). N/A The Discharge Upgrade wizard is un-authed, where a user chooses radio buttons or a dropdown select for answers, and nothing is stored. It doesn’t have any external or API dependencies, so there is nothing to monitor.

  • The code base is compromised at source- or run-time.
    • How does the code base get disabled in the product?
    • How would you detect a compromise?
    • What process and privilege does the code base execute under?
      • If so, is that process isolated?
      • If so, what additional credentials are available to that process?
    • The code base is infiltrated or ex-filtrated.
  • Links to dashboards that help identify and debug application issues

• [N/A] Provide your Release Plan with the "Planning" sections completed (in each section: Phase I, Phase II, Go Live)

• [NO] Are there any new application endpoints, front- or back-end? If so, please give examples of how any of the endpoints could be abused by unauthorized parties, as well as a plan to mitigate such threats.

• [NO] Is there any new logging data being captured? If so, what data is being captured, how, and where is it stored?

• [NO] Is Personal Health Information/PHI, Personal Identifiable Information/PII, or any other Personal Information/PI being captured? If so, please answer the following questions:

  • [N/A] Is the PHI strongly encrypted?
  • [N/A] Is the PII encrypted?
  • [N/A] Can the sensitive information be scrubbed?

• [NO] Are there any new, modified, or existing Cookies being used?

  • If so, are there any new Cookies?
    • If so, why can’t the existing Cookies be used?
  • If so, are there any modified Cookies?
    • If so, how are the Cookies modified?
  • If so, are there any existing Cookies?

• Is this feature authenticated or unauthenticated?

  • Unauthenticated

• [NO] Are there any other specific subjects that you want to highlight or focus additional attention on?

Artifacts

Please provide the following documentation as attachments.

• [None] Architecture Diagram: This project enhanced the existing Discharge Upgrade Wizard; this is just a simple app built in Vets website. This is an unauthenticated wizard, guiding the user through questions to a results page that displays information depending on their answers.
  • Figma representation of existing wizard, and new user flow using subtask pattern (which is one page for each set of information e.g. beginning page, each question, review page, results page.
  • Muralwith** new user flow and logic, including the review screen logic. ~This diagram must go beyond simple boxes and lines. It must clearly indicate which portions of the architecture are within the scope of the review, which portions are dependencies within the product, and which portions are external dependencies.~ ~This diagram must also illustrate the following specifics.~
  • ~Which implementation of security approaches were considered along with the approach that was chosen and why? This is unauthenticated, and captures no user information.~
  • ~If there are any libraries or components that this code base will depend upon that are currently not yet part of the code base? How and why were these selected?~
• [ ] Incident Response Plan, including Points of Contact for your system and dependent VA back-ends.
  • If a security vulnerability is discovered or reported in this code base, what is the plan and timeline for rolling out the fix?
• [N/A] Sequence Diagram: Unauthenticated This diagram must include any authentication steps if this is an authenticated experience.
• [N/A] Data Flow Diagram: Data is not being captured. User is answering questions (that aren’t being captured/logged, which is used for the app to decide which screen to then present. ~This diagram must illustrate the following specifics.~
  • ~What data is collected or used, and where, including information such as credentials used by this system? No data is collected or used. There is logic that determines the questions presented to the user, but the answers to the questions are not stored or associated to a sessions or user.~
  • [N/A] Where is the data is stored and how, including information such as any encryption used?
  • [N/A] How is the data transferred, including information such as any encryption used?
  • [N/A] Who accesses the data and in what capacity (read or read-write)?
  • [N/A] What is the audit trail of data access and manipulation?
• [ ] API Endpoint Documentation: The Discharge Upgrade Wizard doesn’t have any external or API dependencies. ~This may include a link to a Swagger/OpenAPI document. Any new API endpoints introduced by this product or feature must be explicitly identified.~
• Product Specifics:
  • [X] A link to the Release Plan with the "Planning" sections completed (in each section: Phase I, Phase II, Go Live)
    • DUW Launch Plan ticket
  • [x] A link to the Initiative
  • Ensure Product Outline contains Incident Response info, including:
    • ~Points of contact for your system and dependent VA back-ends~
    • ~Links to dashboards that help identify and debug application issues~
  • [N/A] Is there a playbook included in your product outline, for investigating and handling likely failure modes? If so, link to your Product Playbook

Additional information

Please refer to Platform Collaboration Cycle or the Privacy and Security Review Touchpoint on Platform website for more information about the Collaboration Cycle.

cc @raywangoctova

[FranECross]

I've added some information and will need Chris to review and edit as well. Targeting Sprint 14.

[chriskim2311]

@FranECross I have made some additions but other than that looks good to me! Let me know if I have missed anything.

[FranECross]

@chriskim2311 Thanks! I'll review today and ping you with any questions.

[jilladams]

@FranECross reminder to review and clsoe when you get a chance

[FranECross]

Closing as complete; appropriate collab ticket submitted