Create a system security plan using documented security risks.

[adunkman]

As the Court, so that we can protect the public’s data while providing access to authorized users, we need to effectively balance security risks and controls.

Acceptance criteria:

• The mitigations for security risks documented are defined.
• Any work that is needed is prioritized in the Flexion backlog as appropriate.
• Provide Court with recommendations for routing and approvals (issue #321)

Notes:

• If the ATO repo goes private, it’s currently building to GitHub Pages which aren’t private. There may be an opportunity to keep discussion private but the ATO still public.
• Flexion has run a threat modeling brainstorming exercise which will be useful.
  • Cody made recommendations on how to address and flushed out to the DevEx/OpEx board tagged Security. They aren’t currently prioritized in the backlog.
• Security of PDF uploads is a subject that has been decided previously, but could be revisited if needed.
• What email security has been implemented?
• What security certificates for HTTPS/other transport-layer security is implemented?
• Accounts with a potential for high-exposure like the IRS Superuser account, and what controls are in place to ensure security.
• How sealed cases are handled and what controls prevent their disclosure beyond the intended audience.
• Incident management procedures are also related here, but being accomplished in #244.
• What third-party services, like Honeybadger, are used, and what data goes to them?

[adunkman]

There is prior documentation and discussion around acceptable risk, and that is documented in the user stories related to PDF uploads.

[adunkman]

What is acceptable risk for using exception tracking services like HoneyBadger?

[adunkman]

Mike meeting with Laura tomorrow evening to knock this out (at least for pre-MVP).

[adunkman]

Ongoing work is tracked in https://github.com/ustaxcourt/ato and #519.