Infopoint Security Policy and Guidelines

1. Overview

Application vulnerabilities account for the largest share of attack vectors other than malware. It is crucial that Infopoint be assessed for vulnerabilities, and that any vulnerabilities found be remediated, before production deployment.

2. Purpose

The purpose of this policy is to define application security assessments within Arrive Systems. Such assessments are performed to identify potential or realized weaknesses resulting from inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of the Arrive Systems Infopoint services available both internally and externally, and will satisfy compliance with any relevant policies in place.

3. Scope

This document covers all application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies.

All application security assessments will be performed by delegated security personnel either employed or contracted by Arrive Systems. All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of Arrive Systems is strictly prohibited unless approved by the Arrive Chief Digital Officer.

Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.

4. Policy

4.1 Infopoint is subject to security assessments based on the following criteria:

a) New or Major Application Release – will be subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.
b) Third Party Application Integration – will be subject to a full assessment, after which it will be bound to policy requirements.
c) Point Releases – will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.
d) Patch Releases – will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.
e) Emergency Releases – an emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out. Emergency releases will be designated as such by Arrive's Chief Digital Officer, or an appropriate manager who has been delegated this authority.

4.2 All security issues discovered during assessments must be mitigated according to the following risk levels.

a) High – any high risk issue must be fixed immediately, or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.
b) Medium – medium risk issues should be reviewed to determine what is required to mitigate them and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment based on the number of issues and whether multiple issues together raise the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.
c) Low – low risk issues should be reviewed to determine what is required to correct them and scheduled accordingly.

4.3 The following security assessment levels have been established by the internal Arrive Systems Testing Committee:

a) Full – a full assessment comprises tests of all known Infopoint features for vulnerabilities, using both automated and manual tools as identified. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities and to determine the overall risk of all vulnerabilities discovered.
b) Targeted – a targeted assessment is performed to verify vulnerability remediation changes or new application functionality.

5. Security Compliance Considerations

Device Hardware

The InfoPoint device has limited hardware features, restricted to exactly what is needed to run the InfoPoint application on the tablet as a room signage system, which supports a secure and robust design. The following aspects are tested to ensure security from a hardware perspective:

a) No microphone
b) No camera
c) No sensors (e.g. accelerometer, GPS, or any other built-in Android device sensors)
d) Controlled connectivity to avoid security vulnerabilities:

i. No Bluetooth
ii. No Bluetooth Low Energy
iii. The device can only connect through the following interfaces:

(1) Wi-Fi
(2) Ethernet
(3) USB

e) Audio output through internal speakers only
f) All external buttons on the device are suppressed and not active, such as:

i. No power button
ii. No home button
iii. Volume button is present

g) No support for an SD card
h) No SIM card interface
i) All ports for external communication are disabled, except for ICMP.

Android OS

InfoPoint runs on Android OS Version 4.4.4 (KitKat). Version 4.4.4 of the Android OS offers industry-leading security features. This version pioneered the Message and Calendar consolidation. Moreover, this version of Android is the most apt for ‘locking’ the built-in Android features. As of April 2017, security vulnerabilities identified in Android 4.4.4 continue to have patches published by Google.

Similarly, the account credentials are not stored by the application but are handled by the OS directly, thereby reducing the risk of information retrieval through the website.

The following are the focus of the major upgrades in newer Android versions:

Feature              Relevance for Infopoint
Battery life         Not relevant
Torch display        Not relevant
Multitasking         Not relevant
Notifications        Not relevant
Guest user account   Not relevant
Google Voice         Not relevant

The following are additional points to consider regarding security compromise through the application:
• Account credential storage – the account-related information (Google or Microsoft) is not stored in the application and hence poses no threat in case the Infopoint application is compromised.
• Encrypted communication – communication from Infopoint to the Microsoft product suites is over the secured HTTPS protocol.

As of March 2017, the decision of the Chief Digital Officer of Arrive Systems stands not to upgrade the Android version, as the upgrade offers no advantage to the Infopoint application itself.

Note: In case of any intrusion, the only network resource accessible through the Infopoint application is the dedicated mailbox for the room assigned to the panel. The security policies for defining mailboxes are the responsibility of the organization that deploys Arrive Infopoint, since these policies vary with the business objectives of that organization. For securing the mailboxes against unwanted access, please refer to the security compliance documents published by Microsoft on their ‘TechNet’ forums.

Kiosk Mode

The InfoPoint application runs in a secured lock-down mode which ensures that all unwanted features of the tablet are suppressed. The Arrive team refers to Infopoint running under the Lockdown manager as ‘Kiosk Mode’. Kiosk mode ensures:

1. Custom Launcher – the Android default launcher is disabled to ensure that only the admin has access to InfoPoint and System Settings (a user access security measure).
2. Android keys and home screen are locked:

a) Disabling back, home, recent apps, power and volume buttons
b) Disabling the home key
c) The tablet always remains on the Infopoint application
d) Disabling the back key allows maximum control of the user interface
e) Disabling the menu key avoids access to app settings commonly available via menu keys
f) Hiding OS navigation buttons
g) Hiding all notifications and avoiding access to system or any other application settings. If the notification bar must be visible, Kiosk Mode can be disabled.

3. Android OS updates – all OS updates are disabled.
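To make the controls in items 1 and 2 concrete, the following is an added illustration of how a kiosk-style launcher Activity for Android 4.4 (API 19) consumes the back, menu, recent-apps and volume keys, hides the on-screen navigation and status bars, and registers itself as the HOME launcher. It is example code written for this document, not Arrive's Lockdown manager or any Infopoint source; the package name, Activity name, layout resource and manifest excerpt are assumptions.

```java
// Added example (not Arrive's code): a minimal kiosk-style launcher Activity
// for Android 4.4 (API 19), illustrating the controls listed under "Kiosk Mode".
// The manifest excerpt below is assumed; all names are hypothetical.
//
// AndroidManifest.xml (excerpt, assumed):
//   <activity android:name=".KioskActivity" android:launchMode="singleTask"
//             android:excludeFromRecents="true">
//     <intent-filter>
//       <action android:name="android.intent.action.MAIN" />
//       <category android:name="android.intent.category.HOME" />
//       <category android:name="android.intent.category.DEFAULT" />
//     </intent-filter>
//   </activity>
package com.example.kiosk;   // hypothetical package

import android.app.Activity;
import android.os.Bundle;
import android.view.KeyEvent;
import android.view.View;
import android.view.WindowManager;

public class KioskActivity extends Activity {

    // Keys the kiosk swallows. HOME and POWER cannot be intercepted by an
    // ordinary app; being the registered HOME launcher (manifest above) is what
    // brings the device back to this screen when the home key is pressed.
    private static final int[] BLOCKED_KEYS = {
        KeyEvent.KEYCODE_BACK,
        KeyEvent.KEYCODE_MENU,
        KeyEvent.KEYCODE_APP_SWITCH,
        KeyEvent.KEYCODE_VOLUME_UP,
        KeyEvent.KEYCODE_VOLUME_DOWN,
        KeyEvent.KEYCODE_VOLUME_MUTE,
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Signage panels never sleep: keep the screen on while this Activity is visible.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
        setContentView(R.layout.activity_kiosk); // hypothetical layout resource
        hideSystemUi();
    }

    // Hide the navigation and status bars (API 19 "sticky immersive" mode). This
    // removes the on-screen back/home/recents buttons and the notification shade.
    private void hideSystemUi() {
        getWindow().getDecorView().setSystemUiVisibility(
                View.SYSTEM_UI_FLAG_LAYOUT_STABLE
              | View.SYSTEM_UI_FLAG_LAYOUT_HIDE_NAVIGATION
              | View.SYSTEM_UI_FLAG_LAYOUT_FULLSCREEN
              | View.SYSTEM_UI_FLAG_HIDE_NAVIGATION
              | View.SYSTEM_UI_FLAG_FULLSCREEN
              | View.SYSTEM_UI_FLAG_IMMERSIVE_STICKY);
    }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        // System dialogs can clear the immersive flags; re-apply whenever focus returns.
        if (hasFocus) {
            hideSystemUi();
        }
    }

    @Override
    public boolean dispatchKeyEvent(KeyEvent event) {
        int code = event.getKeyCode();
        for (int blocked : BLOCKED_KEYS) {
            if (code == blocked) {
                return true; // consumed: no view or system handler sees the key
            }
        }
        return super.dispatchKeyEvent(event);
    }

    @Override
    public void onBackPressed() {
        // Intentionally empty: back never leaves the signage screen.
    }
}
```

Item 3 (disabling OS updates) is not an application-level control and is not shown here; on a managed device it is enforced through device-administrator or MDM policy rather than from the Activity.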

6. Definitions and Terms

7. Revision History

Date of Change   Responsible      Summary of Change
June 2015        Arrive Systems   Creation of the document
March 2016       Arrive Systems   Update of the document to the new format
March 2017       Arrive Systems   Update of the document to the new format