The Security Gate is used to determine the security risk profile of the app and assess whether regulatory guidelines apply, such as HIPAA for Patient Health Information (PHI), SOX for general ledger data, and PCI for monetary transaction data. The app is tested for security vulnerabilities that may put KP data at risk.
The MCoE Certification team partners with the Technology Risk Office (TRO), specifically Application Security (AppSec) and the Red Team, to complete this gate.
The Security Gate requires a TRO intake form, a Solution Architecture Document, and app test credentials.
KP Technical Risk Office reviewers will need technical specification documentation to review. This is typically created by the app developer (either KP internal or an external vendor).
- Internal developers should follow the KP SDLC standard and create a Software Architecture Document of equivalent quality to the template examples posted on the SDLC site.
- If you are using a vendor, request documentation that captures the data security approaches utilized in the app as early as possible. MCoE strongly advises that you require delivery of this documentation as part of your Statement of Work. Common industry terms for this type of documentation include Data Flow Diagram, Logical Solution Design Diagram, and Solution Architecture Document.
KP Technical Risk Office reviewers will need to download and test your app as part of their process.
- Vendor apps available for free download on public app stores can generally be downloaded from those stores by the reviewers individually.
- Custom apps or those not available for free download will need to be provided to your reviewers as app binaries or source code. Module 3 of KP’s national Mobile App Certification Policy training on KP Learn explains the difference between app binaries and source code.
- Your reviewers will need at least 2 sets of valid credentials (usernames and passwords) to test with.
The TRO security consultants document and/or log their findings in JIRA, with risks prioritized by severity. High-severity risks may require resolution before app launch.
For MCoE Certification to be awarded, all of TRO’s Very High and High defects will need to be risk accepted or remediated prior to your release.
After MCoE Certification is awarded, any remaining defects will need to follow TRO’s Risk Response Process.
Service Level Objective: 30-45 business days