DIT Security Policy

For information on keeping yourself secure while using this system, click here.

In designing and building the technical infrastructure and the applications DIT have followed UK government security guidelines and recommendations. In particular security issues in the areas of Individual Access, Application and Data and Infrastructure have been addressed.

The following threats and impacts have been considered in the design.

  • External connections may be used as a conduit to attack the DIT infrastructure
  • Malicious loading of the site, etc. Reducing service levels and user inconvenience.
  • The threat of importation of other malicious software via external connections (e.g. Java applet from the Internet).
  • That a component of the E-commerce configuration will fail and deny network service.
  • Local or national power cuts.

The following countermeasures are in place.

  • E-commerce equipment are installed in rooms which meets the requirements for this site. Measures include robust partitioning, robust doors fitted with push button coded locks and viewing panel, ceiling and floor voids space limited to deter external intrusion, air-cooling and UPS.
  • The visible security measure is that each appropriate individual at an oil company or other valid company will be allocated an id and password. The process of this allocation will be agreed with companies and not individuals. The id and password will be validated by the system and will determine which applications and business processes that individual is given access to.
  • The components are configured to comply with the requirements for UK Government systems including the enforcement of 8 character passwords and their construction.
  • At the application level authenticated users are allowed database access through a secure connection using the HTTPS protocol. Database accesses are resolved into a number of SQLNET commands. At all points of the data transmission the data will be encrypted using 128 Bit key techniques. Sensitive data will be encrypted in the Database. The Database will process the SQLNET commands and return the result to the application server. The SQLNET command will then be processed back into a HTML form.
  • The internal DIT infrastructure comprises a number of servers and databases mirrored for resilience. The infrastructure is protected by a series of routers and firewalls.
  • The Infrastructure allows Secure Sockets and JavaScript. It features anti-spoofing measures. It permits DNS look-ups on the DIT Web site from within the internal network. It provides a management DMZ for maintenance of the Web sites. All other paths/features are disabled.