High Level Application requirements

  1. Items 1 through 9 of the medium level requirements must be met.
  2. Only a password hash may be stored.
  3. Passwords may only be transmitted as a hash, and the transmitted hash must be either encrypted or hashed with a second value.
  4. Two-factor (or stronger) authentication must be used.
  5. Sensitive data may not be transmitted in the clear.
  6. Sensitive data must be stored in encrypted form.
  7. Public facing forms that allow users to enter data in a database or send email must be protected against automated entry.
  8. Someone must be responsible for the security of the application.
  9. The database must be properly protected, with access limited to the computers that need it.
  10. User passwords must have minimum complexity rules following the organizational password policies.
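
Items 2 and 3 can be met together with a nonce-based challenge-response, shown in the Python below. This is an added example, not part of the original requirements; PBKDF2, HMAC-SHA-256, the work factor and the names Server, password_hash and client_response are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

ROUNDS = 100_000  # assumed PBKDF2 work factor; set per organizational policy

def password_hash(password, salt):
    # Item 2: a salted, slow hash is the only password-derived value kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)

def client_response(password, salt, nonce):
    # Item 3: the hash is never sent as-is; it is combined with a second
    # value (the server's one-time nonce) using HMAC.
    return hmac.new(password_hash(password, salt), nonce, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}    # user -> (salt, stored hash); no plaintext password
        self.pending = {}  # user -> outstanding single-use nonce

    def register(self, user, salt, pw_hash):
        # The client hashes locally, so the server never sees the password.
        self.users[user] = (salt, pw_hash)

    def challenge(self, user):
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # consumed even on failure
        if nonce is None or user not in self.users:
            return False
        _, stored = self.users[user]
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo():
    pw = "constructed-sample-pw"  # constructed sample value
    server, salt = Server(), secrets.token_bytes(16)
    server.register("alice", salt, password_hash(pw, salt))
    salt, nonce = server.challenge("alice")
    good = client_response(pw, salt, nonce)
    first = server.verify("alice", good)   # valid login
    replay = server.verify("alice", good)  # same response sent again
    salt, nonce = server.challenge("alice")
    wrong = server.verify("alice", client_response("guess", salt, nonce))
    return first, replay, wrong

if __name__ == "__main__":
    print(demo())
```

In this construction the stored hash is itself the verification secret, so items 5, 6 and 9 (encrypted transport, encrypted storage, restricted database access) still apply to it.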