Medium Level Application requirements

  1. An application security plan must exist.
  2. Data must not be cached on any server or client computer where the cached copy could compromise confidentiality.
  3. A reliable way to verify new authorized users must exist when creating accounts (whether created by administrators or by users), such as validation of an ID or employee number. Acceptable methods must be included in the application security plan.
  4. User passwords, or their hashes, must not be transmitted in the clear.
  5. User accounts cannot be reset with a single private question.
  6. User passwords cannot be stored on client computers.
  7. Sensitive data cannot be transmitted across the internet without being encrypted.
  8. Data must be stored on a different server than the web server.
  9. Data access must be limited to people with approved need.
  10. Only a hash of the password, or an encrypted password, may be stored.