These Data Security Evidence examples are intended to provide helpful information and assist you in completing Meta’s Data Protection Assessment. For any given question, please note there may be more than one way to demonstrate that you meet our requirements. Only a member of Meta’s review team can make a final determination on whether the evidence provided meets the requirements of our Data Protection Assessment. In addition to using this guide, we recommend consulting with your Chief Information Officer, the person with an equivalent role within your organization, or a qualified cybersecurity firm when preparing your responses to Meta’s Data Protection Assessment to ensure your responses are complete and accurate.
Create a data flow diagram or description that shows how your app or system processes Platform Data.
To meet our requirements, the data flow diagram or description should include:
When submitting evidence to support your data security measures, please refer to the Evidence Guide provided in this document for examples of acceptable evidence. We accept common document file types, screenshots, and screen recordings. Ensure that files are not password protected and do not exceed 2 GB each. Accepted file types include .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip, and .zipx.
Redacting Sensitive Data
Before submission, remove any sensitive data from your evidence. This includes, but is not limited to:
Types of Evidence Required
Meta requires two types of documentation for each data security question:
Guidelines for Evidence Submission
A developer has created and regularly updates a Data Security Policy, which describes how the organization securely processes and protects data of varying levels of sensitivity.
A policy of this type might contain the following sections:
AWS RDS - Encryption at rest is a configurable option in AWS RDS, so developers must make sure the option is enabled on every instance that holds Platform Data.
For a representative RDS instance that contains Platform Data, use the AWS CLI tool to fetch its StorageEncrypted configuration.
# List RDS instances in default region
$ aws rds describe-db-instances \
    --query 'DBInstances[*].DBInstanceIdentifier'
[
    "database-1",
    "database-2"
]

# For each instance returned, retrieve the storage encrypted config
$ aws rds describe-db-instances \
    --db-instance-identifier database-1 \
    --query 'DBInstances[*].StorageEncrypted'
[
    true
]
$ aws rds describe-db-instances \
    --db-instance-identifier database-2 \
    --query 'DBInstances[*].StorageEncrypted'
[
    true
]
You may also take a screenshot of the AWS console showing that storage encryption is enabled. Consult AWS documentation on encryption at rest.
AWS DynamoDB is encrypted at rest by default. You can fetch the encryption at rest configuration for a table using these commands.
$ aws dynamodb list-tables --output table
--------------
| ListTables |
+------------+
||TableNames||
|+----------+|
||  Users   ||
|+----------+|

$ aws dynamodb describe-table \
    --table-name Users \
    --query "Table.SSEDescription.Status"
"ENABLED"
AWS DocumentDB must be configured to apply encryption at rest. For a representative cluster that contains Platform Data, use these commands to fetch the StorageEncrypted configuration.
$ aws docdb describe-db-clusters --query 'DBClusters[*].DBClusterIdentifier'
[
    "docdb-users"
]
$ aws docdb describe-db-clusters \
    --db-cluster-identifier 'docdb-users' \
    --query 'DBClusters[*].StorageEncrypted'
[
    true
]
AWS S3 buckets may be configured to apply encryption at rest to all objects created within the bucket. Use these commands to list buckets and fetch the configuration for default bucket encryption.
$ aws s3api list-buckets --output table --query "Buckets[*].Name"
---------------------------------------------
|                ListBuckets                |
+-------------------------------------------+
|  platform.storage                         |
+-------------------------------------------+

$ aws s3api get-bucket-encryption \
    --bucket platform.storage \
    --query "ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault" \
    --output table
---------------------
|GetBucketEncryption|
+-------------------+
|   SSEAlgorithm    |
+-------------------+
|  AES256           |
+-------------------+
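The four checks above can be collected in one place. The following script is an added example (not from Meta's guide or from AWS): it reads the JSON that the describe/get commands return, whether from `aws ... --output json` or from boto3, and lists every store that is not encrypted at rest, so an empty result is the evidence. The sample responses are constructed.

```python
"""List AWS data stores that are not encrypted at rest (empty list == evidence)."""


def encryption_gaps(rds, docdb, dynamodb, s3):
    """Return one line per store that is NOT encrypted at rest.

    rds/docdb: full describe-db-instances / describe-db-clusters output.
    dynamodb:  {table_name: describe-table output}.
    s3:        {bucket_name: get-bucket-encryption output, or {} when that call
               failed with ServerSideEncryptionConfigurationNotFoundError}.
    """
    gaps = []
    for inst in rds.get("DBInstances", []):
        if not inst.get("StorageEncrypted", False):
            gaps.append(f"rds:{inst['DBInstanceIdentifier']} StorageEncrypted=false")
    for cluster in docdb.get("DBClusters", []):
        if not cluster.get("StorageEncrypted", False):
            gaps.append(f"docdb:{cluster['DBClusterIdentifier']} StorageEncrypted=false")
    for name, desc in dynamodb.items():
        # DynamoDB encrypts every table; describe-table only reports an
        # SSEDescription when a KMS key is applied, so a missing block is
        # treated as the default AWS owned key rather than as a gap.
        status = desc.get("Table", {}).get("SSEDescription", {}).get("Status", "ENABLED")
        if status != "ENABLED":
            gaps.append(f"dynamodb:{name} SSE status={status}")
    for name, cfg in s3.items():
        rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                 for r in rules} - {None}
        if not algos:
            gaps.append(f"s3:{name} no default bucket encryption rule")
    return gaps


# Constructed sample responses (not real account data); three stores have gaps.
SAMPLE = dict(
    rds={"DBInstances": [{"DBInstanceIdentifier": "database-1", "StorageEncrypted": True},
                         {"DBInstanceIdentifier": "database-2", "StorageEncrypted": False}]},
    docdb={"DBClusters": [{"DBClusterIdentifier": "docdb-users", "StorageEncrypted": True}]},
    dynamodb={"Users": {"Table": {"SSEDescription": {"Status": "ENABLED"}}},
              "Sessions": {"Table": {"SSEDescription": {"Status": "UPDATING"}}}},
    s3={"platform.storage": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "legacy-exports": {}},
)

if __name__ == "__main__":
    for line in encryption_gaps(**SAMPLE) or ["all stores encrypted at rest"]:
        print(line)
```

The output names only resources and their encryption flag, which is the level of detail the evidence needs; do not attach the full describe output, which carries endpoints and account details.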
Microsoft Azure
Consult Microsoft’s documentation on encryption at rest in Azure that’s relevant to the organization’s use of their services.
Google Cloud Platform
Consult Google’s documentation on encryption at rest on Google Cloud Platform.
A developer has created and regularly updates a Data Security Policy, which describes how the organization securely processes and protects data of varying levels of sensitivity.
See examples in section Q3.1-9.b.i of this page
Enforcing full disk encryption on managed devices (e.g., Intune/BitLocker on Windows or FileVault on Mac). https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices
M365/O365 Cheat Sheets & Templates
A developer has created and regularly updates an Acceptable Use Policy, which describes how the organization securely processes and handles data of varying levels of sensitivity.
The policy states that people in the organization must not store Meta Platform Data (or PII) on organizational devices (laptops, tablets, etc.) and removable media (USB devices, phones, etc.).
Some developers may have a related data handling or data classification policy that classifies the types of data that this prohibition applies to (e.g., all PII data).
A developer has created and regularly updates a Data Security Policy, which describes how the organization securely processes and protects data of varying levels of sensitivity, including through the use of encryption in transit.
See the example in section Q3.1-9.b.i of this page
Qualys SSL Report
A developer has created and regularly updates a Vulnerability Management Policy, which describes the organization’s vulnerability identification, testing, and remediation processes.
A policy of this type might contain the following sections:
SAST Scan from Snyk with findings: https://snyk.io/blog/sast-and-sca-better-together-with-snyk/
Example SAST Scan from GitLab with findings:
Example Acunetix DAST Scan with findings:
Example Penetration Test report that includes test date and a count of vulnerabilities showing no critical or high severity findings that are unremediated:
A developer has created and regularly updates a Cloud Security Policy, which describes the organization’s management, security controls/configurations, and remediation processes for their cloud environment.
A policy of this type might contain the following sections:
Cloud Configuration Review - A developer runs NCC Scout Suite with the default ruleset for their cloud provider (in this case, AWS) to review their cloud configuration for vulnerabilities and security issues. The tool outputs a JSON file containing the detailed run results. In this example, a number of issues are flagged at “Danger” severity that the developer needs to review and resolve. The raw NCC Scout Suite JSON file contains details about your cloud environment that you should not upload; instead, filter the results to show the count of findings by severity.
$ python3 scout.py aws --no-browser
2022-08-22 11:39:38 localhost scout[76981] INFO Saving data to scoutsuite-report/scoutsuite-results/scoutsuite_results_aws-043954759379.js

$ cd scoutsuite-report/scoutsuite-results
$ tail -n +2 scoutsuite_results_aws-043954750000.js | jq '. | {last_run}'
{
  "last_run": {
    "ruleset_about": "This ruleset consists of numerous rules that are considered standard by ********. The rules enabled range from violations of well-known security best practices to gaps resulting from less-known security implications of provider-specific mechanisms. Additional rules exist, some of them requiring extra-parameters to be configured, and some of them being applicable to a limited number of users.",
    "ruleset_name": "default",
    "run_parameters": {
      "excluded_regions": [],
      "regions": [],
      "services": [],
      "skipped_services": []
    },
    "summary": {
      "acm": {
        "checked_items": 4,
        "flagged_items": 2,
        "max_level": "warning",
        "resources_count": 2,
        "rules_count": 2
      },
      "awslambda": {
        "checked_items": 0,
        "flagged_items": 0,
        "max_level": "warning",
        "resources_count": 0,
        "rules_count": 0
      },
      "cloudformation": {
        "checked_items": 11,
        "flagged_items": 0,
        "max_level": "warning",
        "resources_count": 11,
        "rules_count": 1
      },
      ... some sections omitted for brevity ...
    },
    "time": "2022-08-22 11:42:25-0400",
    "version": "5.11.0"
  }
}
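An added example (not Meta's or NCC Group's code) of the filtering step: it parses the Scout Suite results .js file and reports only counts of flagged findings per level, dropping the resource names carried in each finding's `items` list. It assumes the file layout `scoutsuite_results =` followed by JSON whose `services.<service>.findings.<rule>` entries carry `level` and `flagged_items`; the sample file below is constructed.

```python
"""Reduce a Scout Suite results file to per-severity counts fit for submission."""
import json
from collections import Counter


def load_results(text):
    """Drop the JavaScript assignment prefix (what `tail -n +2` did) and parse the JSON."""
    return json.loads(text[text.index("{"):])


def severity_counts(results):
    """Count flagged findings per level across all services; no resource names survive."""
    by_level, rules_hit = Counter(), Counter()
    for data in results.get("services", {}).values():
        for finding in data.get("findings", {}).values():
            if finding.get("flagged_items", 0) > 0:
                by_level[finding["level"]] += finding["flagged_items"]
                rules_hit[finding["level"]] += 1
    run = results.get("last_run", {})
    return {"ruleset": run.get("ruleset_name"), "run_time": run.get("time"),
            "flagged_items_by_level": dict(by_level),
            "rules_triggered_by_level": dict(rules_hit)}


# Constructed miniature of a results file (not real scan output).
SAMPLE_JS = "scoutsuite_results =\n" + json.dumps({
    "last_run": {"ruleset_name": "default", "time": "2022-08-22 11:42:25-0400"},
    "services": {
        "s3": {"findings": {
            "s3-bucket-no-default-encryption": {
                "level": "danger", "flagged_items": 2,
                "items": ["s3.buckets.platform.storage", "s3.buckets.logs"]},
            "s3-bucket-no-versioning": {
                "level": "warning", "flagged_items": 1,
                "items": ["s3.buckets.logs"]}}},
        "iam": {"findings": {
            "iam-user-no-mfa": {
                "level": "danger", "flagged_items": 1,
                "items": ["iam.users.AIDAEXAMPLE.mfa_active"]}}},
    },
})

if __name__ == "__main__":
    print(json.dumps(severity_counts(load_results(SAMPLE_JS)), indent=2))
```

Run it against the real file with `severity_counts(load_results(open(path).read()))`; the returned dict is what to submit, not the file.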
Another approach to a cloud configuration review for developers using Amazon Web Services is to enable the AWS Foundational Security Best Practices ruleset in AWS Security Hub, as shown below.
# Show that AWS Foundational Security Best Practices are enabled
$ aws securityhub get-enabled-standards
{
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:043954759379:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsStatus": "READY"
        }
    ]
}

# Show that aggregator is configured for a representative region used to process Platform Data
$ aws securityhub list-finding-aggregators
$ aws securityhub get-finding-aggregator --finding-aggregator-arn '{REPLACE-WITH-FINDING-AGGREGATOR-ARN}'

# Demonstrate that the ruleset is running by fetching active findings and counting the number of lines of output
$ aws securityhub get-findings --query 'Findings[?RecordState==`ACTIVE`]' --filters '{"GeneratorId":[{"Value": "aws-foundational-security","Comparison":"PREFIX"}]}' --output text | wc -l
4876

# Demonstrate that there are no active critical severity findings
$ aws securityhub get-findings --query 'Findings[?Severity.Label==`CRITICAL`] | [?RecordState==`ACTIVE`] | [*][Title, GeneratorId]' --filters '{"GeneratorId":[{"Value": "aws-foundational-security","Comparison":"PREFIX"}]}'
[]
A developer has created a Cryptography Protection Standard that includes procedures on proper handling and protection of secrets or PII.
A policy of this type might contain the following sections:
An organization uses AWS Secrets Manager to securely store sensitive data, including the Meta App Secret.
An organization has configured its Meta app to require App Secret proof for API calls.
Examples of deploying application / column level encryption with common hosting providers:
A developer has created an Identity and Access Management policy that describes the way the organization handles the access management lifecycle and applies authentication protections like MFA.
A policy of this type might contain the following sections:
AzureAD
An organization uses AzureAD as their Single Sign On solution. This policy requires Multi-Factor Authentication.
The policy is then mapped to the cloud apps to which it applies. Using this approach, evidence should show the entire Selected items section to make it clear which cloud apps require MFA.
Okta
This rule requires MFA for all logins.
AWS IAM
This is an example of an AWS IAM policy that allows MFA configuration but forbids other actions if MFA is not present.
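The policy in the screenshot is not reproduced here. The following is an added example (not Meta's) of the same pattern AWS documents for self-service MFA, together with a deliberately simplified evaluator so the effect of the `BoolIfExists` condition can be checked: explicit deny overrides allow, action wildcards are matched, and resources and every other condition key are ignored.

```python
"""MFA-gating IAM policy plus a minimal evaluator (simplified IAM logic)."""
from fnmatch import fnmatch

# Actions a user needs in order to enrol and use MFA; everything else is gated.
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]

MFA_GATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListMFADevices", "Effect": "Allow",
         "Action": ["iam:ListVirtualMFADevices"], "Resource": "*"},
        {"Sid": "AllowManageOwnMFA", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                    "iam:DeactivateMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": ["arn:aws:iam::*:mfa/*", "arn:aws:iam::*:user/${aws:username}"]},
        # Explicit deny of everything not needed for MFA setup while the session
        # has no MFA. BoolIfExists also denies when the key is absent entirely.
        {"Sid": "DenyAllExceptMFASetupWithoutMFA", "Effect": "Deny",
         "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(fnmatch(action, pat) for pat in stmt["Action"])
    return not any(fnmatch(action, pat) for pat in stmt["NotAction"])


def _condition_holds(stmt, ctx):
    cond = stmt.get("Condition", {}).get("BoolIfExists", {})
    # BoolIfExists: a key missing from the request context counts as a match.
    return all(k not in ctx or str(ctx[k]).lower() == v for k, v in cond.items())


def evaluate(policy, action, mfa_present=None):
    """'deny' | 'allow' | 'implicit-deny' for one action; None = key absent."""
    ctx = {} if mfa_present is None else {"aws:MultiFactorAuthPresent": mfa_present}
    verdict = "implicit-deny"
    for stmt in policy["Statement"]:
        if _action_matches(stmt, action) and _condition_holds(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "deny"            # an explicit deny overrides any allow
            verdict = "allow"
    return verdict
```

Note that `iam:DeactivateMFADevice` is allowed only once MFA is present: it is in the Allow statement but deliberately absent from the `NotAction` list, so a session without MFA cannot remove the device.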
GitHub
An organization has configured GitHub authentication to require MFA for everyone in the organization.
A developer has created an Identity and Access Management policy that describes the way the organization handles the access management lifecycle and applies authentication protections like MFA.
See examples in section Q3.1-15.e.i of this page
Access Is Revoked for Departed Personnel:
A developer uses Workday as the authoritative source for Human Resources (HR) data, including current employment status. This developer uses Google Cloud Identity as their Identity Provider (IdP) for managing user accounts and granting access to information systems and tools.
A developer submits evidence that access is revoked for departed personnel by submitting a recent (i.e., within the past 12 months) reconciliation report showing that no active user accounts exist in Google Cloud Identity for people who are not active employees according to a Workday report of current employees.
Access is Revoked When No Longer Used:
A developer uses Google Cloud Identity as their Identity Provider (IdP) for managing user accounts and granting access to information systems and tools.
A developer submits evidence that access is revoked when it is no longer used (e.g., no logins in the past 6 months) by submitting their user directory sorted by last sign-in, demonstrating that no active user accounts have a last sign-in older than this.
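The two checks above as one reconciliation routine, added here as an example rather than a Workday or Google Cloud Identity export (both data sets are constructed): it flags active IdP accounts with no matching active HR record, and accounts with no sign-in inside the cut-off, which is set to 182 days to stand in for the six months above.

```python
"""Reconcile IdP accounts against HR data and flag dormant accounts."""
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real exports).
HR_ACTIVE_EMPLOYEES = ["alice@example.com", "Bob@example.com "]
IDP_USERS = [
    {"email": "alice@example.com", "suspended": False, "last_login": "2024-05-30T09:12:00Z"},
    {"email": "bob@example.com",   "suspended": False, "last_login": "2023-10-01T08:00:00Z"},
    {"email": "carol@example.com", "suspended": False, "last_login": "2024-05-29T17:45:00Z"},
    {"email": "dave@example.com",  "suspended": True,  "last_login": "2023-01-15T10:00:00Z"},
    {"email": "svc-deploy@example.com", "suspended": False, "last_login": None},
]
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for the sample


def reconcile(idp_users, hr_active, now, dormant_after=timedelta(days=182)):
    """Return the two lists an auditor needs; both empty is the evidence.

    departed: active IdP accounts with no matching active HR record.
    dormant:  active IdP accounts whose last sign-in is older than the
              cut-off, or that have never signed in (treated as dormant).
    """
    active_hr = {e.strip().lower() for e in hr_active}   # normalise both sides
    departed, dormant = [], []
    for user in idp_users:
        if user["suspended"]:
            continue                        # already revoked; not a finding
        email = user["email"].strip().lower()
        if email not in active_hr:
            departed.append(email)
        last = user["last_login"]
        if last is None:
            dormant.append(email)
        elif now - datetime.fromisoformat(last.replace("Z", "+00:00")) > dormant_after:
            dormant.append(email)
    return {"departed": sorted(departed), "dormant": sorted(dormant)}


if __name__ == "__main__":
    print(reconcile(IDP_USERS, HR_ACTIVE_EMPLOYEES, datetime.now(timezone.utc)))
```

Service or break-glass accounts that are legitimately absent from HR should appear in the output and be covered by a documented exception list, not removed from the input.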
GitHub (Code Repository):
A developer uses a Single Sign On (SSO) tool for identity management and granting access to information systems and tools. The developer has configured GitHub to require SSO authentication.
A developer has created a Patch Management Policy that describes how the organization will identify, prioritize, test, and deploy patches in their various environments (e.g., mobile, backend, organizational device endpoints).
See example in section Q3.1-12.b.i of this page
Snyk for a NodeJS app
A developer uses the Snyk Command Line Interface (CLI) to identify packaged third-party dependencies that have known security vulnerabilities and to prioritize them based on the severity of those vulnerabilities.
Snyk Dashboard
Trivy
A developer uses Trivy to find vulnerabilities in a machine image. The example image below shows high severity vulnerabilities in libraries included in this image that need to be patched.
NPM Audit
AWS inspector
Github Security Alerts Enabled
Puppet
Chef
Ansible
Snyk (Dependency/Components/Library files) scan
Black Duck by Synopsys
Sonatype Nexus Lifecycle
Mend
Veracode
OWASP’s Dependency-Check
OWASP Dependency-Track
GitLab Dependency Scanning
JFrog Xray
Windows Defender (Antivirus)
The evidence must demonstrate that your entire organization has Windows Defender enforced.
WSUS (Windows Server Update Services)
Browsers, operating systems, and other applications used by employees / contributors: SCCM (System Center Configuration Manager)
A developer has created a Logging and Monitoring Policy that includes procedures for collecting, correlating, maintaining, and taking appropriate action on auditable events.
A policy of this type might contain the following sections:
Local Windows Event viewer
Windows Security Event auditing example
SolarWinds Event correlation workflow example
Windows PowerShell