Access to the Home Energy Scoring system is restricted to U.S. Department of Energy HEScore administrators. Supporting IT staff at Pacific Northwest National Laboratory have maintenance access to the underlying hardware/virtual infrastructure for HEScore.
- The HEScore system maintains log records and send logs to a central collection point. These logs are used to detect malicious activity. For example, failed logins to the system are reviewed.
- The HEScore system is maintained and patched by professional IT staff.
- The HEScore system follows best practices in firewalling and reducing network exposure by only allowing network traffic required for business needs. For example, database connectivity is limited to the IP addresses of the web servers.
- Data stored by HEScore is hosted at Amazon and stored in a MySQL database.
- There is no encryption on the data stored in the HEScore databases.
- Only a zip code is required to run the HEScore application. All other data are optional input. The optional login utility requires having a Facebook account.
- Information provided by users may be shared with research collaborators and partners who help provide this service. We also may share the information provided through HEScore with the DOE and/or other federal agencies.
- No system is immune from compromise. However, if a compromise or data breach is detected, IT staff follow incident response procedures that include taking affected systems offline and performing forensics to identify the cause and extent of the breach. To ensure system integrity, any compromised system is rebuilt from original media.