Access to the Home Energy Scoring system is restricted to U.S. Department of Energy HEScore administrators. Supporting IT staff at Pacific Northwest National Laboratory have maintenance access to the underlying hardware/virtual infrastructure for HEScore.
- The HEScore system is maintained and patched by professional IT staff.
- The HEScore system follows best practices in firewalling and reducing network exposure by only allowing network traffic required for business needs. For example, database connectivity is limited to the IP addresses of the web servers.
- Data stored by HEScore is hosted at Amazon and stored in a MySQL database.
- There is no encryption on the data stored in the HEScore databases.
- Information provided by users may be shared with research collaborators and partners who help provide this service. We also may share the information provided through HEScore with the DOE and/or other federal agencies.
- No system is immune from compromise. However, if a compromise or data breach is detected, IT staff follow incident response procedures that include taking affected systems offline and performing forensics to identify the cause and extent of the breach. To ensure system integrity, any compromised system is rebuilt from original media.
- Access to the API and the data accessible by the API is restricted at the application level by a secret API access key provided to developers of software that accesses the application. The API and the data accessibly by the API are further restricted based on user roles, with all API interactions requiring user authentication.