ON-TRAIN. The Supplier should undertake a security-informed risk assessment on the Service provided which:
ON-TRAIN. The Supplier should undertake full systems and software identification / classification & impact assessment for cyber threats and record sufficient information about identified systems to allow effective assessment of system vulnerability.
ON-TRAIN. Suppliers shall provide obsolescence management for the design life of the rolling stock and should include all rolling stock-related hardware, software and firmware.
ON-TRAIN. Verify that the addition of security features does not adversely affect connectivity, latency, bandwidth, response time, and throughput, when connected to existing equipment.
ON-TRAIN. Suppliers shall ensure that the system architecture and design for services provided meets Industry Standard and best practice including network, device, and physical security, with relevant segregation from other services and critical systems as there is an increased risk of cyber-attacks if passengers are permitted access to a network used for train systems.
ON-TRAIN. Suppliers shall ensure where feasible Open Source Software (“OSS”) be used for non-safety critical systems that collect, process or store data. OSS has a variety of benefits including cost reduction, software customization, collaboration and innovation, good security, risk reduction and market penetration.
ON-TRAIN. Suppliers shall follow Secure Development Practices to ensure secure product development is integrated into the System Development Life Cycle (“SDLC”) to reduce the security risks of the Goods provided.
ON-TRAIN. Provide clear and written verification documentation that the safety system is certified after incorporating the security devices. The following definitions shall apply to this Schedule:
ON-TRAIN. Conduct security testing of its information technology systems used to provide the Services, (as detailed in clause 4 of the Minimum Security Measures). In addition, the Supplier shall for ON-TRAIN:
ON-TRAIN. Provide clear and written verification documentation that the safety system is certified after incorporating the security devices. SECURE DEVELOPMENT (SECURE-DEV) – additional schedule The following Secure Development additional schedule shall apply if the Services and or [Goods] involve the production of systems and software applications.
