ON-TRAIN. The Supplier should undertake a security-informed risk assessment on the Service provided which:
a) identifies threats, vulnerabilities and impact;
b) analyses likelihood and consequences; and
c) ultimately evaluates risks against risk appetite and demonstrates the adequacy of the assessment process and suitability of the techniques employed. The Supplier should document and implement one or more cybersecurity policies for applicable systems, which will address the risks that have been identified.
ON-TRAIN. The Supplier should undertake full systems and software identification / classification & impact assessment for cyber threats and record sufficient information about identified systems to allow effective assessment of system vulnerability.
ON-TRAIN. Suppliers shall provide obsolescence management for the design life of the rolling stock and should include all rolling stock-related hardware, software and firmware.
ON-TRAIN. Verify that the addition of security features does not adversely affect connectivity, latency, bandwidth, response time, and throughput, when connected to existing equipment.
ON-TRAIN. Suppliers shall ensure that the system architecture and design for services provided meets Industry Standard and best practice including network, device, and physical security, with relevant segregation from other services and critical systems as there is an increased risk of cyber-attacks if passengers are permitted access to a network used for train systems.
ON-TRAIN. Suppliers shall ensure where feasible Open Source Software (“OSS”) be used for non-safety critical systems that collect, process or store data. OSS has a variety of benefits including cost reduction, software customization, collaboration and innovation, good security, risk reduction and market penetration.
ON-TRAIN. Suppliers shall follow Secure Development Practices to ensure secure product development is integrated into the System Development Life Cycle (“SDLC”) to reduce the security risks of the Goods provided.
ON-TRAIN. Provide clear and written verification documentation that the safety system is certified after incorporating the security devices.
ON-TRAIN. Conduct security testing of its information technology systems used to provide the Services, (as detailed in clause 4 of the Minimum Security Measures). In addition, the Supplier shall for ON-TRAIN:
a) ON-TRAIN. it is recommended that the Supplier provide the following:
i) prior to contract award (to help the Customer understand the Supplier Service capabilities);
ii) post contract award but prior to product delivery; and
iii) post product delivery annually or whenever significant changes or updates are made to the Services or technology.
ON-TRAIN. Provide clear and written verification documentation that the safety system is certified after incorporating the security devices.
1) SECURE-DEV. Suppliers should adhere to the principles of good security practice for system and software application development. The Supplier will conform to the following requirements:
a) System development methodology - There will be a documented system development methodology to ensure that systems and applications meet business and information security requirements. These will be based upon sound systems development and project management principles.
b) Documented environments - System development will be performed in appropriate development environments, separated from test and production environments protected from illegitimate access. The environment will be secure.
