Technical Security Requirements Clause Samples
Technical Security Requirements. 6.1. The systems used to access or manage DCC Data must be under the management authority of the Contractor and have a minimum set of security policy configuration enforced. Such configuration shall be described in the Security Management Plan, and include consideration of:
6.1.1. firewalls and other perimeter security controls;
6.1.2. malicious software protection such as anti-virus software;
6.1.3. password complexity, lifespan and management;
6.1.4. security dependencies and responsibilities on suppliers for hosted or ‘cloud’ services and systems.
6.2. When DCC Data resides on a mobile, removable or physically uncontrolled device it must be stored encrypted using a product or service that is recognised as providing a standard to Good Industry Practice.
6.3. The ‘principle of least privilege’ (the practice of limiting systems, processes and user access to the minimum possible level) shall be applied to the design and configuration of IT equipment used to provide the Services.
6.4. The Contractor shall operate an access control regime to ensure all users and administrators of the Contractor System are uniquely identified and authenticated when accessing or administrating the Contractor System. Applying the ‘principle of least privilege’, users and administrators shall be allowed access only to those parts of the Contractor System they require. The Contractor shall retain an audit record of accesses.
6.5. The Contractor shall ensure that any systems hosting internet-facing web services as part of the Services, whether part of the Contractor System or those provided by a sub-contractor, will be designed to ensure that:
6.5.1. user connections are appropriately secured and encrypted using transport layer security with an appropriate selection of cipher suites in accordance with Good Industry Practice;
6.5.2. user input is processed in a way to detect and prevent malformed input intended to cause undesired behaviour;
6.5.3. users cannot submit uniform resource locators that enable security controls to be bypassed or that cause undesired behaviour; and
6.5.4. use of the Services is subject to security event audit recording and monitoring so that malicious behaviour is detected and responded to in a timely manner.
Technical Security Requirements. The Service will:
Ensure that any Council data which resides on a mobile, removable or physically uncontrolled device is stored encrypted using a product which has been formally assured through a recognised certification process.
Ensure that any Council data which it causes to be transmitted over any public network (including the Internet, mobile networks or un-protected enterprise network) or to a mobile device shall be encrypted when transmitted.
Must operate an appropriate access control regime to ensure users and administrators are uniquely identified.
Ensure that any device which is used to process Council data meets all of the security requirements set out in the National Cyber Security Centre (NCSC) End User Devices Platform Security Guidance.
At their own cost and expense, procure an IT Health Check from a certified supplier and penetration test performed prior to any live data being transferred into their systems.
Perform a technical information risk assessment on the service supplied and be able to demonstrate what controls are in place to address those risks.
Collect audit records which relate to security events in delivery of the Service or that would support the analysis of potential and actual compromises. The retention period for audit records and event logs shall be a minimum of 6 months.
Must be able to demonstrate they can supply a copy of all data on request or at termination, and must be able to securely erase or destroy all data and media that the Council data has been stored and processed on.
Not, and will procure that none of its sub-contractors, process the Council’s data outside the European Economic Area (EEA).
Implement security patches to vulnerabilities in accordance with the timescales specified in the NCSC Cloud Security Principle 5.
Ensure that the service is designed in accordance with NCSC principles, security design principles for digital services, bulk data and cloud security principle.
Implement such additional measures as agreed with the Council from time to time in order to ensure that such information is safeguarded in accordance with the applicable legislative and regulatory obligations.
