Technical Security Requirements. 6.1. The systems used to access or manage DCC Data must be under the management authority of the Contractor and have a minimum set of security policy configuration enforced. Such configuration shall be described in the Security Management Plan, and include consideration of:
6.1.1. firewalls and other perimeter security controls;
6.1.2. malicious software protection such as anti-virus software;
6.1.3. password complexity, lifespan and management;
6.1.4. security dependencies and responsibilities on suppliers for hosted or ‘cloud’ services and systems.
6.2. When DCC Data resides on a mobile, removable or physically uncontrolled device it must be stored encrypted using a product or service that is recognised as providing a standard to Good Industry Practice.
6.3. The ‘principle of least privilege’ (the practice of limiting systems, processes and user access to the minimum possible level) shall be applied to the design and configuration of IT equipment used to provide the Services.
6.4. The Contractor shall operate an access control regime to ensure all users and administrators of the Contractor System are uniquely identified and authenticated when accessing or administrating the Contractor System. Applying the ‘principle of least privilege’, users and administrators shall be allowed access only to those parts of the Contractor System they require. The Contractor shall retain an audit record of accesses.
6.5. The Contractor shall ensure that any systems hosting internet-facing web services as part of the Services, whether part of the Contractor System or those provided by a sub-contractor, will be designed to ensure that:
6.5.1. user connections are appropriately secured and encrypted using transport layer security with an appropriate selection of cipher suites in accordance with Good Industry Practice;
6.5.2. user input is processed in a way to detect and prevent malformed input intended to cause undesired behaviour;
6.5.3. users cannot submit uniform resource locators that enable security controls to be bypassed or that cause undesired behaviour; and
6.5.4. use of the Services is subject to security event audit recording and monitoring so that malicious behaviour is detected and responded to in a timely manner.
Appears in 3 contracts
Samples: Governance, Risk and Compliance Solution, Supplier Relationship Management Agreement, Employee Value Proposition
Technical Security Requirements. 6.1. The systems used to access or manage DCC Data must be under the management authority of the Contractor and have a minimum set of security policy configuration enforced. Such configuration shall be described in the Security Management Plan, and include consideration of:
6.1.1. firewalls and other perimeter security controls;
6.1.2. malicious software protection such as anti-virus software;
6.1.3. password complexity, lifespan and management;
6.1.4. security dependencies and responsibilities on suppliers for hosted or ‘cloud’ services and systems.
6.2. When DCC Data resides on a mobile, removable or physically uncontrolled device it must be stored encrypted using a product or service that is recognised as providing a standard to Good Industry Practice.
6.3. The ‘principle of least privilege’ (the practice of limiting systems, processes and user access to the minimum possible level) shall be applied to the design and configuration of IT equipment used to provide the Services.
6.4. The Contractor shall operate an access control regime to ensure all users and administrators of the Contractor System are uniquely identified and authenticated when accessing or administrating the Contractor System. Applying the ‘principle of least privilege’, users and administrators shall be allowed access only to those parts of the Contractor System they require. The Contractor shall retain an audit record of accesses.
6.5. The Contractor shall ensure that any systems hosting internet-facing web services as part of the Services, whether part of the Contractor System or those provided by a sub-contractor, will be designed to ensure that:
6.5.1. user connections are appropriately secured and encrypted using transport layer security with an appropriate selection of cipher suites in accordance with Good Industry Practice;
6.5.2. user input is processed in a way to detect and prevent malformed input intended to cause undesired behaviour;
6.5.3. users cannot submit uniform resource locators that enable security controls to be bypassed or that cause undesired behaviour; and
6.5.4. use of the Services is subject to security event audit recording and monitoring so that malicious behaviour is detected and responded to in a timely manner.
6.6. The Contractor shall ensure that systems hosting internet-facing web services as part of the Services, whether part of the Contractor System or those provided by a sub-contractor, will be subject to a test to identify security vulnerabilities in the systems to a Good Industry Practice standard.
6.7. The Contractor shall seek to remediate issues identified by tests to identify security vulnerabilities in the systems within time periods defined in the Security Management Plan, based on Good Industry Practice for categorising such issues.
6.8. The Contractor shall procure the application of security patches to vulnerabilities within time periods defined in the Security Management Plan, based on Good Industry Practice for categorising vulnerabilities, except where:
6.8.1. the Contractor can demonstrate that a vulnerability is not exploitable within the context of any Service; or
6.8.2. the application of a security patch adversely affects the Contractor’s ability to deliver the Services in which case the Contractor shall request an extension from the DCC that includes a security patch test plan.
6.9. The Contractor System shall be maintained with the provision for major version upgrades of all commercial off-the-shelf software to be upgraded within 6 months of the release of the latest version, such that it is no more than one major version level below the latest release throughout the Term unless:
6.9.1. where upgrading such commercial off-the-shelf software reduces the level of mitigations to known threats, vulnerabilities or exploitation techniques, provided always that such upgrade is made within 12 months of release of the latest version; or
6.9.2. is agreed with DCC in writing.
6.10. The Contractor shall collect audit records which relate to security events in the systems or that would support the analysis of potential or actual compromises. In order to facilitate effective monitoring and forensic readiness such Contractor audit records should as a minimum include:
Appears in 1 contract
Samples: Contract for Services