BUSINESS REQUIREMENTS

Scope Ref Req Requirement

Area Type
Security
Security 1 Security
Security - 10.01 F Application processes must be designed to run
Access Control with the minimum access rights required for the
correct operation.
Security - 10.02 F Systems must only provide access to named
Access Control individuals with a valid reason to access the
system.
Security - 10.03 F Privilege escalation must be for the minimum
Access Control required time only.
Security - 10.04 F Each user account will be assigned to a single
Access Control end user.
Security - 10.05 F
Access Control Each account will be accessed by one person.
Security - 10.06 F Systems will only allow access from un-trusted
Access Control access network domains using approved access
methods.
Security - 10.08 F Administrative Account Activities must be
Access Control attributed to a named user.
Security - 10.09 F A list will be maintained of all privileged accounts
Access Control
Security - 10.1 F The list will include the privileged account name,
Access Control the role(s) that the privileged account has, the
details of who the privileged account is assigned
to. Date and time.
Security - 10.11 F All Privileged accounts will follow a pre-defined
Access Control naming convention.
Security - 10.12 F When in use all privileged accounts will be
Access Control assigned to individual users.
Security - 10.13 F Users with access to a Privileged account will be
Access Control required to login interactively to the system with
their Standard User account.
Security - 10.14 F Interactive login with a generic administrative
Access Control account will be prohibited.
Security - 10.15 F If a generic administrative account is retrieved
Access Control and used by an individual a process will be in
place to change the password for the generic
administrative account..
Security - 11.01 F A process will be in place in life to review the
Access access assigned to individual users.
Management
Security - 11.02 F The account creation process will only be
Access initiated once an approved person has authorised
Management the account creation.
Security - 11.03 F An In life process will be in place to review the
Access access assigned to an individual user account.
Management
Security - 11.05 F The frequency of User Access Reviews should
Access conducted at pre-approved intervals.
Management
Security - 11.05 F Standard Users with access to data held In
Access Confidence should be reviewed every 90 days.
Management
Security - 11.06 F Standard Users with access to data held In The
Access Strictest Confidence should be reviewed every 90
Management days.
Security - 11.07 F All Privileged account access should be reviewed
Access every 90 days.
Management
Security - 11.08 F A User Access review will involve confirmation
Access from the users line manager or an approved
Management alternative contact that the users access to the
system is still required.
Security - 11.09 F A process will be in place to monitor account
Access usage.
Management
Security - 11.1 F The process will generate an alert if the user
Access account is inactive.
Management
Security - 11.11 F A process will be in place to disable User
Access Accounts after a period of inactivity.
Management
Security - 11.12 F A process will be in place to delete disabled
Access inactive user accounts after a 60 days.
Management
Security - 11.13 F A process will be in place to delete disabled user
Access accounts after 90 days.
Management
Security - 11.14 F A process will be in place to review the user
Access access required if the user moves job roles.
Management
Security - 11.15 F A process will be in place to delete a user
Access account if the user leave the company.
Management
Security - 11.16 F The process to disable/delete user accounts will
Access be documented.
Management
Security - 11.17 F The process to disable/delete user accounts will
Access be auditable.
Management
Authentication 12.01 F Access to the system will be controlled through
the authentication of users.
Authentication 12.02 F Users who have not authenticated will be unable
to gain access to the system.
Authentication 12.03 F The login page will contain only the information
required for authentication. E.g. Username,
Password and Domain.
Authentication 12.04 F Autocomplete functions will be disabled on
authentication pages and interfaces.
Authentication 12.05 F Passwords will not be displayed in clear text by
an authentication interface.
Authentication 12.06 F Authentication credentials will be protected in
Transit using TSL Encryption or Higher.
Authentication 12.07 F Authentication credentials will not be transmitted
as part of a URL.
Authentication 12.08 F Authentication credentials will be prevented from
caching on the client side.
Authentication 12.09 F Authentication credentials will be prevented from
caching on intermediary nodes.
Authentication 12.1 F The system will only perform input validation
once both the username and password has been
Authentication 12.11 F entered.
If failure occurs during logon only anonymous
help must be given i.e. it must not be possible
without further reference to interpret the failure
message to know what part of the log-on
Authentication 12.12 F sequence
Processinghas failed.
time for correct and incorrect logins
should not be noticeably different.
Authentication 12.13 F The authentication solution will pass encrypted
authentication details between the client and the
server.
Authentication 12.14 F The system will automatically lock user accounts
after 5 failed attempts.
Authentication 12.15 F Locked user accounts should not be automatically
unlocked.
Authentication 12.16 F A locked user account should only be unlocked
after contact be the account owner to an
intermediary or support team.
Authentication 12.17 F An alarm will be generated when an account is
manually unlocked.
Authentication 12.18 F Access to the system will be controlled through
the authorisation of user accounts that will assign
valid permissions to access the system.
Authentication 12.19 F The account holder will only have access to the
functionality for which they have been granted
access rights to use.
Authentication 12.2 F The account holder will be prevent from
accessing functionality for which they have no
access rights to use.
Authentication 12.21 F The account holder will loose access to the
functionality for which they have previously been
granted when the access rights are removed.
Authentication 12.22 F It will be possible to report on the user account
details that have access to the system.
It will be possible to report on the roles that each
user account has and the areas of the system
that they are allowed access to.
Authentication 12.23 F Access will be granted on a least privilege basis
so that user accounts will be prevented from
accessing personal data that they do not need to
Authentication 12.24 F see.
A process will be in place to review the user
access available in the system.
Password 13.01 F Appropriate security controls will be in place to
Security protect passwords stored locally in the system.
Password 13.02 F Passwords stored locally in the system should be
Security encrypted.
Password 13.03 F A two way password hashing function should be
Security in use.
Password 13.04 F Passwords will be stored away from system data
Security and files.
Password 13.05 F Access to location where passwords are stored
Security will be configured in such a way to only allow
privileged users to access the data.
Password 13.06 F A policy will be in place to force all standard user
Security accounts to change the password.
Password 13.07 F The password change policy will force users to
Security change their passwords on a maximum 90 day
interval.
Password 13.08 F The password policy will prohibit the reuse of the
Security previous 6 passwords.
Password 13.09 F The password policy will prevent the user from
Security choosing a password related to the userid.

Password 13.1 F The password policy will prevent the user from
Security choosing a password related to the users identity.

Password 13.11 F The password policy will prevent the user from
Security choosing a password related to the date.

Password 13.12 F For a standard user account the password policy

Security will force the user to choose a password that is a
minimum of eight characters long.

Password 13.13 F For a privileged user account the password policy

Security will force the user to choose a password that is a
minimum of twelve characters long.

Password 13.14 F The password policy will not restrict a user from
Security choosing any characters in the creation of their
password.
Password 13.15 F The password policy will prevent the user form
Security selecting a password commonly found in
dictionaries of commonly used passwords.
Password 13.16 F The password policy should prevent a user from
Security setting a password that an be easily guessed.
Password 13.17 F The password policy will force the user to select a
Security password with at least one character from each
of the following character sets:
o decimal number: (0... 9)
o capital case letter: (A... Z)
o lower case letter: (a… z)
o non alpha-numeric
Password 13.18 F Passwords will not be displayed in clear text
Security anywhere in the system.
Password 13.19 F Systems must not be deployed with default
Security credentials.

Password 13.2 F Any default or supplied user ids or passwords e.g.

Security manufacturers’ supplied passwords, must be
changed as soon as the system/application is
loaded within a company environment.

Session 14.01 F Systems should not permit multiple sessions

Termination using the same User ID.
Session 14.02 F An alert should be generated if an account is
Termination used to login more once.
Session 14.03 F User sessions will be terminated after a
Termination maximum of 30 minutes inactivity.
Session 14.04 F When a time-out occurs the screen will be
Termination cleared of all displayed information.
Session 14.05 F A user session must not exceed 12 hours
Termination
Logging 15.01 F User Access to the system will be controlled via
an approved logging service
1
 DCR 4235, giraffe trigger
SEVAS 11-Apr Deployed to PCRF
CRQ000000077723 Giraffe project