ERP - Security Requirements - Vendor


Information Security Requirements - Vendor

Application Architecture

Requirement | Comment
Application should support 3-tier architecture | Yes
Does the application support High Availability? | No, current Arch is single/single
Segregation between production and test servers; should be confirmed by IP addresses | Customer to Confirm
Application should have one function per server (database servers, web servers, application servers should be separate) | One application server and one separate DB server
Web interface must support secure encrypted communication (TLS v1.2/HTTPS/SFTP) | Yes
Communication between Database and Application should be encrypted (“Encrypted communication must be enabled over DB configuration”) | NA
High level architecture diagram that includes the ERP system components and the other systems connected to it (“if any”) |
Low level diagram that includes data flow, services, and ports between all system components |
Access control

Requirement | Comment
State the security account matrix which identifies the actions, privileges, and workflow of each account (user/admin) |
The system shall enforce the restriction that users have one concurrent session at a time. | Configurable
Internal applications should integrate with Active Directory | NA, requires SSO
Inactive user accounts shall be removed or disabled at least after 90 days of inactivity | Available
Login error messages are not too informative (must not specify whether the username or the password is incorrect) | NA
Limit repeated access attempts by locking out the user ID after not more than six attempts. | Available
Lockout duration minimum of 30 minutes or until an administrator enables the user ID. | Custom
The application must not store the user login credentials and passwords in clear text format | Yes, encrypted in DB
The application must not store sensitive authentication data post-authorization | Yes
The application must not transmit the login credentials in clear text over any part of the network; all login operations must be conducted using secure encrypted protocols | Yes
Application should have a User Password change module for users to change their own passwords, providing the old password | Available
Segregation between Administrative interface and standard user interface | Default Interface, depends on user privileges
Administrative interface should not be reachable from the internet | Yes
Change user passwords/passphrases at least every 90 days. | Available
Do not allow a user to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. |
Set passwords/phrases for first-time use and upon reset to a unique value for each user and change immediately after the first use. | Available
Enforce Password Complexity Policy (see list below) | Available
- Require a minimum length of at least eight characters.
- Contain both numeric and alphabetic characters
Session Timeout [max 15 minutes] | Available
No admin should have direct access to the databases; all access should be done through programmatic methods through a dedicated app database user. | Available, Onsite DBA to manage
Only database administrators have the ability to directly access or query databases. | DBAs, also Developers need to query database
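The lockout, session and inactivity rows above describe one coherent account-state policy. The following is an added example (not code from the vendor or the questionnaire) showing how those rows combine into login logic: lockout after six failures for 30 minutes or until an administrator unlocks, a single concurrent session with a 15-minute idle limit, disabling after 90 days without a login, and a generic error message that never says which part of the credential was wrong. The class, function and field names, and the sample users in the test, are assumptions made for this illustration.

```python
# Added example, not part of the vendor questionnaire: a minimal account model
# that enforces the Access control rows above. Names and values are constructed.
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 6                   # lock after not more than six attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # or until an administrator re-enables
SESSION_IDLE_LIMIT = timedelta(minutes=15)
INACTIVITY_LIMIT = timedelta(days=90)     # disable dormant accounts
GENERIC_ERROR = "Login failed"            # never reveals which part was wrong


@dataclass
class Account:
    username: str
    secret: str                            # stand-in for a stored credential check
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False
    last_login: Optional[datetime] = None
    session_id: Optional[str] = None       # at most one concurrent session
    last_seen: Optional[datetime] = None


def login(accounts: Dict[str, Account], username: str, password: str,
          now: datetime, session_id: str) -> Tuple[bool, str]:
    """Authenticate; every failure path returns the same generic message."""
    acct = accounts.get(username)
    if acct is None or acct.disabled:
        return False, GENERIC_ERROR        # unknown user looks like a bad password
    if acct.last_login and now - acct.last_login > INACTIVITY_LIMIT:
        acct.disabled = True               # 90 days idle: disable the account
        return False, GENERIC_ERROR
    if acct.locked_until:
        if now < acct.locked_until:
            return False, GENERIC_ERROR    # still locked, even with the right password
        acct.failed_attempts = 0           # lock expired: start counting afresh
        acct.locked_until = None
    if not hmac.compare_digest(password.encode(), acct.secret.encode()):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
        return False, GENERIC_ERROR
    # success: reset counters and replace any existing session
    acct.failed_attempts = 0
    acct.locked_until = None
    acct.last_login = now
    acct.session_id, acct.last_seen = session_id, now
    return True, "ok"


def admin_unlock(acct: Account) -> None:
    """Administrator re-enables a locked ID before the 30 minutes elapse."""
    acct.failed_attempts = 0
    acct.locked_until = None


def session_valid(acct: Account, session_id: str, now: datetime) -> bool:
    """True only for the single current session and only within the idle limit."""
    if acct.session_id != session_id or acct.last_seen is None:
        return False
    if now - acct.last_seen > SESSION_IDLE_LIMIT:
        acct.session_id = None             # expire the idle session
        return False
    acct.last_seen = now
    return True
```

The unknown-user and wrong-password paths deliberately return the identical tuple, which is the property the "login error messages are not too informative" row asks for; a reviewer can test it directly rather than reading the UI strings.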

Logging

Requirement | Comment
All solution assets are capable of generating logs & audit trails | Yes
At least the following details must be provided with each logged event (see list below) | Configurable per required logging level
- Date and time
- Type of event
- Success or failure indication
- IP address of the origin
- Workstation ID of the origin
- Identity or name of affected data, system component, or resource
- User ID
Secure audit trails so they cannot be altered, and protect log files from unauthorized modification. | Available
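The two logging requirements that carry substance are the mandatory field set and tamper protection. The following is an added example (not code from the vendor or the questionnaire) of an append-only audit trail that rejects records missing any of the seven listed fields and chains each record to the previous one with SHA-256, so that a later edit of any stored record is detectable. The field names, class name and the sample ERP events in the test are assumptions made for this illustration.

```python
# Added example, not part of the questionnaire: an audit trail whose records
# carry the seven fields listed above and are hash-chained for tamper evidence.
# Field names and sample events are constructed for illustration.
import hashlib
import json
from typing import List, Optional, Tuple

REQUIRED_FIELDS = (
    "timestamp",        # date and time (UTC, ISO 8601)
    "event_type",       # type of event, e.g. "login"
    "outcome",          # "success" or "failure"
    "source_ip",        # IP address of the origin
    "workstation_id",   # workstation ID of the origin
    "target",           # affected data, system component, or resource
    "user_id",          # user ID
)
GENESIS = "0" * 64      # chain starts from a fixed all-zero link


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []   # (canonical record, chain link)
        self._head = GENESIS

    def append(self, **fields) -> str:
        """Validate the record, link it to the previous one, return the new link."""
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit record missing fields: {missing}")
        if fields["outcome"] not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        # canonical JSON so the same event always hashes the same way
        record = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        link = hashlib.sha256((self._head + record).encode()).hexdigest()
        self.entries.append((record, link))
        self._head = link
        return link

    def verify(self) -> Optional[int]:
        """Return the index of the first record whose link no longer matches, or None."""
        prev = GENESIS
        for index, (record, link) in enumerate(self.entries):
            if hashlib.sha256((prev + record).encode()).hexdigest() != link:
                return index
            prev = link
        return None

    def head(self) -> str:
        """Current chain head; copy it somewhere the log writer cannot modify."""
        return self._head
```

A chain stored next to the records only proves integrity relative to a head value the verifier trusts; an administrator with write access to the store could recompute the whole chain. The usual complement is to forward the head (or the records themselves) to a separate collector or write-once store at short intervals, which is what the "cannot be altered" row is really asking the vendor to support.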

DB Hardening

Requirement | Comment
DB needs to be on a supported version with the latest patches applied | Would be after upgrade
Change vendor-supplied defaults and remove or disable unnecessary default accounts on DB. | Available
Application users' passwords should be hashed in DB using SHA-256 with a salted value | All passwords are encrypted
Application DB user should be stored encrypted in the config file; the encryption key should be stored securely | Yes
Change the root/Administrator password and store it in a safe | Doable
DB should be integrated with AD (Active Directory) | NA
DB account lockout at max 6 attempts, and account lockout duration should be min 30 min | Configurable
DB session timeout should be at max 15 min | Configurable
Password policy on DB level (see list below) | Available
- Password length at least 7 characters
- Password complexity: alphanumeric
- Password history min 4
- Password expiry at max 90 days
Application should not use the “SA” user within its configuration connection string to the DB, as it needs to use its own user | Yes, Application uses own APPS user
DB default ports need to be changed | Configurable
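The salted SHA-256 row above, together with the password policy rows in this section and the "last four passwords" and "change on first use" rows under Access control, describe one credential-handling routine. The following is an added example (not code from the vendor or the questionnaire) implementing it: per-user random salt, an iterated SHA-256 construction (PBKDF2-HMAC-SHA256 from the Python standard library rather than a single SHA-256 call, since the iteration count is what makes offline guessing expensive), a complexity check parameterised for the 8-character application policy and the 7-character DB policy, history depth of four, and a self-service change that requires the old password. The iteration count, function names and sample passwords are assumptions made for this illustration.

```python
# Added example, not part of the questionnaire: salted, iterated SHA-256 password
# storage plus the checks behind the password policy rows. Constants and sample
# passwords are constructed for illustration.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 600_000   # assumption: PBKDF2 iteration count chosen for this example
SALT_BYTES = 16        # fresh random salt per user
HISTORY_DEPTH = 4      # reject any of the last four passwords


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex'; a new random salt is drawn unless one is supplied."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def complexity_ok(password: str, min_length: int) -> bool:
    """Alphanumeric policy: minimum length plus at least one letter and one digit."""
    return (len(password) >= min_length
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def password_change_allowed(new_password: str, history: List[str],
                            min_length: int = 8) -> Tuple[bool, str]:
    """history holds stored hashes, newest first; app policy 8 chars, DB policy 7."""
    if not complexity_ok(new_password, min_length):
        return False, "complexity"
    for stored in history[:HISTORY_DEPTH]:
        if verify_password(new_password, stored):
            return False, "reuse"
    return True, "ok"


def change_password(record: dict, old_password: str, new_password: str,
                    min_length: int = 8) -> Tuple[bool, str]:
    """Self-service change: old password must verify; history keeps the last four hashes."""
    if not verify_password(old_password, record["history"][0]):
        return False, "old password rejected"
    ok, reason = password_change_allowed(new_password, record["history"], min_length)
    if not ok:
        return False, reason
    record["history"] = [hash_password(new_password)] + record["history"][:HISTORY_DEPTH - 1]
    record["must_change"] = False   # clears the first-use / post-reset flag
    return True, "ok"
```

Because the history holds only salted hashes, the reuse check has to re-derive the candidate password under each stored salt; that is four PBKDF2 runs per change attempt, which is acceptable for an interactive password change but is why the history depth is bounded.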
