Professional Documents
Culture Documents
A.14.1.A Appendix Specification of Information System Requirements
A.14.1.A Appendix Specification of Information System Requirements
Has the data to be processed been classified according to Information Classification Policy? (Public,
Internal, Confidential, Secret)
If so, please confirm the classification:
Have an information asset owner and manager been identified and engaged?
Please, detail:
Where will production and test data likely be stored? (check all that apply)
☐ On server(s) managed by Internal IT Services (ITS)
☐ On AWS managed by Kinexon
☐ On Cloud/server(s) managed by a third party
Please summarize:
Has consideration been given to the security requirements for hosting?
Please summarize:
Significant assurance can be taken from the presence of current and suitably scoped certifications: ISO
27001 for information security management; ISO 22301 for business continuity management; ISO 27017
for cloud security; …
Has the retention and deletion of processed data been taken into account?
Please summarize:
Does the project involve the migration of data from one system to another?
Please summarize:
Migration offers a unique opportunity to apply retention and disposal principles and mitigate information
risk by reducing the amount of data migrated.
What data entry method(s) will be used? (check all that apply)
☐ End user input via Web interface
☐ End user input via client application
☐ File(s) transferred from other system(s)
☐ Other – please specify:
Will copies of data be transmitted out of the technology or service?
If so, what transmission method(s) will likely be used? (check all that apply)
☐ Electronic file transfers to other information systems within Kinexon
☐ Electronic file transfers to entities external to Kinexon
☐ Output to spreadsheets/databases created by users of the IT product or service
☐ Other – please specify:
For each method checked, briefly describe the purpose of the data transmission:
What groups or individuals external to Kinexon will have access to the technology or service?
Please detail below, considering all likely scenarios; e.g. normal use, support, compliance activity.
Has access control – authentication, authorization, and auditing – been included in testing?
Please summarize:
Has secure operation of the system been included in user training and guidance as necessary?
Please summarize:
SECTION 4: Third party services Y/N
Will the project use third party services (for example, development, business analysis, project
management, HR, another consultancy)?
Please summarize:
Third party services must meet Kinexon security standards. Where they reference certifications or
accreditations, these should be checked. Consideration should be given to ongoing audit of security.
Will the deployed system use third party services for hosting?
Please summarize, referencing any standards claimed or required, availability SLAs required, geographical
location of the data center:
Will the deployed system use third party services for data processing?
Please summarize, referencing any standards adhered to:
Will the deployed system use third party services for support?
Please summarize, referencing any standards adhered to, SLAs required:
Does this require a dedicated remote access solution, or access to Kinexon monitoring systems?
Please summarize:
Are security perimeters (barriers, walls, entrance gates with card access control, or checkpoints)
used to protect areas containing information and information processing resources?
Please summarize:
Are secure areas protected by appropriate entry controls to ensure that only authorized personnel
are allowed access?
Please summarize: -
Have physical security measures been designed and implemented for offices, offices and facilities?
Please summarize:
Is physical protection against damage caused by fire, flood, earthquake, explosion, ... and other
forms of natural or man-made disasters designed and implemented?
Please summarize:
Have physical protection and guidelines for working in the secure areas been designed and
implemented?
Please summarize:
Are access points such as loading and unloading areas and other points through which unauthorized
personnel can gain access to the facilities controlled and, if possible, are these points isolated from
the data processing facilities to prevent unauthorized access?
Please summarize:
SECTION 7: Equipment located outside the organization’s premises Y/N
Is there a pre-authorization process, without which equipment, information or software must not
leave Kinexon's premises? (check all that apply)
☐ Employees and external party users who have authority to permit off-site removal of assets should be
identified.
☐ Time limits for asset removal should be set and returns verified for compliance.
☐ Where necessary and appropriate, assets should be recorded as being removed off-site and recorded
when returned.
☐ The identity, role, and affiliation of anyone who handles or uses assets should be documented and this
documentation returned with the equipment, information or software.
Please summarize:
Are security measures applied to equipment located outside the organization's premises, taking into
account the different risks involved in working outside the organization's premises? (check all that
apply)
☐ Equipment and media taken off premises should not be left unattended in public places.
☐ Manufacturers’ instructions for protecting equipment should be observed at all times, e.g. protection
against exposure to strong electromagnetic fields;
☐ Controls for off-premises locations, such as home-working, teleworking and temporary sites should be
determined by a risk assessment and suitable controls applied as appropriate, e.g. lockable filing cabinets,
clear desk policy, access controls for computers and secure communication with the office;
☐ When off-premises equipment is transferred among different individuals or external parties, a log
should be maintained that defines the chain of custody for the equipment including at least names and
organizations of those who are responsible for the equipment.
Please summarize: