London Borough of Hackney 3rd Party Information Security Requirements Gathering Form

Intended Audience: Anyone intending to provide a business application, or to host or process Council information away from the Council's ICT infrastructure (3rd Party)
Document Authority: LBH Information Security Management Forum
Contacts for document: LBH Security Manager, André De Wet
CDM Reference: 5281732
Version information: This version published July 2012
Background
London Borough of Hackney Information Security is required to assess the adequacy of security controls for all applications/systems/projects/services that host or process LBH data,
prior to those systems going live, after a major change, or at regular intervals. Increasingly those systems are hosted by third party organisations, off our network.
About this form
You've been asked to fill in this form because you are involved in planning a new application/system, managing an existing system, or planning to make a major change to a system which
processes/hosts Council data outside of the Council network. The information provided will be reviewed at regular intervals for operational systems.

Where technical expertise is required, we expect relevant technicians to be consulted to provide accurate answers.

The answers should be provided by a combination of staff from the third parties involved, and the internal Council staff responsible for the project, depending on where the necessary
understanding resides.

Where the system is not affected by questions in this form, you are at liberty to mark these N/A, but please detail why you believe these are not applicable.

Once you have completed the form, please submit it to LBH ICT Security (ICTSecurity@hackney.gov.uk), who will review the form and ask further questions as required to complete
their review. Based on this review, London Borough of Hackney ICT Security may require additional controls/mitigations to be implemented as a condition for sign-off.

1. Summary information about system/project under review


1.1 Company Name (3rd Party to the Council)

1.2 Please enter your contact details and your role with this project or system: Name:
Telephone Number:
Mobile number:
email address:

Role:

Confidential when completed 1


1.3 Please detail the name of the London Borough of Hackney contact and their details. Name:
Telephone Number:
Mobile number:
email address:

Role:

1.4 Are you ISO 27001 compliant? If not, are you aiming to become ISO 27001 compliant,
and when by?

1.5 If the system, solution, project or development has a name, please indicate it here:

Has the system previously been known by another name?

1.6 Please advise if this system is part of a larger system or project and if so provide details
of the system or project. Is this system dependent on another system or project?

1.7 Please give an indication of how urgent the Information Security approval is and
indicate any critical decision dates:

1.8 (LBH internal question) Is a contract or Non Disclosure Agreement in place with the 3rd
party?

2. High-level details
2.1 Please give a very brief description of what the system is for and how it will work

2.2 Please describe the information/data that is stored/processed by the system.

(Provide detail of any personal data collected/processed (including name, email,


address, mobile, DOB, age, bank details, staff number, salary, NI number, next of kin,
images, nationality, race, gender, criminal record, religion, sex life, political
opinion/affiliations, IP addresses etc.)

Any personal data being held on behalf of the London Borough of Hackney is subject to
the Data Protection Act 1998.

State if you are registered as a data controller with the Information Commissioner's Office
(ICO) and provide the registration number.



2.3 Please can you supply us with a reasonably detailed diagram of the information flows
within the system and between it and other systems? Please provide details of the
systems, secure method of transmission and the type of data.
2.4 Please can you supply us with a high-level system diagram showing what equipment will
be used, where it is located and how it is inter-connected? (This can be the same
diagram as above if it covers both clearly.)

2.5 Is your requirement likely to need a name registered on the Internet? If Yes then provide
details of the registered domain name, who the registration authority is and certificate
expiry date.
2.6 Provide details of any other parties that the 3rd party will subcontract to. (Any other party
that will have access to the hosted system or data) What is the contract period for each
3rd party or sub-contractor?
2.7 What audit rights will the Council have in the contract with the supplier?
2.8 Will the data be shared with any other third parties? If so have you audited the third
parties to determine whether they have implemented appropriate security measures?

2.9 If the new system is replacing an older system then please explain how the data will be
securely destroyed or migrated.
2.10 The Council follows strict change management procedures. What change management
procedures are in place for this application and also with the Council?

2.11 (LBH Internal Question) Who in the Council will be responsible for controlling access to
the data after go-live? (e.g. who is the Information Asset Owner)

What data classification (protective marking) has been applied to this data?
2.12 (LBH Internal Question) What is this application's Business Impact Level, i.e. system
classification?

3. Operational Support Responsibilities Matrix


Most systems need to be operated, supported, maintained and repaired. What plans are in place to perform these functions?
For each infrastructure item below, give the support details and the name of the responsible organisation.
3.1 Physical hardware/data centre (Computers, network infrastructure, Power, UPS and
cooling)
3.2 Virtualisation support (where applicable)
3.3 Operating system Support
3.4 Database support (DBAs)
3.5 Application / Web application support (Code)
3.6 Application / Web application support (User Admin)
3.7 System & database backup



4. Information Security Policy (Comply? Yes/Partial/No)
4.1 Please provide a copy of your high level information security policy

(For very small organisations, a brief statement outlining your approach to information
security may suffice.)

4.2 If the body holding the data is a subcontractor to the body which has the contract with
the Council, can we please also have the Information Security Policy of the contracted
party?

4.3 Who are the owner(s) of your security policy? (names and positions please)

(Very small organisations: who is responsible for information security in your business?)
4.4 Is there a management body to ensure adequate information security, and if so who
chairs it (include job title)?
4.5 How is the Information Security Policy communicated to all staff?
4.6 Is the Information Security Policy regularly reviewed? When was the last time it was
amended?

5. Physical, Hardware and Network (Comply? Yes/Partial/No)
5.1 Where are the servers which will hold the Council's data?

all in the UK
some in the UK (where are the rest?)
none in the UK (where are they?)

5.2 How do you control physical access to your information processing facilities?

Are there physical entry controls to all areas holding Council data, consider:

Server rooms
Paper records
Backup facilities
Tape/disk storage

5.3 Will any hardware be stored outside of locked server rooms?


5.4 Will this system require the installation of any hardware devices on Council premises?

5.5 Please describe how Council data is kept logically and/or physically separated from
other users data?



5.6 What firewalls or network control measures (e.g. IDS) are in place to protect the
system/data?

Describe how you configure and maintain the above, and how the alerts they generate are monitored.

6. Software (including operating systems and databases) (Comply? Yes/Partial/No)
6.1 Please indicate what operating systems (including virtualisation environments) will be
running on the systems holding and processing Council data.
6.2 What process and procedures will be applied to remove unnecessary services from
running automatically on each of the operating systems (a process known as
hardening)?
6.3 Please outline your approach to security patching of operating systems and applications
that form part of the system.

Please confirm that critical and important security patches are up to date.
6.4 Please give details of any databases that form part of the system.
6.5 Please give details of any encryption applied to data at rest on the system (including
within database tables).

How will the keys be stored, transferred or revoked?


6.6 Please confirm that all pre-installed system account passwords have been changed from
their defaults.
6.7 Please outline any anti-malware (antivirus, etc) tools used to protect the system.

7. Access Control (Comply? Yes/Partial/No)
7.1 Please describe the logical access routes available to access this system, describing
how users and system administrators uniquely identify themselves.
(e.g. User login with password over web, Admin login over private network, at console,
remotely via VPN for support etc.)
7.2 Please state what password policy is in place for user and administrator accounts:

Password Minimum Length/Complexity


Password change interval
Password history
Account lockout (after invalid password entries)

Is a screen lock enforced after a set amount of user inactivity?

7.3 Please state what additional measures are in place to secure administrators accounts
with privileged access (e.g. stronger passwords, monitoring etc.)



7.4 How many people will be administrators and have the ability to make changes to the
system's functionality (e.g. add users, delete/modify/view confidential information,
change system configurations etc.)

7.5 Are there any generic logon accounts with access to Council data? If Yes then please
describe how you manage these accounts.
7.6 Have all those with access to Council data, whether staff, contractor or temporary, been
adequately vetted on recruitment?

Please describe any additional vetting carried out on system administrators with higher
levels of access.

7.7 Please describe the processes you have in place to manage system access accounts for
new joiners, movers and leavers. E.g. Revocation of rights, deletion of obsolete
accounts, approval of permissions etc.
7.8 Who is responsible for ensuring that logical access rights are up to date and maintained
to:

The operating system


The database
The application
7.9 How are security incidents managed and reported to the Council?

Are all those with access to Council data made aware of when and how to report
incidents?
7.10 What is the organisation's approach to those who commit security breaches?
7.11 If relevant, how do other applications or systems that need to gain access to the data
uniquely identify themselves?
7.12 How does the system enforce different levels of access to ensure users only have the
minimum level of access to data and functions needed for an individual to do their job?

7.13 Can you detect unauthorised access to Council data? If you do, what will you do with the
information obtained? Can you tell whether the data was viewed, altered or deleted?

7.14 What logs are kept of successful/unsuccessful usage attempts? How long are logs kept
for?
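Questions 7.2 (account lockout), 7.13 (detecting unauthorised access) and 7.14 (logging of successful and unsuccessful usage attempts) ask for evidence rather than a design, but a supplier answering them should be able to show that their logs actually support the controls they describe. The following added example is not part of the Hackney form or any supplier's system: it runs a simple lockout check over a handful of constructed authentication log lines. The log format (timestamp, user, result, source address), the threshold of 5 failures and the 15-minute window are assumptions; the logic is what a supplier's own review of their logs would need to reproduce.

```python
"""
Added example, not part of the Hackney form or any Council supplier's code.
Detects accounts that should have been locked out (question 7.2) from a
constructed authentication log, and flags successful logins recorded after
the lockout point, which would indicate the control is not enforced (7.13).
Log format, threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <OK|FAIL> <source address>"
SAMPLE_LOG = """\
2012-07-02T09:00:01 alice FAIL 10.1.2.3
2012-07-02T09:00:05 alice FAIL 10.1.2.3
2012-07-02T09:00:09 alice FAIL 10.1.2.3
2012-07-02T09:00:12 alice FAIL 10.1.2.3
2012-07-02T09:00:15 alice FAIL 10.1.2.3
2012-07-02T09:00:20 alice OK 10.1.2.3
2012-07-02T09:30:00 bob FAIL 192.0.2.7
2012-07-02T11:30:00 bob FAIL 192.0.2.7
2012-07-02T11:31:00 bob OK 192.0.2.7
2012-07-02T12:00:00 admin FAIL 198.51.100.9
2012-07-02T12:00:01 admin FAIL 198.51.100.9
2012-07-02T12:00:02 admin FAIL 198.51.100.9
2012-07-02T12:00:03 admin FAIL 198.51.100.9
2012-07-02T12:00:04 admin FAIL 198.51.100.9
2012-07-02T12:00:05 admin OK 198.51.100.9
"""


def parse_log(text):
    """Return a list of (timestamp, user, result, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        events.append((datetime.fromisoformat(ts), user, result, source))
    return events


def find_lockouts(events, threshold=5, window=timedelta(minutes=15)):
    """Map each account to the time it should have been locked: the moment
    its `threshold`-th failure within `window` arrives. A success clears the
    running count; failures older than the window drop out of it."""
    failures = defaultdict(list)
    lockouts = {}
    for ts, user, result, source in sorted(events):
        if user in lockouts:
            continue  # a correctly locked account rejects everything from here on
        if result == "OK":
            failures[user].clear()
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= threshold:
            lockouts[user] = ts
    return lockouts


def successes_after_lockout(events, lockouts):
    """Successful logins after an account's lockout time: if these appear in
    the log, the lockout described in the questionnaire is not enforced."""
    return [(ts, user, source) for ts, user, result, source in sorted(events)
            if result == "OK" and user in lockouts and ts > lockouts[user]]


def tally(events):
    """Per-user counts of successful and failed attempts (question 7.14)."""
    counts = defaultdict(lambda: {"OK": 0, "FAIL": 0})
    for _, user, result, _ in events:
        counts[user][result] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    locks = find_lockouts(evs)
    print("should be locked:", locks)
    print("logins after lockout:", successes_after_lockout(evs, locks))
    print("attempt counts:", tally(evs))
```

On the sample data alice and admin reach five failures inside the window and both then log in successfully, which is exactly the pattern a reviewer would want explained; bob's two failures are two hours apart and never count together. The retention question in 7.14 is answered by how far back such a check can be run.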

8. Disaster recovery, backups and data erasure (Comply? Yes/Partial/No)
8.1 If the system were to become non-operational as a result of an event that affected it (or
dependent systems), would this impact the ability of the Council to perform its normal
business functions? Please explain what business continuity and disaster recovery plans
are in place:



8.2 (LBH Internal Question) If the system is affected by an external event, how long can it be
unavailable before it causes significant disruption to Council operations?
8.3 What method will be put in place to secure archive historic material and data?
8.4 What methods will be put in place to securely back-up the system (and securely store
the back-ups)?
8.5 How will the system be restored (either from backup or a rebuild from scratch) to a
known working state?

And how has the restore process been tested?


8.6 If the contract with the LBH requires a high availability level (say 95% availability or
above), how do you secure against:

Power outage
Single points of failure
Unavailability of critical staff
Unsatisfactory maintenance of equipment
Failure of equipment or software

8.7 Provide details of your data retention policy


8.8 Please describe how Council data will be securely destroyed when no longer needed

9. Web Application Security (Comply? Yes/Partial/No)

If the system incorporates any web application functionality please complete this section. (If not please put N/A)
Understanding Data Flows / Interactivity
9.1 Please outline what the web application actually does (functionality etc)
9.2 Describe core user journeys / business processes.
9.3 What data does the web application store?
Does this include: personal data, children's data, confidential Council data etc.?
Technical
9.4 Where will the web application be hosted?
(Advanced365, Council premises or other Third Party hosting)
9.5 Are users of the application required to login?
Is this login over a secure link e.g. HTTPS?
9.6 Please describe any other data transfers / connections between users' browsers and the
web application?

e.g. Cookies, Form submissions etc

Please explain how these data transfers are secured in transit (e.g. HTTPS - SSL/TLS
etc)

9.7 Please describe the web application software operating environment.


(e.g. Linux, Apache, MySQL, PHP, Windows, IIS, .NET, SQL Server etc.)



9.8 Please outline your approach to identifying applicable security patches and applying
these to the web application software operating environment.

Please confirm that the operating environment is fully up to date in terms of critical and
important security patches.
9.9 The following list is the OWASP top ten list (2010 edition) of web application security issues:

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Please confirm what processes you have in place to minimise the risk of these issues
being present in your web application. (E.g. Developer training, code reviews etc.)
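The processes asked for in 9.9 (training, code review) are there to keep patterns like the first two items off the list out of the code. As an added example, not taken from the Hackney form or from any Council supplier's application, the following shows A1 Injection and A2 Cross-Site Scripting each as the vulnerable pattern beside its fix. The users table, its rows, the lookup and greeting functions and the payloads are all constructed for illustration; it uses Python's standard-library sqlite3 and html modules, but the distinction between splicing input into SQL or HTML and passing it as a bound parameter or escaped text applies to any language and database.

```python
"""
Added example, not part of the Hackney form or any Council supplier's code:
OWASP 2010 items A1 (Injection) and A2 (XSS), vulnerable pattern beside fix.
The users table, rows, functions and payloads are constructed for illustration.
"""
import html
import sqlite3


def make_db():
    """In-memory SQLite database holding a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    # Placeholder values: a real system stores salted password hashes here.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice", "user"), ("admin", "hash-of-admin", "admin")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """A1 Injection: the username is spliced into the SQL text, so a value
    such as  x' OR '1'='1  rewrites the WHERE clause and returns every row."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Fix: a bound parameter reaches the database as data, never as SQL,
    so the same payload simply matches no user."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def greet_vulnerable(name):
    """A2 XSS: user-supplied text is concatenated into HTML unescaped."""
    return "<p>Hello " + name + "</p>"


def greet_escaped(name):
    """Fix: escape for the HTML context before interpolating; quote=True also
    covers attribute values."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


INJECTION_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, INJECTION_PAYLOAD))     # both rows: injection succeeded
    print(lookup_parameterised(db, INJECTION_PAYLOAD))  # []: payload treated as a literal name
    print(greet_vulnerable(XSS_PAYLOAD))                # script tag reaches the browser
    print(greet_escaped(XSS_PAYLOAD))                   # rendered as text
```

A code review looking for these two items is mostly a search for string concatenation or formatting feeding a query or a template; the parameterised and escaped forms are what the reviewer expects to find instead.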

9.10 Please indicate whether any vulnerability scanning or penetration testing has been
carried out on the application?

If so please indicate any critical or significant findings from such reviews and how you
have addressed them.
9.11 Please outline the firewalling strategy for web application (attach a diagram if you have
one)
Hosting/Capacity
9.12 How have you ensured the data links to the web server are adequate for traffic volumes
anticipated?

Have you tested under anticipated load?
