| # | Requirement | | Complies? Yes/No | Comments |
|---|---|---|---|---|
| 1 | The solution must require users to individually log in to the system with a uniquely identifiable username and password. | M | Yes | Minimum password length is 8 characters. The password policy requires upper-case and lower-case letters, numbers and special characters. After 3 unsuccessful attempts the account will be locked. Passwords can be reset via email. Multi-factor authentication is supported. |
| 2 | The solution must be compatible with the latest version of the Microsoft Internet Explorer web browser. | M | Yes | Microsoft IE is fully supported. For the best user experience, we recommend the use of Chrome, Edge or Firefox. |
| 3 | The solution must be compatible with the latest version of the Microsoft Edge web browser. | M | Yes | The Microsoft Edge web browser is fully supported. |
| 4 | The solution must be compatible with Microsoft Windows 7, 10 and any future releases of the Microsoft Windows Operating System. | M | Yes | As a browser-based application, ISO Manager is compatible with all modern operating systems, including Microsoft Windows 7 and 10. It is actively developed and will continue to support future releases of the Microsoft Windows Operating System. |
| 5 | The solution should be compatible with the latest version of the Google Chrome web browser. | HD | Yes | The Google Chrome web browser is fully supported and recommended. |
| 6 | The solution must encrypt information and data in transit. Encryption protocols and ciphers must meet the requirements of the Queensland Government Data Encryption Standard. | HD | Yes | ISO Manager mandates TLS 1.2. It fully supports encryption of data at rest and in transit. |
| 7 | The solution should support API integration to other systems (for example, iServer, ServiceNow). This will be used to import information assets from our enterprise architecture solution into the ISMS assurance solution. | HD | Yes | ISO Manager supports API integration to other systems and is actively developing a range of connectors. Development costs may apply for systems without an active connector. Custom asset import requirements can be factored in at implementation time. |
| 8 | The solution should support federated identity management and authentication using SAML for single sign-on. | HD | Yes | ISO Manager supports federated identity management and authentication using SAML 2.0 for single sign-on (e.g. Okta). |
| 9 | The solution should support multi-factor authentication for users connecting from outside of ’s internal computer network. | HD | Yes | Duo (OTP), email and Google Authenticator are supported out of the box; others can be integrated upon request. |
| 10 | The solution, including application, database and underlying operating system(s) hosting electronic information, should be scanned monthly for security vulnerabilities. | HD | Yes | ISO Manager is hosted on customer-dedicated Windows Server 2019 platforms with a fortnightly patch cycle. A range of vulnerability scanning tools (including Qualys) are run daily to check for vulnerabilities. The platform’s Web Application Firewall and anti-malware platforms are updated daily. Access to the platform can also be limited to a range of IP addresses (IP whitelisting) if additional access restrictions are required. |
| 11 | Vulnerabilities should be scored against the Common Vulnerability Scoring System (CVSS 3.0). Where a vulnerability is scored 7.9 or higher (up to a total of 10) the security vulnerability needs to be patched / mitigated within 48 hours. Security vulnerabilities lower than 7.9 need to be patched / mitigated within 1 month of identification. | HD | Yes | ISO Manager will provide vulnerability patches according to the SLA defined in the contract. Product and platform vulnerabilities are remediated rapidly according to our Patch Management policy and SLAs. |
| 12 | should have the right to undertake annual system penetration testing of the solution when required; alternatively, the supplier should agree to undertake annual system penetration testing of the entire solution. | HD | Yes | ISO Manager conducts penetration testing at least once a year (or on each major release) with an independent contractor. Additional penetration tests are done several times a year by ISO Manager clients from different business sectors according to their requirements. ISO Manager is happy to grant , permission (at a mutually agreed date/time) to conduct non-destructive penetration testing on their ISO Manager Australian instance. We do note that penetration testing can potentially cause availability issues where not properly conducted and should only be carried out within agreed parameters. |
| 13 | The supplier agrees to allow to ingest system security logs into our threat intelligence platform. Alternatively, the supplier should monitor logs via their own SIEM / threat intelligence solution. | HD | Yes | ISO Manager Australia (Gadget Access) agrees to allow to ingest logs into a threat intelligence platform as required, and already monitors logs via our own SIEM. |
| 14 | should be notified within 8 hours of suspected or confirmed information security incidents and data breaches. Information security incidents and data breaches must be defined within the agreement. | HD | Yes | ISO Manager Australia (Gadget Access) will notify of any security incident that has the potential to impact the Confidentiality, Integrity or Availability of ’s data within 8 hours. A full PIR and investigation will be conducted for any incident that materially impacts data confidentiality or integrity. Availability issues (e.g. emergency server patching) will be notified immediately wherever possible. |
| 15 | The solution should comply with the requirements of the: Queensland Government Information Security Policy; International information security standard ISO/IEC 27001:2013; Australian Signals Directorate’s ‘Essential 8’ controls to mitigate Cyber Security Incidents; Queensland Government Information Security Classification Framework; Queensland Government Data Encryption Standard; Queensland Government Authentication Framework; and OWASP Top 10. | HD | Yes | The solution is designed to meet the requirements of Australian and international businesses and has been customised to specifically meet the needs of Queensland businesses. The guidance of the ASD and OWASP has featured in design and testing decisions. Encryption meets the requirements of the QLD Govt. Data Encryption Standard. Pentesting and secure code development are conducted against the OWASP Top 10 and OWASP ASVS. |
| 16 | The solution should include the ability to assign different access permissions and rights to different users. | HD | Yes | ISO Manager has granular (role-based) access control. Please see Annex 14. |
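Requirement 11 above sets two remediation clocks keyed on the CVSS 3.0 base score. The following is an added illustration of how a customer could track supplier findings against that clause; it is not ISO Manager's code. The finding identifiers and dates are constructed, and "1 month" is assumed to mean 30 days since the requirement does not define it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds from requirement 11: CVSS 3.0 base score >= 7.9 -> 48 hours,
# otherwise "1 month" (assumed here to be 30 days; the requirement does not define it).
CRITICAL_THRESHOLD = 7.9
CRITICAL_SLA = timedelta(hours=48)
STANDARD_SLA = timedelta(days=30)


@dataclass
class Finding:
    finding_id: str                    # constructed identifier, not from the page
    cvss: float                        # CVSS 3.0 base score, 0.0 to 10.0
    identified: datetime               # when the scanner first reported it
    remediated: Optional[datetime] = None


def remediation_deadline(finding: Finding) -> datetime:
    """Deadline implied by requirement 11 for this finding's score."""
    if not 0.0 <= finding.cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {finding.cvss}")
    sla = CRITICAL_SLA if finding.cvss >= CRITICAL_THRESHOLD else STANDARD_SLA
    return finding.identified + sla


def sla_status(finding: Finding, now: datetime) -> str:
    """met / breached for closed findings, open / overdue for unresolved ones."""
    deadline = remediation_deadline(finding)
    if finding.remediated is not None:
        return "met" if finding.remediated <= deadline else "breached"
    return "overdue" if now > deadline else "open"


def report(findings: List[Finding], now: datetime) -> Dict[str, str]:
    return {f.finding_id: sla_status(f, now) for f in findings}


# Constructed sample scan results; none of these are real findings.
SAMPLE = [
    Finding("F-1", 9.8, datetime(2021, 3, 1, 9, 0), remediated=datetime(2021, 3, 2, 12, 0)),
    Finding("F-2", 8.1, datetime(2021, 3, 1, 9, 0), remediated=datetime(2021, 3, 4, 9, 0)),
    Finding("F-3", 5.3, datetime(2021, 3, 1, 9, 0)),
    Finding("F-4", 4.0, datetime(2021, 1, 15, 9, 0)),
]
NOW = datetime(2021, 3, 10, 9, 0)

if __name__ == "__main__":
    for fid, status in report(SAMPLE, NOW).items():
        print(fid, status)
```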