PMT ITC-002 Basic Application Security Control Checklist 16112021

HONG LEONG BANK BERHAD
INFORMATION TECHNOLOGY DIVISION
ITC-002
CHECKLIST FOR BASIC SECURITY CONTROL REQUIREMENTS
- PROJECT AND APPLICATION LEVEL
Version 2.9
Version No. : v2.9 (FINAL)
Effective Date: 15 Jun 2020

Project : Project Management Tracker ITR SR92184
Date : Nov 2020
Machine/Server : ___________________________________ (fill in one for each machine)
Server Location : PJC / WHL / Vendor premise (delete where not applicable)
Team Leader : __________________ Signature : ___________________
SSO In-Charge : __________________ Signature : ___________________

Note #1 :
This checklist guides the project team through the standard security requirements that must be complied with before implementation. It should not be treated as a detailed security requirement specification.

Note #2 :
The controls listed below are the standard, basic controls. There could be other control areas which should be considered and applied where applicable. Vendors and project team members should highlight any other relevant security requirements they know of for review and compliance. Such additional controls can be added to this checklist for follow-up purposes.

Columns recorded for each control below :
- No. / Control Requirement
- Can be Complied? (Y/N) : to be filled in by the vendor at project initial stage. Pls justify in detail each of your responses.
- Control Fulfilled? : to be filled in by SSO prior to UAT and Production implementation. Pls justify if cannot comply.
- Other remarks

1. Physical Separation of Environment
The development, testing and production environments should be kept separated via physically separate environments.

Can be Complied? : No. Since the Atlassian Jira software is being used as a SaaS, the DEV, TEST and PROD environments will be maintained in the Cloud. They are not physically separate.
Control Fulfilled? : Yes, 3 instances can be created.
Other remarks :
GITS: Is it that in the cloud you have the three environments there?
Building security into our network architecture: Atlassian practices a layered approach to security for our networks. We implement controls at each layer of our cloud environments, dividing our infrastructure by zones, environments, and services. We have zone restrictions in place that include limiting office/staff, customer data, CI/CD and DMZ network traffic. We also have environment separation to limit connectivity between production and non-production environments, and production data is not replicated outside of production environments. Access into production networks and services is only possible from within those same networks – e.g. only a production service can access another production service.

2. Standard Account and Password Policy Settings
The application should provide a screen to maintain the following settings. Ensure settings/values can be changed at any time.

Account/Password Policy :
a) Min Length = 8 alphanumeric
   Note :
   - To force a combination of alphabet and digit.
   - To also allow acceptance of symbols and upper- and lower-case alphabet characters.
   - Whenever permissible, to enforce min length = 12.
b) Min Password Age = 0 day
c) Max Password Age = 90 days
d) Password Expiration Warning Message = x days
   Note : The message should appear x days before the actual expiration date and inform the expiration date.
e) Password History = max or 24
f) Unsuccessful Log-on Attempts Allowed = 3
g) All passwords must be force-changed after each reset by the ID administrator.
h) Set dormancy of IDs to x days, i.e. if an ID is inactive for x days, the ID will be disabled automatically. To provide a feature to delete disabled IDs manually. Please explain how the application checks for dormant IDs. (Refer ITSOP 6.2.5.6(x), which states: suspend dormant ID at 30 days and remove after 90 days, wherever permissible.)

Note : It is mandatory for the application to integrate with Active Directory (AD) for password authentication.

Can be Complied? : Yes. As the existing HLB SSO will be extended to Atlassian Jira, HLB prevailing account and password policy settings will be continued as they are used in the bank systems today.
Control Fulfilled? : Yes, SSO can be configured.
Other remarks :
GITS: This app will be using SSO? Confirm?
Connect your identity provider to your Atlassian organization: Atlassian Access includes two features for connecting your identity provider: SAML single sign-on and user provisioning.
SAML single sign-on: If you'd like your users to authenticate through your company's identity provider when they log in to your Atlassian cloud products, you can set up SAML for single sign-on (SSO). SSO allows a user to authenticate with one set of login credentials and access multiple products during their session.
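The account and password policy of item 2, as an added reference implementation that is not part of the checklist or of Jira: a small Python policy engine applying the composition rule, minimum and maximum age with the dated expiry warning, the 24-entry history, lockout after 3 failed attempts and the 30/90-day dormancy rule. The warning window (x = 14 days) and the sample account are assumptions, and the demo data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib

@dataclass
class PasswordPolicy:          # item 2 values; warn_days (x) is an assumed value
    min_length: int = 8        # a) 8, or 12 wherever permissible
    min_age_days: int = 0      # b)
    max_age_days: int = 90     # c)
    warn_days: int = 14        # d) x days before expiry
    history_size: int = 24     # e)
    max_failed: int = 3        # f) unsuccessful log-on attempts allowed
    dormant_suspend: int = 30  # h) ITSOP 6.2.5.6(x): suspend at 30 days
    dormant_remove: int = 90   # h) remove at 90 days

@dataclass
class Account:
    user_id: str
    password_set_on: date
    last_login: date
    failed_attempts: int = 0
    status: str = "active"
    history: list = field(default_factory=list)  # digests of previous passwords

def pw_digest(pw):  # history keeps digests, not clear text (demo; real storage is salted PBKDF2)
    return hashlib.sha256(pw.encode()).hexdigest()

def check_new_password(policy, acct, new_pw, today):  # returns violations; [] = accepted
    errs = []
    if len(new_pw) < policy.min_length:
        errs.append(f"shorter than {policy.min_length}")
    if not (any(c.isalpha() for c in new_pw) and any(c.isdigit() for c in new_pw)):
        errs.append("needs both letters and digits")  # symbols and mixed case stay allowed
    if pw_digest(new_pw) in acct.history[-policy.history_size:]:
        errs.append(f"reused within last {policy.history_size} passwords")
    if (today - acct.password_set_on).days < policy.min_age_days:
        errs.append("changed too soon (min age)")
    return errs

def expiry_status(policy, acct, today):  # c) and d): 'expired', a dated warning, or 'ok'
    expires = acct.password_set_on + timedelta(days=policy.max_age_days)
    left = (expires - today).days
    if left <= 0:
        return "expired"
    return f"expires in {left} days on {expires}" if left <= policy.warn_days else "ok"

def record_login_attempt(policy, acct, success):  # f) lock after allowed consecutive failures
    acct.failed_attempts = 0 if success else acct.failed_attempts + 1
    if acct.failed_attempts >= policy.max_failed:
        acct.status = "locked"
    return acct.status

def dormancy_action(policy, acct, today):  # h) housekeeping sweep over last-login dates
    idle = (today - acct.last_login).days
    return ("remove" if idle >= policy.dormant_remove
            else "suspend" if idle >= policy.dormant_suspend else "none")

def run_checklist_demo():  # constructed walk-through on one sample account (not real data)
    policy, today = PasswordPolicy(), date(2020, 12, 20)
    acct = Account("staff01", password_set_on=date(2020, 10, 1),
                   last_login=date(2020, 10, 20), history=[pw_digest("Autumn2020")])
    return {
        "too_short": check_new_password(policy, acct, "Ab1", today),
        "reused": check_new_password(policy, acct, "Autumn2020", today),
        "accepted": check_new_password(policy, acct, "Winter2020!", today),
        "expiry": expiry_status(policy, acct, today),
        "lock_sequence": [record_login_attempt(policy, acct, False) for _ in range(3)],
        "dormancy": dormancy_action(policy, acct, today),
    }
```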
3. Control on Application Super ID
The password for the super ID should be changed prior to production and controlled by IT Security. Its password should be split into two and held by independent custodians. Functions performed by this ID should be split by creating less powerful IDs.

Can be Complied? : Yes, if the same is used with the HLB SSO/IAM systems. As the existing HLB SSO will be extended to Atlassian Jira, HLB prevailing account and password policy settings will be continued as they are used in the bank systems today.
Control Fulfilled? : Yes, if the same is used with the HLB SSO/IAM systems.
Other remarks :
GITS: The user ID is using email ID to login or staff domain ID?
GITS: Any super ID or administrator ID here?

4. System Supplied ID or Default IDs not to be used
System supplied IDs or default IDs in software components (e.g. sa, root, etc.) should not be used in the application.

Can be Complied? : Yes. As the existing HLB SSO will be extended to Atlassian Jira, HLB prevailing account and password policy settings will be continued as they are used in the bank systems today.
Control Fulfilled? : As the existing HLB SSO will be extended to Atlassian Jira, HLB prevailing account and password policy settings will be continued as they are used in the bank systems today.
Other remarks :
GITS: What are the supplied or default IDs used? Please specify, and what are their access rights?
Reply: Default are those already prevalent in the Bank, whereas the supplied would be the ones created specifically. The access rights are as previously configured.

5. Passwords for Application/Vendor Supplied ID or Default IDs to be changed
Should allow passwords for such IDs to be changed at any time.

Can be Complied? : Yes. If this exists with the current HLB system, the same will be followed as HLB SSO will be extended to Atlassian Jira too.
Other remarks :
GITS: What are the supplied or default IDs used? Please specify, and what are their access rights?
Reply: If this exists with the current HLB system, the same will be followed as HLB SSO will be extended to Atlassian Jira too. The default IDs, if configured, will have the same access rights as decided for the Atlassian Jira site.

6. Grant Access on Need-to Basis
For segregation of duties, different IDs should be created and granted access based on job functions as defined in the user access matrix. There should be segregation of duties between ID administrator and operations.
Main Deliverables :
- User Access Matrix to be developed before UAT
- User access matrix report must be able to be generated from the application
- User Access Matrix must be signed off prior to cutover
- Different IDs to be created and tested during UAT
Refer to item 4 in Appendix A for further details.
All parties must be trained and ready to perform the following job functions :
- Security/ID administrator
- Application support
- Operator

Can be Complied? : Yes. If this exists with the current HLB system, the same will be followed as HLB SSO will be extended to Atlassian Jira too.
Other remarks :
GITS: Please provide the draft UAM.
Reply: As in the attached document given below.

7. No Sharing of ID
IDs cannot be shared, for accountability reasons. Every ID must have an owner; common IDs are to be removed/disabled, e.g. the Guest account on the Windows platform.

Can be Complied? : Yes. This requirement will be followed in similar lines with the existing HLB SSO system. Note: The understanding and discussion on the existing system with HLB need to be done.

8. Audit Logging on Sensitive IDs
To create audit logs which can capture the activities of each sensitive ID and of all users. Should provide flexibility in selecting IDs to be logged.
Examples of sensitive IDs include :
- ID Administrator
- Super ID
- Parameter setter/Configuration setter
- IT Support ID
More information will be provided when the project starts.
Refer to item 3 in Appendix A for further details.

Can be Complied? : Yes. The audit log tracks key activities that occur from your Atlassian organization and across your organization's sites. The audit log includes activities for up to 180 days. These logs can be exported periodically. Find below sample audit log:
Other remarks :
GITS: Please provide the sample log. Does it have all the items in Appendix A item 3?
Reply: As given in attachment below. Further details can be found at the following URL: https://support.atlassian.com/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/

9. Report required for housekeeping of IDs
To create a report listing IDs not used for X months. Should provide flexibility in defining value X. More information will be provided when the project starts.
Refer to item 1 in Appendix A for further details.

Can be Complied? : Yes. One can go to the User Management section under Settings to see a list of all users. One can change the filter at the top from All Users to Has site access to see active persons. To see their activity, you can create a Dashboard with the Activity Stream gadget to see the activity being generated. One could use a filter for a group of users, or individuals, to see what they have been doing recently.
Other remarks :
GITS: Please provide the sample log. Does it have all the items in Appendix A item 1?
The attachment is too small, cannot see.

10. Logging of Unsuccessful Log-in Attempts
Unsuccessful login attempts should be logged and retrievable by the ID administrator at any time.
Refer to item 2 in Appendix A for further details.

Can be Complied? : Yes. You can view the information from the user sessions under Security on the JIRA Administration page and download.
Other remarks :
GITS: Please provide the sample log. Does it have all the items in Appendix A item 1?
To help protect your Atlassian account, we have a security measure in place that will lock your account after multiple, consecutive failed login attempts.
I've been locked out of my account after I failed to log in multiple times. What can I do? When your account was locked, we sent an email with instructions on how to unlock it. Follow the instructions in that email to regain access to your account.
I haven't received an email to unlock my account. Please contact Atlassian Support and we'll send another recovery email to the address associated with your Atlassian account.
I received an email telling me that my Atlassian account has been locked after multiple failed logins. This wasn't me. Why did I get this and what does it mean? Do not unlock your account. The email that you received is a security measure to let you know that someone has attempted to log in to your Atlassian account, and we protected it. The IP address associated with the login attempts has been locked out. You can continue to log in like normal from the devices that you normally use. However, if you are still concerned, we recommend that you reset your password.
Need more information? If you still have concerns or need any further information, contact Atlassian Support.
The attachment is too small, cannot see.

11. Auto-Logout
To auto-logout users when terminals are idle for x minutes. To provide flexibility in defining value x.

Can be Complied? : Yes
Control Fulfilled? : NO
Other remarks :
GITS: Please provide where you set the settings.
Jira Software: There is a provision in the Jira Software product to update the idle session duration for managed accounts.
To select an idle session duration from an authentication policy:
1. Navigate to Authentication policies at admin.atlassian.com.
2. Select Edit for the policy you want to modify.
3. On the Settings page, select the length of time for Idle session duration.
When you save changes to the session duration, users don't get logged out of their accounts. The new idle session duration will apply the next time a user logs in.

12. No Simultaneous Sign-on
Do not allow any user to conduct multiple simultaneous online sessions, such as logging in to multiple terminals concurrently, in order to effectively establish accountability.

Can be Complied? : Yes
Control Fulfilled? : NO
Other remarks :
GITS: Please provide where you set the settings.

13. No Hard-Coding of Sensitive Information
Hard-coding of sensitive information (e.g. ID, password, PIN, security key, passcode, passphrase etc.) in source programs must be avoided.

Can be Complied? : Yes. Hard coding sensitive information, such as passwords, server IP addresses, and encryption keys can expose the information to attackers. Anyone who has access to the class files can decompile them and discover the sensitive information. ... Consequently, programs must not hard code sensitive information.
Other remarks :
GITS: Is there any password saved anywhere in the system or application?
Reply: Users are stored in the cwd_user table of Jira's database. Passwords are stored in the Credential column of the table and are hashed. Jira uses a password encoder called atlassian-security which is a wrapper around Bouncy Castle's implementation of PKCS #5 v2.0 (aka PBKDF2) utilizing a random 16-byte salt and 10,000 iterations, which results in a 256-bit hash. This salted PKCS5S2 implementation is provided by Embedded Crowd. You may read this community post on password security from one of our Crowd developers for more details.

14. Sensitive Information to be Encrypted
Sensitive information (especially PIN, password, security key, etc.) must be encrypted and protected by access controls during transmission and storage. The display and printing of such sensitive information (if required) should be suppressed or masked. Hardware encryption is to be deployed for highly sensitive/exposed systems, e.g. Internet-based systems. The encryption system should be designed such that no single person has full knowledge of any single encryption key.

Can be Complied? : Yes. The purpose of data encryption is to protect digital data confidentiality as it is stored on computer systems and transmitted using the internet or other computer networks. ... These algorithms provide confidentiality and drive key security initiatives including authentication, integrity, and non-repudiation.
Other remarks :
GITS: What items are encrypted and what algorithm is being used?
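The password storage described in the item 13 reply (salted PBKDF2 with a random 16-byte salt, 10,000 iterations and a 256-bit output), which is also what item 14 asks about for stored passwords, as an added example that is not Atlassian's atlassian-security/PKCS5S2 code: hashing, constant-time verification and a check that lets older records be upgraded, in Python. The PRF inside PBKDF2 is not stated on the page; HMAC-SHA256 is assumed here.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 16        # random 16-byte salt per password (from the item 13 reply)
ITERATIONS = 10_000  # iteration count (from the reply)
DKLEN = 32           # 256-bit derived hash (from the reply)
PRF = "sha256"       # assumption: the page does not name the hash function used in PBKDF2

def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2$<prf>$<iterations>$<salt>$<hash>."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, ITERATIONS, DKLEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2${PRF}${ITERATIONS}${b64(salt)}${b64(dk)}"

def verify_password(password, record):
    """Re-derive with the stored salt and iterations, then compare in constant time."""
    try:
        scheme, prf, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False            # malformed record: treat as a failed match
    if scheme != "pbkdf2":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, int(iters), len(expected))
    return hmac.compare_digest(dk, expected)

def needs_rehash(record, min_iterations=ITERATIONS):
    """True when a record was stored with fewer iterations than current policy,
    so it can be re-hashed at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 5 or not parts[2].isdigit() or int(parts[2]) < min_iterations
```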
15. Avoid Installation Using Super IDs
Where possible, avoid installing software components and applications using super IDs (e.g. root or administrator IDs). This is to avoid the situation where resources are owned by the super ID and super ID capability is required during support and operation of the system.

Can be Complied? : Yes
Other remarks :
GITS: What ID is being used for installation?
Reply: Installation of JIRA cloud is not applicable in local machines or local servers managed by HLB, through cloud or locally. Currently the super user of JIRA is used to create the projects and for administration activities. No HLB super user is used for any kind of installations.

16.
Avoid starting/running a service or application using an ID with super user rights (e.g. Windows-based systems used to run services using the administrator ID).

Can be Complied? : Yes
Other remarks :
GITS: What ID is being used for services?
Reply: This is not applicable for the JIRA cloud application, as the complete control of running any services is handled by the Atlassian team only.

17. Security Patches
Ensure that the latest security patches for all components (e.g. database, web server, application server etc.) in the whole application system are being applied and tested. Please state the patch release version. Please print-screen the system setting for record.

Can be Complied? : Yes. As the application is used as SaaS, all the security patches will be managed by Atlassian. They will update all the subscribers with the patch updates.
Other remarks :
GITS: What version is being deployed?

18. Identity Governance and Administration (IGA) Integration
The application must be able to integrate with the bank's IGA for ID administration automation tasks. Please refer to the attached IGA Integration Requirement document and fill it up accordingly.

Can be Complied? : Yes. Please find attached SSO and IGA configuration guide: Jira SSO IGA guide.pdf
Other remarks :
GITS: Have they discussed with brightnexus on this? The document cannot open.
Please complete the IGA integration requirement: HLB_IGA_Integration_Requirement_v1.0_App_Sec_Checklist1.docx

19. Customer and/or other Sensitive/Confidential Data Downloading (To be replied by business owner)
This is to review and identify any customer and/or sensitive/confidential data download, reporting or data export feature within the application. If such a feature is required, please fill up the attached template for review and sign-off. Proper controls must be in place if there is any customer and/or sensitive/confidential data download.
Attached template: Downloading Customer Information.xlsx

Can be Complied? : No. There will be no customer and/or sensitive/confidential data download feature in the application.

Appendix A: GITS Requirements
On top of the requirements in the Application Security Checklist, we also have the below requirements. We may have more requirements after we review the application during the UAT.

1. To provide a screen at the front end to generate a user ID listing report in Excel format.
   This screen should have the below filtering criteria for report generation:
   - User Group
   - Status (e.g. active, locked, dormant etc.)
   This user ID listing report needs to have the below fields:
   - User login ID
   - User Name
   - Status (e.g. active, locked, dormant etc.)
   - User Group
   - Branch (if applicable)
   - Last Login Date
   - Creation date

2. To provide a screen at the front end for us to generate the unsuccessful login attempt report in Excel format.
   This screen should have the below filtering criteria for report generation:
   - IP address
   - Date
   - User ID
   This unsuccessful login attempt report needs to have the below fields:
   - Date & Time
   - User ID
   - User Name
   - Reason for unsuccessful login
   - IP address of the workstation

3. To provide an audit log screen (at the front end) with audit log report generation in Excel format. The audit log should capture all the activities performed by the ID administrator. This audit log screen should have the below filtering criteria for online query and report generation:
   - Date
   - User ID
   - Types of changes
   - Status (Successful / Failed)
   The audit log report should capture all the activities performed by the ID administrator with the below fields:
   a. Date & Time
   b. User ID
   c. User Name
   d. Types of changes
   e. Status (Successful/Failed)
   f. Before image of the changes
   g. After image of the changes

4. To provide a screen for us to generate the user access matrix report in Excel format. This report should list all the menus tagged under a role/group in the system. This screen should allow us to generate the user access matrix report by selecting one role, multiple roles or all roles.
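Appendix A item 3 (an ID-administrator audit log carrying the before and after image of each change, queried by Date, User ID, Types of changes and Status), as an added Python example that is not part of the checklist or of Jira: a minimal user directory that audits every administrator action, the online query, and a flattening of entries into the seven report columns. The class names, field names and sample activity are constructed; writing the rows to a spreadsheet is left to the caller.

```python
import copy
import json
from dataclasses import dataclass
from datetime import datetime, date
from typing import Dict, List

@dataclass
class AuditEntry:
    timestamp: datetime   # a. Date & Time
    admin_id: str         # b. User ID of the ID administrator acting
    admin_name: str       # c. User Name
    change_type: str      # d. Types of changes
    status: str           # e. Successful / Failed
    before: dict          # f. Before image of the change
    after: dict           # g. After image of the change

class UserDirectory:
    """Minimal user store in which every ID-administrator action is audited."""
    def __init__(self):
        self.users: Dict[str, dict] = {}
        self.log: List[AuditEntry] = []

    def _record(self, when, admin, change_type, status, before, after):
        # Deep copies so later edits to a user record cannot rewrite a stored image.
        self.log.append(AuditEntry(when, admin[0], admin[1], change_type, status,
                                   copy.deepcopy(before), copy.deepcopy(after)))

    def create_user(self, when, admin, user_id, record):
        status = "Failed" if user_id in self.users else "Successful"
        after = {"user_id": user_id, **record}
        self._record(when, admin, "create_user", status, {}, after)
        if status == "Successful":
            self.users[user_id] = after
        return status == "Successful"

    def update_user(self, when, admin, user_id, changes):
        """Apply field changes; an unknown user is logged as a Failed attempt."""
        before = self.users.get(user_id)
        if before is None:
            self._record(when, admin, "update_user", "Failed", {}, changes)
            return False
        after = {**before, **changes}
        self._record(when, admin, "update_user", "Successful", before, after)
        self.users[user_id] = after
        return True

    def query(self, on: date = None, admin_id=None, change_type=None, status=None):
        """Online query using the appendix filters: Date, User ID, Types of changes, Status."""
        return [e for e in self.log
                if (on is None or e.timestamp.date() == on)
                and (admin_id is None or e.admin_id == admin_id)
                and (change_type is None or e.change_type == change_type)
                and (status is None or e.status == status)]

def report_rows(entries):
    """Flatten entries into the seven report columns (images as JSON text)."""
    return [[e.timestamp.strftime("%Y-%m-%d %H:%M:%S"), e.admin_id, e.admin_name,
             e.change_type, e.status, json.dumps(e.before, sort_keys=True),
             json.dumps(e.after, sort_keys=True)] for e in entries]

def build_sample_directory():
    """Constructed sample activity (not real bank data)."""
    d = UserDirectory()
    adm = ("adm01", "ID Administrator One")
    d.create_user(datetime(2020, 11, 2, 9, 0), adm, "u1001",
                  {"name": "Staff A", "group": "PMT-User", "status": "active"})
    d.update_user(datetime(2020, 11, 2, 9, 5), adm, "u1001", {"group": "PMT-Admin"})
    d.update_user(datetime(2020, 11, 3, 10, 0), adm, "u9999", {"status": "locked"})
    return d
```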
********************************* End Of Document ************************************