Security Technical Specification

Project No.:
Document No.:
SECURITY TECHNICAL SPECIFICATION
Project name: insert project name
Release: Draft/Final
Date:
Author:
Project Director:
Project Champion:
Accountable Body:
Imperial College – Commercial in Confidence
106765746
insert project name
Date:
DOCUMENT HISTORY
Document Location
This document is only valid on the day it was printed.
The source of the document is:
Revision History
Revision date | Author | Summary of Changes | New Version
Distribution
This document has been distributed to:
Name | Title | Date of Issue | Version
PURPOSE
To document the technical specification for the security of a project, to identify any security
issues and associated risks, and to illustrate the architecture on which a proposed solution is built,
demonstrating that consideration has been given to security, access control and disaster recovery.
CONTENTS
Security Requirements
    Physical systems and Operating systems
    Supported Application Software
    User Authentication
    Communication Security
Security Architecture
    Access Control
    Access Requirements
    Operations Security
    Data Security
Disaster Recovery And Business Continuity
    Business Impact Analysis
    Resilience Requirements
Related Documents
Technical Approval
SECURITY REQUIREMENTS
Ensures the project uses standard technology and agreed principles when enforcing security.
Physical systems and Operating systems
Any computer systems used in the solution should:
1. Use a current version of one of the following operating systems:
o Microsoft Windows 2003 Server
o RedHat Enterprise Server 4
o Sun Solaris 10
o Mac OS X 10.4
2. Support any operating system security patches
3. Use strong Administrator passwords
Supported Application Software
1. If required, the solution should use supported database software:
o Oracle
o Microsoft SQL Server
2. If required, the solution should use supported web server software:
o Microsoft Internet Information Server (IIS)
o Apache
3. The solution should use the latest versions of any required software
User Authentication
1. Any user authentication should be handled by integration with:
o Windows Active Directory
o Kerberos
o Oracle SSO
OR
2. Agree available authentication method with ICT Security Group
3. Any built-in authentication methods must use encrypted passwords in a non-reversible
format (e.g. SHA-128; MD5 / SHA-1 is no longer considered suitable for sensitive
information such as passwords)
Communication Security
1. Any authentication of users must use an encrypted transfer of username and password
(e.g. HTTPS)
2. Where available, secure versions of protocols should be used (e.g. SFTP, POPS)
List any exceptions and justifications. Signoff must be obtained for any exceptions.
SECURITY ARCHITECTURE
Describes how the solution will ensure appropriate access is provided, whilst enforcing least
privilege policy. Describes how the solution will implement security requirements identified in the
functional specification.
Access Control
Describe how the solution will ensure that users and administrators of the system are assigned
appropriate roles and privileges.
Access Requirements
Describe how the solution will be accessible, and by whom.
Physical Location Access Requirements
ICT Datacentre
Externally hosted
Refer to Technical Platforms Specification.
Location Access Requirements
Internet
Internal only
Restricted internal only – describe
User Access Requirements
Publicly accessible
College staff
College students
Restricted external users
Restricted internal users
Maintenance Access Requirements
3rd party support access requirements?
Specify whether using:
1. Contractor VPN Service
2. Other – describe
Under what conditions:
1. At any time
2. With prior agreement only – describe process
Operations Security
Describe any security issues relating to operational management of the solution.
Change Control
Will changes to the operational environment be subject to ICT Change Control policy?
If not, explain.
Operations Access
Will the solution be subject to ICT Security Policy for platform security and maintenance?
If not, explain.
Data Security
Describe the sensitivity of the data to be handled by the solution.
Data Sensitivity
Is the data defined as sensitive:
o Patient-related data, including ‘coded’ data
o Commercially sensitive research data
o Financial data
o Personal data of any other type (i.e. data covered by the Data Protection Act)
Data Regulation Requirements
Does the solution comply with relevant data regulation requirements:
o Data Protection Act
o Financial Services Authority
o Payment Card Industry
o Contractual / Non-disclosure agreement
DISASTER RECOVERY AND BUSINESS CONTINUITY
Describes the disaster recovery and business continuity requirements for the project.
Business Impact Analysis
Has a Business Impact Analysis been performed?
What is the resulting criticality of the system?
Technical Disaster Recovery Plan documentation required before release? (Yes, for criticality < 4)
Resilience Requirements
What is the strategy for ensuring required business continuity is met?
Describe any redundancy the solution includes to ensure required business continuity.
RELATED DOCUMENTS
This document should inform the Release to Production documentation.
This document should address any security issues identified in the Risk Log.
Refer to any Network and Platform technical specification documents.
TECHNICAL APPROVAL
Any Security Technical Specification being proposed requires review by the teams that will
implement it and service it in production. In seeking approval, ensure to gain commitment from the
Technical teams that implementation of the proposed platform is realistic and achievable within the
resources available.
APPROVAL:
Threshold | Accountable Body
£0-100k | N/A
£100k-1m | Operations Committee
£1-5m | Management Board
>£5m | Council

Approval | Please Tick
Operations Services
Security Team Manager/Network Operations Manager/Data Centre Operations Manager
Data Centre Manager/Security Group Manager/Network Group Operations Manager
Faculty Support Manager/Business Systems Support Manager/Service Desk Manager
ICT Link Manager/Campus Support Manager/Service Delivery Manager
Head of IT Services
Deputy Director of ICT
Head of Technology Operations
Director of ICT

Name:
Signature:
Date:

Name:
Signature:
Date:

Name:
Signature:
Date: