- Ensure compliance with the UAE Personal Data Protection Law (PDPL), including its latest amendments.
- Ensure compliance with Saudi Arabia’s Personal Data Protection Law (issued by Royal Decree), including its latest amendments.
- Ensure that security issues reported by the automated SonarQube scan (OWASP rule set) of new source code are fixed before release.
- Ensure that a Privacy Impact Assessment (PIA) is conducted and the required documents are shared.
- Ensure that industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) are used to build security into your Systems/Software Development Lifecycle (SDLC).
- Ensure that identity federation standards (SAML, SPML, WS-Federation, etc.) are supported as a means of authenticating/authorizing users.
- Ensure that you incorporate ‘privacy by design’.
- Ensure that you use an automated source code analysis tool to detect security defects in code prior to production.
- Ensure that documentation establishing and defining your encryption management policies, procedures and guidelines is provided.
- Ensure that formal risk assessments, aligned with the enterprise-wide risk framework, are performed at least annually or at planned intervals, determining the likelihood and impact of all identified risks using qualitative and quantitative methods.
- Ensure that management provisions user authorizations and access restrictions before users are granted access to data and to any owned or managed (physical and virtual) applications, infrastructure systems and network components.
- Ensure that access to your information security management systems is restricted, logged and monitored.
- Ensure that Americana has the right to audit whenever it determines there is a need to do so.
- PI/sensitive data extracted from data sources should be hashed (with a keyed hash for low-entropy identifiers such as phone numbers), masked or tokenized before it is stored.
- Data in transit should be secured with TLS 1.2 or later.
- PI/sensitive data should always be stored at the database level, not in flat files, logs or caches.
- All data at rest should be encrypted with AES-256.
- Encryption keys should be stored separately from the data they protect, in a Hardware Security Module (HSM).
- The data in use should be isolated and secured.
- The data retention period should be set according to Americana’s requirements.
- If certain PI data must be deleted from the repository, there should be a process in place to locate that data and delete it.
- All logs should be forwarded to the Americana SOC for further analysis.
- Ensure that Interactive Application Security Testing (IAST) is conducted; IAST requires an agent to run inside the context of each running application.
- Ensure that active security vulnerabilities are detected at runtime through IAST, as opposed to DAST, which can only test the application from the outside once it is deployed, and SAST, which can only detect code anomalies without running application instances.
- Ensure that IAST detects vulnerabilities that would otherwise go unnoticed in SAST scans: runtime configuration, backend connection details, third-party libraries/frameworks, and database queries as executed at runtime.
- Ensure compliance with the law of the land, including data protection and privacy laws prevailing in the respective jurisdiction.
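The data-handling items above (hash/mask/tokenize before storage, AES-256 at rest, keys held apart from the data, a TLS 1.2 floor in transit, and a locate-and-delete process) can be exercised end to end in one small program. The following is an added example written for this page, not code from the requirements document or from any Americana system; it uses only the Go standard library. The HMAC key and the data-encryption key are generated inline for the demonstration, whereas in the deployment the requirements describe they would be released by the HSM/KMS at startup; the phone number is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// HashPI: keyed hash for lookups and joins. HMAC rather than bare SHA-256, because
// phone and ID numbers are low-entropy and an unkeyed hash is brute-forceable.
// The key is held with the other secrets, never beside the hashed data.
func HashPI(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// MaskPI: display form that keeps only the last `keep` characters.
func MaskPI(value string, keep int) string {
	if keep < 0 || keep >= len(value) {
		return strings.Repeat("*", len(value))
	}
	return strings.Repeat("*", len(value)-keep) + value[len(value)-keep:]
}

// Vault maps random tokens to AES-256-GCM ciphertext of the original value.
// Application tables hold only tokens, so "locate and delete" is one vault entry.
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || ciphertext
}

// NewVault takes the 32-byte data-encryption key (AES-256). In production the
// key is released by the HSM/KMS; here the caller constructs it for the demo.
func NewVault(dek []byte) (*Vault, error) {
	if len(dek) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: map[string][]byte{}}, nil
}

// Tokenize stores the encrypted value under a fresh random token. The token is
// bound to the ciphertext as GCM additional data, so a record copied under
// another token fails authentication in Detokenize.
func (v *Vault) Tokenize(value string) (string, error) {
	raw := make([]byte, 16)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	v.store[token] = v.aead.Seal(nonce, nonce, []byte(value), []byte(token))
	return token, nil
}

// Detokenize recovers the value, or fails for an unknown (or erased) token
// and for any record whose ciphertext or token binding was tampered with.
func (v *Vault) Detokenize(token string) (string, error) {
	rec, ok := v.store[token]
	ns := v.aead.NonceSize()
	if !ok || len(rec) < ns {
		return "", errors.New("unknown or corrupt token")
	}
	pt, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Erase is the deletion step: once the vault record is gone, every copy of the
// token elsewhere is an opaque string with no PI behind it.
func (v *Vault) Erase(token string) bool {
	_, ok := v.store[token]
	delete(v.store, token)
	return ok
}

// TLS12Config sets the in-transit floor explicitly; a zero MinVersion would
// leave the effective floor to the Go toolchain default.
func TLS12Config() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12} }

// MeetsTLSFloor treats nil or unset MinVersion as non-compliant for that reason.
func MeetsTLSFloor(c *tls.Config) bool { return c != nil && c.MinVersion >= tls.VersionTLS12 }

func main() {
	hmacKey, dek := make([]byte, 32), make([]byte, 32) // demo keys, see lead-in
	rand.Read(hmacKey)
	rand.Read(dek)
	v, _ := NewVault(dek)
	phone := "+971501234567" // constructed sample PI
	tok, _ := v.Tokenize(phone)
	back, _ := v.Detokenize(tok)
	fmt.Println("app table:", tok, "| lookup:", HashPI(hmacKey, phone)[:16], "| display:", MaskPI(phone, 4), "| vault:", back)
	v.Erase(tok)
	_, err := v.Detokenize(tok)
	fmt.Println("after erasure:", err, "| TLS floor ok:", MeetsTLSFloor(TLS12Config()))
}
```

Run with `go run main.go`. The only artefact that may leave the vault is the token; the masked form is what support staff and logs see, and the HMAC is what reporting joins on, so no raw PI has to sit in an application table, a log line or a cache.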