Security by Design Clause Samples

The 'Security by Design' clause requires that security considerations are integrated into the development and operation of products, systems, or services from the outset. This means that security features, such as data encryption, access controls, and regular vulnerability assessments, must be incorporated during the planning, design, and implementation phases, rather than being added as an afterthought. By mandating proactive security measures, this clause helps prevent security breaches and ensures that systems are resilient against threats, ultimately protecting sensitive information and reducing the risk of costly incidents.
Security by Design. Seller represents and warrants that a commercially reasonable program consistent with industry standards to ensure that all such Software and Firmware is free from material vulnerabilities (whether in proprietary software code or third party software code (including Open Source Software)) will be established and maintained for any Software and Firmware, including when used in, or incorporated into, the Goods, or Software used in the installation, maintenance, configuration, or support of the Goods (“Security Protocol”). The Security Protocol will include a testing regime designed to model threats and detect security and design bugs, defects, and flaws through: (a) static code analysis; (b) penetration testing (ethical hacking);
Security by Design. 5.1 The Supplier shall apply the ‘principle of least privilege’ (the practice of limiting systems, processes and user access to the minimum possible level) to the design and configuration of IT systems which will process or store Government Data. 5.2 When designing and configuring the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier) the Supplier shall follow Good Industry Practice and seek guidance from recognised security professionals with the appropriate skills and/or a NCSC certification (▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/section/products-services/ncsc-certification) for all bespoke or complex components of the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier).
Security by Design. Secure Software Development Life Cycle (SDLC) is followed and can be evidenced.
Security by Design. Seller represents and warrants it has made commercially reasonable efforts consistent with industry standards to ensure that all Software and Firmware is designed free from material vulnerabilities (whether in proprietary software code or third party software code, including the applicable operational support system (“OSS”)) and a reasonable commercial security by design program has been established and maintained for all Software and Firmware, including when used in, or incorporated into, the goods, or Software/Firmware used in the installation, maintenance, configuration, or support of the goods (the “Security Protocol”). The Security Protocol will include a testing regime designed to model threats and detect security and design bugs, defects, and flaws through: (a) penetration testing (ethical hacking); (b) OSS scanning; (c) static code analysis; and (d) all other testing and verification necessary to ensure adherence to industry standard “Security by Design” principles (collectively, a “Security by Design Program”). Seller further represents and warrants that it will reasonably assist with and participate in any similar Security by Design Program established by Buyer, including providing Buyer documentation regarding Seller’s compliance with these requirements reasonably requested by ▇▇▇▇▇.
Security by Design. The Supplier shall apply the ‘principle of least privilege’ (the practice of limiting systems, processes and user access to the minimum possible level) to the design and configuration of IT systems which will process or store Government Data.
Security by Design. Data can only be directly accessed by authorised Brightmile team members. We employ a principle of least privilege across all services and resources, users and resources can only read or write to the resources they require. We segregate using VPC (virtual private networks) to isolate our services from each other. All data is only accessible via our secure encrypted API. This API is secured using an industry standard ID & token management solution. By employing this solution Brightmile never directly reads or stores passwords or credentials and all access management is deferred to this platform. There is no way to programmatically access a user’s password or credentials. We use token minting to mint access controls directly into the user’s token. These tokens are then re-verified by our server on every request to ensure there is no inappropriate or unauthorised access to data. Through usage logs we log every data access at point of usage and can quickly revoke all access to any resource or all resources automatically. Our system notifies us immediately via push, email and through dashboards of any unauthorised access to our systems. Any account that makes 5 or more invalid password requests for an access token is blocked and all access is revoked. Although all data is secured through our API stack, we also employ cloud level access controls and database access controls directly on the storage solutions we employ. Geolocation data is read only and cannot be read or processed by an end user, and is not accessible via any API. Positional information is processed upon upload, stored in a read-only format and never retrieved again by the platform.
Security by Design. The Service Provider shall apply the ‘principle of least privilege’ (the practice of limiting systems, processes and user access to the minimum possible level) to the design and configuration of IT systems which will process or store Government Data.
Security by Design. The Auditoria’s Software Development Lifecycle (SDLC) standard defines the process by which Auditoria creates secure products and the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment). Auditoria engineers perform numerous security activities for the Auditoria Solution including: 10.1. internal security reviews before products are launched; 10.2. periodic penetration tests performed by independent third-party contractors; and 10.3. conduct threat models for the Auditoria Solution including documenting any detection of attacks.