Architecture

  • Detail the requirements of the infrastructure that Iberdrola must use to implement the solution.
  • Detail the pre-production (non-operational) environment included in the offer.
  • The solution must be integrated with corporate IT processes. Please provide details of:
    • Backup management.
    • Availability and capacity management.
    • Possible integration of other agents.

Accessibility

  • The orchestrator will be accessed by several security teams, spread globally.
  • All tickets must be considered restricted information with access according to the need to know (defined by the personal profile).
  • Tickets must be able to be created:
    • Directly by any of the company’s employees, eliminating the need for a small team of intermediaries to modify them.
    • Through a web menu, this menu being configurable by the tool administrators.
    • From the BMC Remedy solution from Iberdrola.
    • From the ServiceNow solution that Iberdrola is deploying this year.
    • By e-mail.
    • From the following SIEMs: ArcSight, QRadar, Splunk.
  • It should be possible to schedule ticket creation automatically for recurring tasks. For example, an automatic monthly ticket to manage and trigger a set of actions.
  • Tickets can be updated by anyone with access to the ticket as determined by the user profile. Ticket closing will also be determined by user profile.
  • The solution must be integrated with Active Directory.
  • Access to the system shall be controlled through Active Directory groups.
  • The system administrator shall assign persons to their respective roles: security team from Spain, security team from the UK, security team from the USA, security team from Brazil, and a GLOBAL security team with access to all of the above.
  • Job roles will have defined access levels to perform predefined functions; e.g. Admin, read-only, read-write, etc.
  • Global business lines and functions shall be defined hierarchically in such a way that a member of a 'global' team has access to all local, regional or national entries.
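As an added illustration of the need-to-know and hierarchical-role requirements above (example code written for this page, not part of the tender or of any vendor's product), the following Python resolves a user's Active Directory groups into regional roles and access levels and decides what that user may do on a given ticket. The AD group names, region codes, level ordering and the rule for explicitly invited users are all assumptions.

```python
"""Need-to-know check: AD groups -> regional roles -> access level on a ticket.
Example code for this page; group names, regions and levels are assumed."""
from dataclasses import dataclass, field

# Assumed AD group -> (region, access level) mapping. "GLOBAL" sits above
# every national team in the hierarchy.
AD_GROUP_ROLES = {
    "SEC-ES-RW": ("ES", "read-write"),
    "SEC-UK-RO": ("UK", "read-only"),
    "SEC-US-RW": ("US", "read-write"),
    "SEC-BR-RO": ("BR", "read-only"),
    "SEC-GLOBAL-ADMIN": ("GLOBAL", "admin"),
}
LEVEL_RANK = {"read-only": 1, "read-write": 2, "admin": 3}
# Region hierarchy: a GLOBAL role covers every national region.
REGION_CHILDREN = {"GLOBAL": {"ES", "UK", "US", "BR"}}


@dataclass
class Ticket:
    ticket_id: str
    region: str
    invited: set = field(default_factory=set)  # users invited with limited rights


def effective_roles(ad_groups):
    """Collapse a user's AD groups into {region: highest access level}."""
    roles = {}
    for group in ad_groups:
        if group not in AD_GROUP_ROLES:
            continue  # unrelated AD groups grant nothing
        region, level = AD_GROUP_ROLES[group]
        if LEVEL_RANK[level] > LEVEL_RANK.get(roles.get(region), 0):
            roles[region] = level
    return roles


def covers(role_region, ticket_region):
    """A role covers a ticket when regions match or the role's region is an ancestor."""
    return role_region == ticket_region or ticket_region in REGION_CHILDREN.get(role_region, set())


def access_level(user, ad_groups, ticket):
    """Return the access level the user holds on the ticket, or None (no need to know)."""
    best = None
    for region, level in effective_roles(ad_groups).items():
        if covers(region, ticket.region):
            if best is None or LEVEL_RANK[level] > LEVEL_RANK[best]:
                best = level
    if best is None and user in ticket.invited:
        best = "read-only"  # assumed: invited outsiders only get read access
    return best


def can_close(user, ad_groups, ticket):
    """Closing is determined by profile: read-write or admin on that ticket."""
    return access_level(user, ad_groups, ticket) in ("read-write", "admin")


if __name__ == "__main__":
    t = Ticket("INC-1", "UK")
    print(access_level("bob", ["SEC-UK-RO"], t), can_close("gia", ["SEC-GLOBAL-ADMIN"], t))
```

Membership in unrelated groups such as `Domain Users` is ignored, and the check is evaluated per ticket rather than per screen, which is what lets the same function gate viewing, updating and closing.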

1.1 WORKFLOW
1.1.1 The system will dynamically capture data automatically and associate it with each ticket:

  • A unique reference number per ticket.
  • The ticket opening time and date timestamp.
  • The name of the creators.
  • Ticket resolution / closing time and date timestamp.
  • Mailbox monitoring.
1.1.2 Any entry of end-user data against the required fields shall be validated against the valid options allowed, with the exception of free-form fields such as title and incident details, etc.
1.1.3 The system should be easily adaptable to capture company-specific event information from data provided by the company; e.g. priority, line of business, function, type of incident, other ticket references, etc.
1.1.4 The system should allow for the classification of the incident or potential incident by adding the fields:
1.1.1 Depending on the level of impact of the ticket, the solution will require one level of notification or another (immediate, daily, monthly…) and a different set of recipients. The solution should enable and assist the above-mentioned notification and situational awareness process.
1.1.2 A ticket may be categorized and re-categorized as many times as necessary.
1.1.3 The ticket creation process will use predefined algorithms to automatically calculate a priority and a ticket risk based on the data entered by the user.
1.1.4 The tool should allow the creation of 'action', 'root cause' or 'problem' records to track specific follow-up actions for individual groups or users and allow them to be linked to 'parent' records such as incidents.
1.1.5 The tool will allow automatic ticket production through direct integration with other systems, such as a SIEM, or the provision of an API that can be used.
1.1.6 Enrichment of events. Each potential incident will be enriched according to the information provided (hostname, IPs, URLs, hashes, etc.). Enrichment will be done via API against:
  • An Open Source Threat Intelligence Platform (MISP) solution.
  • IBM X-Force.
  • An Excel sheet (can be imported to another format manually on a regular basis) for asset classification with regulatory requirements (LOPD, GDPR, PCI, SOX…).
1.1.7 The system shall allow for the intelligent direct processing of notifications and ticket ownership to the appropriate team in the correct circumstances, based on the information provided in the ticket and the predefined logic:
  • Type of event / incident.
  • Priority.
  • Region.
1.1.8 The system will support the online workflow to allow easy monitoring and management of tickets based on criteria defined as priority, line of business, etc.
1.1.9 Tickets will be presented at different stages of the life cycle, including:
  • 'Open' – newly opened but not assigned.
  • 'In progress' – being worked on and assigned to an owner.
  • 'Resolved' – incident resolved.
  • 'Closed' – the resolution has been verified and the ticket is closed (optional step).
1.1.10 Ability to link additional information to a ticket, e.g. a Microsoft Office document. If the attached information is embedded within the application, it must follow the rules for classifying company information, restrict access to the required audience and encrypt 'highly restricted' information.
1.1.11 Recognition of predefined SLAs for ticket resolution within defined time scales, according to ticket type, priority and seniority.
1.1.12 Creation of specific fields (templates) for predefined events and event types. Specific event types will generate specific data fields for that type; for example, a hardware loss will request different data fields than those required for a phishing attack.
1.1.13 Customizable dashboards that allow easy and intuitive ticket management at all stages, including lists and graphical views.
1.1.14 Modify ticket recipients. Creation and storage of predefined technical procedures, so that they can be assigned automatically or manually to the tickets that, by their nature, correspond to them.
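The enrichment step (1.1.6, the asset classification sheet) and the routing step (1.1.7, by type, priority and region) can be chained as in the following Python, added here as an illustration and not taken from the tender or from any vendor's product. The CSV is a constructed stand-in for the Excel export; its column names, the "regulated asset raises priority to at least high" rule, the team names and the routing table are all assumptions.

```python
"""Enrich a ticket from an asset classification sheet, then route it.
Example code for this page; sheet columns, rules and team names are assumed."""
import csv
import io
import ipaddress

# Constructed stand-in for the asset classification sheet (Excel export as CSV).
ASSET_SHEET_CSV = """hostname,ip,regulations,region
pay-db-01,10.1.20.5,"PCI,SOX",ES
hr-app-02,10.2.30.7,"GDPR,LOPD",UK
kiosk-09,10.3.40.9,,BR
"""

PRIORITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed routing logic: (incident type, region) -> team.
# Anything critical, or any unknown combination, goes to the global team.
ROUTES = {
    ("phishing", "ES"): "sec-es", ("phishing", "UK"): "sec-uk",
    ("malware", "ES"): "sec-es", ("malware", "BR"): "sec-br",
}


def load_asset_sheet(csv_text):
    """Index the sheet by hostname and by IP so a ticket can be enriched either way."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        regs = [r.strip() for r in row["regulations"].split(",") if r.strip()]
        record = {"hostname": row["hostname"], "regulations": regs, "region": row["region"]}
        index[row["hostname"].lower()] = record
        index[str(ipaddress.ip_address(row["ip"]))] = record  # normalises the IP text
    return index


def enrich(ticket, asset_index):
    """Attach regulatory scope and region from the sheet to a copy of the ticket."""
    enriched = dict(ticket, regulations=[], region=ticket.get("region"))
    for observable in ticket.get("observables", []):
        rec = asset_index.get(observable.lower())
        if rec is None:
            continue  # not a classified asset; nothing to add
        enriched["regulations"] = sorted(set(enriched["regulations"]) | set(rec["regulations"]))
        enriched["region"] = enriched["region"] or rec["region"]
    # Assumed rule: regulated data in scope means at least "high" priority.
    if enriched["regulations"] and PRIORITY_RANK[enriched["priority"]] < PRIORITY_RANK["high"]:
        enriched["priority"] = "high"
    return enriched


def route(enriched):
    """Pick the owning team from type, priority and region."""
    if enriched["priority"] == "critical":
        return "sec-global"
    return ROUTES.get((enriched["type"], enriched["region"]), "sec-global")


if __name__ == "__main__":
    idx = load_asset_sheet(ASSET_SHEET_CSV)
    t = enrich({"type": "malware", "priority": "low", "observables": ["PAY-DB-01"]}, idx)
    print(t["priority"], t["regulations"], route(t))
```

Keeping `enrich` and `route` separate matters in practice: enrichment results are stored on the ticket and visible to the analyst, while routing can be re-run whenever the ticket is re-categorized (1.1.2) without touching the enrichment data.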
1.2 REPORTS
1.2.1 The tool will have a search function that allows searching of ticket metadata and keywords.
1.2.2 Audit trails of all actions taken manually by individuals or automatically by the system.
1.2.3 The solution will automatically produce an activity report on a monthly basis.
1.2.4 The solution will make it easy to create new reports.
1.2.5 The platform will be in production with the following reports implemented:
  • Security analyst activity report: jobs/tickets managed by each analyst and grouped by security team (Spain, UK, USA, Brazil).
  • Report of services consumed / requested (incidents, vulnerabilities, …) grouped by security team (Spain, UK, USA, Brazil).
  • SLA report, with management and resolution times by security team (Spain, UK, USA, Brazil).
1.2.6 Reports may be generated on demand and the period of time to be applied shall be variable (month, four-month period, six-month period, year), or the start and end dates of the period shall be selectable.
| Domain | Functionality |
|---|---|
| Core function | Does the solution allow the client to create their own workflows? |
| Core function | Can the solution query external websites and aggregate the results? Please indicate for VirusTotal, Alexa.com, etc. |
| Core function | Can the solution remove / edit identifying information (based on regex or similar) from data before sending it to external websites? |
| Core function | Can the solution create e-mails and send them through SMTP/Exchange? |
| Core function | Can the solution automate security incident case handling? |
| Core function | Can the solution correlate related tickets by checking IP addresses against previous tickets in ServiceNow (e.g. finding repeat offenders)? |
| Core function | Can the solution aggregate phishing campaigns based on the same sender address (i.e. by querying ServiceNow for previous cases)? |
| Integration | Can the solution combine external information with internal databases (e.g. SQL/LDAP/AD) to target VIP/HPU? |
| Integration | Does the solution integrate with FireEye HX? |
| Integration | Does the solution trigger an automatic quarantine using FireEye HX and/or McAfee ePolicy Orchestrator? |
| Integration | Can the solution be used to synchronize IOCs between different HX instances (please outline how)? |
| Integration | Does the solution integrate with ServiceNow? |
| Integration | Does the solution integrate with FireEye EX? |
| Integration | Does the solution integrate with FireEye CMS? |
| Integration | Does the solution integrate with Splunk? |
| Integration | Please indicate with which other products the solution can be interconnected. |
| Integration | Can the solution use different playbooks / runbooks based on the kind of initial event (i.e. DDoS, phishing, malware)? |
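The "remove / edit identifying information before sending it to external websites" row above is the one control that keeps an external reputation lookup from leaking internal identifiers. The Python below, added as an example for this page and not taken from the tender or any product, redacts internal IP addresses, corporate e-mail addresses and corporate hostnames with stable tokens, leaves public indicators intact (they are what the external service needs), and keeps a mapping so the original values can be restored internally. The corporate domain and the internal address ranges are assumptions.

```python
"""Regex-based redaction of identifying information before an external lookup.
Example code for this page; the corporate domain and internal ranges are assumed."""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CORP_DOMAIN = "example-corp.com"  # assumed corporate e-mail / hostname domain

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
HOST_RE = re.compile(r"\b[\w-]+\." + re.escape(CORP_DOMAIN) + r"\b", re.IGNORECASE)


def _is_internal_ip(text):
    try:
        return any(ipaddress.ip_address(text) in net for net in INTERNAL_NETS)
    except ValueError:
        return False  # matched the regex but is not a valid address (e.g. 999.1.1.1)


def redact(text):
    """Return (redacted_text, {token: original}).

    Internal IPs, corporate e-mails and corporate hostnames become tokens such as
    <INTERNAL_IP_1>; the same value always maps to the same token so correlation
    across the text survives redaction. Public IPs and external addresses are kept."""
    mapping = {}
    counters = {}

    def token_for(kind, value):
        for tok, orig in mapping.items():
            if orig == value:
                return tok
        counters[kind] = counters.get(kind, 0) + 1
        tok = f"<{kind}_{counters[kind]}>"
        mapping[tok] = value
        return tok

    def email_repl(m):
        value = m.group(0)
        return token_for("EMAIL", value) if value.lower().endswith("@" + CORP_DOMAIN) else value

    def ip_repl(m):
        value = m.group(0)
        return token_for("INTERNAL_IP", value) if _is_internal_ip(value) else value

    out = EMAIL_RE.sub(email_repl, text)          # e-mails first so hostnames inside them are gone
    out = HOST_RE.sub(lambda m: token_for("HOST", m.group(0)), out)
    out = IPV4_RE.sub(ip_repl, out)
    return out, mapping


def restore(text, mapping):
    """Reverse the redaction for internal display of the external service's answer."""
    for tok, orig in mapping.items():
        text = text.replace(tok, orig)
    return text


if __name__ == "__main__":
    sample = "User j.doe@example-corp.com on ws-1234.example-corp.com (10.20.30.40) contacted 203.0.113.7"
    redacted, m = redact(sample)
    print(redacted)
    print(restore(redacted, m) == sample)
```

The mapping is the sensitive artefact here: it belongs in the ticket store under the same need-to-know controls as the ticket itself, never in the request sent outside.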
Data Architecture, Integration and Communications
Specific Requirements for Cloud
Technical Architecture
Data Protection
Access Control
Security

| Requirement | Comment | Area |
|---|---|---|
| Provide a secure data layer | e.g. encrypt the data in the database so that it is not exposed to external users | Threat Intelligence, Forensics |
| Provide a secure environment with supported functionality and processes relevant to C3/C4 data | Specifically to ensure that handling procedures mean that successful mitigation and resulting procedures are catered for | Threat Intelligence, Forensics |
| All e-mail notifications should be sent with a digital signature so that recipients can verify the legitimacy of the e-mail source | To prevent spoofing of an e-mail address | Threat Intelligence, Service Management, Forensics |
| Service Desk administrators will not have access to sensitive data | This is separation of duties. Service Desk and Service Support personnel will not be able to view sensitive data which has been identified as a result of security alerts | Threat Intelligence, Forensics |
| The system shall provide role based access rights | This enables the restriction of users and/or administrators to access areas of the system (role based access control) | Threat Intelligence, Data Hacking, Forensics |
| Application should be able to show different information to different users according to their roles | E.g. GSIM + SPOC (full detail); Management (high level, times, open tasks); … needs definition | Threat Intelligence, Service Management, Data Hacking, Forensics |
| Two factor authentication for login and access | Supported through DUO directly on the platform | Threat Intelligence |
| All content needs to be encrypted at database level | | Threat Intelligence, Forensics |
| User review/audit function will report/disable unused accounts after X days | | General |
| If C4, then limited search capability and reports, with an NDA checkbox required upfront even for authorised users | For C4 a user will need to be specifically invited | Forensics |
 
Interface

| Requirement | Comment | Area |
|---|---|---|
| Capability for interface build to key security tools such as Remedy, ArcSight and Splunk platforms | | General, SIEM, Service Management, Data Hacking |
| Data from ArcSight (CEF, …) can be imported/exported | | General, SIEM, Data Hacking |
| Data from Outlook can be imported/exported | Import e-mails, generate calendar items | General, Incident Management |
| Data from Remedy can be imported/exported | | General, Incident Management, Data Hacking |
| Data from Splunk platforms can be imported and exported | Exchange + certificate signing, PGP, S/MIME | General, Incident Management |
| Files can be uploaded through an API (moderated) | Customisation commands from ArcSight, Remedy, other | General, Data Hacking |
| The system shall be capable of combining data from other security related systems | Interfaces available with other systems and data can be imported | General |
| A new instance can be added directly in the tool by any authorized user | User can manually enter new information into the application | General |
| New instances can be added by a customisation command from ArcSight | Customisation commands can trigger a new instance | General |
| A new instance can be added with dedicated e-mails from Outlook | E-mails can be received and automatically turned into an instance. The e-mail needs to have a standard tag to highlight that it is an incident | General |
| New instances can be added with a customisation command from Remedy | Tickets in the ticket queue can automatically turn into an instance. Can assign a due date/time to each task. | General |
| The application can export information in STIX or other security related IOC documentation | | TI, Data Hacking |
| Access to application through mobile platform (statistical, management report, other) | Console is mainly browser based, but mobile apps to be available | General/Management, Threat Intelligence, Service Management, Data Hacking |
| The application to work properly on browsers (Firefox, Chrome, Internet Explorer) | | General, Threat Intelligence |
| Accessible via organisation standard web interface IE9, IE10 and IE11 | The system dashboard and other system tools to be accessible using IE9 and IE10 | General |
| The application must not need any special libraries to run (client side) | No local Java, no local Flash, no Silverlight | General |
| An administration panel for the user rights can be enabled for special groups/users | New user, edit user, edit rights, edit roles, edit groups will be controlled by a master Administrator | General |
| An administration panel for reporting can be enabled for special groups/users | New report, selection of fields, scheduled reports, export file types will be controlled by a master Administrator. A user can only run reports on incidents that they can see. | General/manager |
| The application provides an admin interface to place help texts on functions or choices in the application | E.g. help text for instance creation, help text for different severity levels including links to URLs | General, Data Hacking |
| User information can be retrieved from Active Directory | | General |
| User access controls should be based on groups, individuals and functions | | General, Threat Intelligence |
| External users can be set up by a special user group | Non-Vodafone users can be created/disabled | General |
| An administrative function for ADDING/EDITING/DISABLING users (» THREE DEDICATED ENTRIES) | | General, Incident Management |
| Every instance can be assigned to an individual | | General, Incident Management, Threat Intelligence, Data Hacking |
| Every instance can be assigned to a group | | General, Incident Management, Data Hacking |
| Each incident can be assigned to a resolver group | This is to ensure that no incident remains unallocated. | General, Incident Management |
| Every instance should have an owner | Each incident will have a creator, owner and members | General, Threat Intelligence |
| Every instance can be assigned to one or more entities | Group and individual | General, Threat Intelligence, Data Hacking |
| Every new instance will be assigned to the GSOC 1st line. | | General |
| All unassigned instances will be assigned to the GSOC 1st line within 2 hours | DEPRECATED/REVIEW IN REGARDS TO ASSIGNMENT. n/a see above, FR12 | General |
| Member of a cyber security group able to accept/reject an instance | This would give a feedback loop on manually opened instances to the customer. A user can 'resolve' an issue and add a reason for closure in order to reduce false positives. | General |
| Assigned user can add and edit but not change the information log of the instances | Fields need to be defined. Observers should not be able to change any information. (Unable to link to any other databases with types or categories of incidents/threats etc.) | General, Data Hacking |
| Incident manager can mark data in an instance as deprecated/hidden/false | Fields need to be defined. Incident manager can indicate who can see what in terms of users, but not based on specific fields of an incident | General, Incident Management |
| All state changes need timestamps and the actual user information on who performed which action | | General, Data Hacking |
| Incident manager can invite/block users to view/edit the instance. | Not only GSOC but also GSOC internally (e.g. C4 instances) | General, Incident Management |
| Several users can append information to the instance at the same time but are not able to overwrite each other's comments | New information is moderated by Incident Management. A dialogue will notify users that they are not working on the latest version of an incident if any given field is being edited at the same time. | General, Threat Intelligence, Data Hacking |
| Updates to an instance need to be notified to the responsible incident manager and assignee(s) | | General, Data Hacking |
| An instance has information fields which can/cannot be altered or edited by anyone | Fields need to be defined. Only 'created by' and 'date created' cannot be changed. | General, Incident Management, Data Hacking |
| An instance can be categorized by a severity. | Examples: S1, S2, S3, … | General, Incident Management, Data Hacking |
| An instance can be categorized by an internal complexity category | Examples: 1 client vs. 50 clients; 1 server vs. 30 servers, … (only internal measurements) | General, Incident Management, Data Hacking |
| An instance can be linked to another instance | Parent/child relationship. Can be done manually and automatically | General, Data Hacking |
| An instance can be cloned to a new instance | Fields which are taken over can be defined | General |
| An instance can be assigned to another group within the cyber security community | GSIM to DE CSIRT to EH back to GSIM … // Ownership | General |
| Users outside the cyber security community can be invited to the instance with limited rights | Authorized by the instance manager | General |
| Files can be uploaded by a user (moderated) | User can manually upload new files to the application | General |
| Uploaded files will be handled in a protected way (malicious files have to be marked) | Password protection, alert before downloading, encryption; can be uploaded manually | General |
| Uploaded files will be hashed/analysed | Timestamp, uploaded by user, file hash, file size. Can have manual actions associated with an attachment, and an added attachment can then be sent to another system. | General, Incident Management, Data Hacking (generate the hash) |
| Attachments can be commented | | General, Data Hacking |
| Interface to Exchange or SMTP interface to generate e-mails | Sending (signed) e-mails from information fields of an instance | General |
| Active Directory data to be maintained at 99.98% accuracy | Nothing is stored in AD – it is only queried | General |
| Active Directory access for address book | | General |
| An instance can be set to "request to close" | | General |
| With categorizing an instance, a task list according to the use case action plan is initiated | | Incident Management |
| An instance has different stages, which cover the lifecycle of an incident (may change in the future) | E.g. Identification, Containment, Eradication, Recovery, Lessons Learned, Closed, Archived | General, Incident Management |
| The system shall enable grouped searches which result in targeted notifications and reporting. Those uninterested in a search, or set of searches, do not receive notifications or reports resulting from them | This avoids the 'data dump' method of reporting requiring recipients to sift and filter to find the items of interest. Equally it also precludes one set of users viewing reported items which they should not be privy to. | General |
| Search for previous/duplicated instances, additional information | Users from the cyber security community can search through all information on full text. Able to search on a variety of fields and text. | General, Data Hacking |
| An instance has different statuses, which cover the ticket lifecycle | E.g. Assigned, in process, rejected, closed | General, Incident Management |
| An instance can be reassigned by dedicated people, even if the original owner is not available | Re-assignment if owner/manager is sick. Only an Administrator can reassign | General, Incident Management |
| An instance can be escalated to another person/manager manually | No feedback after time, no feedback on requested information | General, Incident Management |
| The system shall provide metrics to determine progress towards continuous improvement targets | | General, Incident Management, Data Hacking |
| An instance can be escalated to another person/manager automatically | SLA times | General |
| The service capacity shall be able to manage the max number of users/network assets | 500-1000 scalability required | General |
| The capability to tailor-make end user communications using message templates for alerts to be sent to end users in order to take action | Notifications can be created according to the recipients' own needs, i.e. how the notification is formatted, what it contains and who it goes to | General, Forensics, Data Hacking |
 
Quality Assurance functions

| Requirement | Comment | Area |
|---|---|---|
| An instance can be reopened (and reassigned) with a given reason. | | General |
| An instance has to be closed with a given exit code | Examples: Resolved, Unresolved, Duplicated, Merged, Rejected, … | General |
| Ability to create policies; the application needs to be compliant with these existing policies within the Group | PCI, SOX, ISO, other (full set of policies needs to be defined) | General |
| The application needs to accept exceptions to the policies for the local markets | Customers/local markets might not need to apply the Group policies. Exemptions can be applied to local markets/OpCos | General |
| An instance can be investigated/monitored/reviewed before closure | | General, Data Hacking |
| QUERY FUNCTION / SEARCH CAPABILITY / FILTERING OVERALL | No query, but filter and search are available. | General |
| A DEDICATED FACILITY TO VIEW WORKING QUEUE / BACKLOG | Backlog is a list of low severity or long running incidents | General |
| ISO 9001 SUPPORT CAPABILITY | ISO 9001 is an International Standard that gives requirements for an organization's quality management system (QMS). It is part of a family of standards published by the International Organization for Stand- | General |
| Use of the system shall not adversely affect the performance of any other integrated systems or services nor the network upon which it resides | No degradation of other services and network functions during normal operation | General |
 
Management and control functions

| Requirement | Comment | Area |
|---|---|---|
| Incident manager needs a dedicated view on all instances and their authorized users | | Incident Management, Threat Intelligence |
| All information in the application needs to be classified with a C1-C4 level statement | C3 is the default setting | General, Threat Intelligence, Data Hacking |
| A user can have one to many different roles (SPOC, CTSO, CTO, other) for assignment purposes | | General |
| The application can import and process IOC definitions, e.g. written in STIX | Yes for artefacts, otherwise no for anything imported manually | Incident Management, TI, Forensics |
| Admin role with ability to add, edit or delete users | | Incident Management, TI, Forensics |
| External users can be set up by a special user group | | General, Incident Management |
| Keep reliable and accurate records and have the ability to track them with a full audit log | | General |
| Improve the sharing of knowledge and best practices stemming from incidents and investigations | | General |
| An instance can be categorized by one security category. | Examples: malware infection, compromised host, … 19 out-of-the-box categories already exist. Can also be assigned to more than a single category (e.g. malware and phishing) | General |
 
Alerting

| Requirement | Comment | Area |
|---|---|---|
| New instance triggers notification (e-mail, internal popup, other) to the assigned function | | General, Threat Intelligence, Service Management, Data Hacking |
| SMS notification will be sent for highly critical instances. | | General, Threat Intelligence, Service Management |
| Notifications contain instance number and URL to the instance (no confidential information) | | General, Service Management |
| Users must log in to the application to see any content/information | | General, Threat Intelligence, Service Management |
| All notifications will be logged with the recipients, timestamp and content | | General |
| An escalation mechanism shall enable the alerting and notification to be extended according to a user driven hierarchy. | | General |
| An escalation workflow embedded in the communications function to allow auto escalation to a named line manager or team | This applies to both infrastructure failures remediated by VSSI and Security Alerts. Built-in (customisable) escalation paths ensure that where SLAs have been, or are about to be, breached, a suitable team or manager is alerted. | General |
| Notification method can be configured per individual (e-mail, internal, other) | | General |
| The system shall provide alerts by log and alternative mechanisms and channels depending on a configurable range of alert types | Depending on the type of alert a pre-determined mechanism or channel can be used, e.g. system log, screen, text, e-mail etc. | General |
| A dashboard provides information and status about all queued instances and tasks | | General, Service Management, Data Hacking |
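The auto-escalation rows above (SLA breached or about to be breached, named line manager or team) and the "escalated automatically / SLA times" row in the Interface section come down to one SLA clock per severity with a warning threshold. The Python below, added for this page and not taken from the tender or any vendor's product, implements that clock and the escalation decision; the SLA hours per severity, the 80% warning fraction and the escalation chain are assumptions.

```python
"""SLA clock with warning threshold and stepwise auto-escalation.
Example code for this page; SLA times, warning fraction and chains are assumed."""
from datetime import datetime, timedelta, timezone

# Assumed resolution SLA per severity, in hours.
SLA_HOURS = {"S1": 4, "S2": 24, "S3": 72}
WARN_FRACTION = 0.8  # "about to breach" once 80% of the SLA has elapsed
# Assumed escalation path per owning team: first the line manager, then the global team.
ESCALATION_CHAIN = {
    "sec-es": ["es-line-manager", "sec-global"],
    "sec-global": ["ciso-office"],
}


def sla_state(opened_at, severity, now, resolved_at=None):
    """Return ('ok' | 'at-risk' | 'breached', time remaining; negative once breached).

    A resolved ticket is measured against its resolution time, so a late
    re-evaluation never escalates something that was closed inside the SLA."""
    limit = timedelta(hours=SLA_HOURS[severity])
    elapsed = (resolved_at or now) - opened_at
    if elapsed > limit:
        return "breached", limit - elapsed
    if resolved_at is None and elapsed >= limit * WARN_FRACTION:
        return "at-risk", limit - elapsed
    return "ok", limit - elapsed


def escalate(ticket, now):
    """Return (state, recipients, escalation_hops_after_this_evaluation).

    at-risk: warn the assignee and the first hop without consuming it.
    breached: advance one hop along the chain per evaluation, stopping at the end."""
    state, _ = sla_state(ticket["opened_at"], ticket["severity"], now, ticket.get("resolved_at"))
    chain = ESCALATION_CHAIN.get(ticket["team"], [])
    hops = ticket.get("escalation_hops", 0)
    if state == "ok":
        return state, [], hops
    if state == "at-risk":
        return state, [ticket["assignee"]] + chain[:1], hops
    if hops < len(chain):
        hops += 1
    return state, [ticket["assignee"]] + chain[:hops], hops


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    tk = {"severity": "S1", "team": "sec-es", "assignee": "ana", "opened_at": t0}
    for hours in (1, 3.5, 5):
        print(hours, escalate(tk, t0 + timedelta(hours=hours)))
```

The scheduler that calls `escalate` must persist the returned hop count back onto the ticket; otherwise every run re-notifies the same first hop instead of walking up the chain, which is the usual way these escalation loops turn into alert noise.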
 
Reporting

| Requirement | Comment | Area |
|---|---|---|
| The application can create reports manually (click by users) | 5 standard templates are available and further customisable reports are available. | General, Threat Intelligence, Service Management, Data Hacking |
| The application provides different SLA times and KPIs based on the severity, category and status | | General, Threat Intelligence, Service Management, Data Hacking |
| The application will create reports based on schedules (time or event trigger) | | General, Service Management, Data Hacking |
| The application can create PDF reports from single instances | Containing all information, like a log, including all related events, files and people | General, Threat Intelligence, Service Management, Data Hacking |
| Standard reporting for each group | e.g. Incident Management, Threat Intelligence, etc. | General, Forensics, Threat Intelligence, Service Management, Data Hacking |
| The application can create statistical reports | Opened/closed cases per category/local market over a timeframe (week/month/year). Additional analytical reports | General, Threat Intelligence, Service Management, Data Hacking |
| The application provides an interface to select fields for export. | Each field can have a condition associated with it before it gets populated, i.e. a field will only appear if a condition is met. | General, Data Hacking |
| The application can create a report of several instances in CSV, XML, PDF | E.g. predefined reports can be used to extract 5 out of 20 fields in CSV for reporting. XML only via API | General, Service Management, Data Hacking |
| The system shall create configurable management information reports | | General, Service Management |
| Event based ad hoc reporting | NEW REPORT, IF X > 10 or TIME LONGER THAN Y | General, Service Management |
| Dedicated facility for dedicated access via mobile (e.g. statistics) | Responsive UI | General |
| The system shall provide event/time 'stamps' for use in general and audit reporting. | | General, Data Hacking |
| Reporting for role based, management information and 'customer' required. | Daily report, e.g. availability of environment and status of control checks and reporting (Service Operations), i.e. not security alerts (content and format to be determined) | General |
| The format of reports shall be configurable | In terms of style and layout, and suitable as evidence of evaluation as required by operational managers, users as well as internal and external auditors, e.g. high-level dashboards and technical reports | General, Service Management, Data Hacking |
| The system shall be able to send pre-determined reports to recipients | Either by e-mail or other business standard mechanisms | General, Service Management |
| The system shall provide reports which support the service levels and key performance indicators devised to inform management of the service and satisfy auditors | | General, Service Management, Data Hacking |
| The system shall provide reporting formats which allow targets and tolerances to be depicted. | This enables users to set target levels and acceptable tolerances which can be easily shown and analysed by recipients of reports. | General, Service Management |
| The service shall provide data access and reporting sufficient for external auditing needs | Provision of non-sensitive data and associated reports to give external auditors what they require without transgressing data protection or similar regulatory and legal standards | General |
| Management reports of trend analysis | Real-time stats dashboard to show activity and progress of the live view of the incidents and related team and resolver activities for management purposes | General, Forensics, Threat Intelligence, Service Management, Data Hacking |
| The system shall provide a reporting package enabling operational and management information reports | Reporting from the database by standard, pre-written reports, or by customisable query driven reports in an intuitive, graphical user interface | General, Service Management |
| The system shall be capable of modular improvements and additions to provide further capability via formal change and release control mechanisms | Provision for a staged approach to system and service improvements in the form of additional capability supporting the security evaluation, reporting and remediation activities | General |
| The reporting service shall be capable of being driven by predetermined service level agreements, e.g. date driven | This enables the scheduling of reports according to differing service level agreements and reporting calendars. | General, Service Management |
| Exception reporting of "OUT OF SLA / KPI" EVENTS | | General, Service Management, Data Hacking |
| Report on fact and duration of each issue | To illustrate how long it takes for each action to be dealt with | General, Forensics, Service Management, Data Hacking |
 
Shiftlog functions

| Requirement | Comment | Area |
|---|---|---|
| The system shall support Shiftlog entries | Require an analyst Shiftlog to make notes about occurrences etc. | General |
| The application provides a Shiftlog log function, where more information on What\How is required | | General |
| Any information from the Shiftlog can be used as the core of a new instance at any time | Information like author, timestamp and content is taken over to the new instance | General |
| Time limited edit function » better versioning of all versions\logs | For example we need a forum style comments log which allows a time limited change to be made, for example if a comment has been made or to make a correction. After 60 minutes all comments will be locked. | General |
| Mark evidence as DEPRECATED/INVALID | Resilient's primary function is to provide an IR platform. Our use cases do not cover case management including chain of custody | General |
 
Workflow management functions

| Requirement | Comment | Area |
|---|---|---|
| The application should be able to adopt and change "quickly" to the workflows. | Incident type can be changed at any time and dynamic changes are possible | General, Threat Intelligence, Service Management |
| ABILITY TO INTRODUCE A NEW / EDIT / REVOKE A WORKFLOW | SM Note: Workflow changes should be applied to "open" instances as well (not only new) | General, Threat Intelligence |
| MAINTENANCE OF HISTORY WORKFLOWS | | General, Threat Intelligence |
| STRATEGY OF WORKFLOW AMENDMENT (CHANGES, TIMEFRAMES, OTHER) | | General |
 
Architecture

| Requirement | Comment | Team |
|---|---|---|
| The application is scalable to the number of users / amount of data | More servers in the cluster, more performance | General |
| The application can be run in a high availability cluster (EXTEND TO SINGLE ITEMS) | High cluster availability will be provided through VMware | General |
| The application is compliant with the data centre standards | Process monitoring, hardware monitoring, port monitoring | General |
| The system will allow for differing administration access rights depending on the role of the user | Master Admin will control access of other types of users. | General |
| Administrator access rights shall only allow individuals to view and administer data pertinent to their area of control | | General |
| Application should show different information to different roles | Will be able to vary visibility for different user roles | General |
| An administration panel for the user rights can be enabled for special groups/users | | General |
| All state changes need timestamps and the actual user who performed the action | | General |
| The application can be run in a high availability cluster (EXTEND TO SINGLE ITEMS) | | General |
| Flexibility of design to allow for an increase in scope and usage in future years | | General |
| The data retention period shall be: x years, Y months, Z days | Nothing is deleted, and backups can be managed | General |
| The application is scalable to the number of users / amount of data | | General |
| ARCHIVING OVERALL? – PERFORMANCE, SPACE, OTHER | | General |
| Maintenance and support for the environment | | General |
| Field definition, usage of REGEX to parse IPs or other | | General |
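For the field-definition requirement above (regex used to parse IPs out of ticket fields), here is an added example, not code from the original page or from any vendor's product: a regex only proposes candidates from free text, `ipaddress` decides which are real addresses, and defanged notation such as `10[.]0[.]0[.]7` is refanged first. The sample ticket text is constructed.

```python
import ipaddress
import re

# Defanged separators common in analyst notes: 10[.]0[.]0[.]7, 2001[:]db8[:]...
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\[:\]")
# Candidate IPv4: four 1-3 digit groups that are not part of a longer dotted run
_IPV4 = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
# Candidate IPv6: 2-7 hex groups ending in ':' plus an optional final group
_IPV6 = re.compile(r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])")


def refang(text):
    """Undo [.] / (.) / [:] defanging so the candidates can be parsed."""
    return _DEFANG.sub(lambda m: ":" if ":" in m.group(0) else ".", text)


def extract_ips(text):
    """Pull IP addresses out of a free-text ticket field.

    The regexes only propose candidates; ipaddress decides whether a token is a
    real address. Returns {"valid": [(ip, version), ...], "rejected": [token, ...]}
    where "rejected" holds regex hits that are not addresses (999.1.1.1, 12:30:45).
    """
    text = refang(text)
    result = {"valid": [], "rejected": []}
    for pattern in (_IPV4, _IPV6):
        for match in pattern.finditer(text):
            token = match.group(0)
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                result["rejected"].append(token)
                continue
            # str(addr) normalises the form, e.g. 2001:0db8::0001 -> 2001:db8::1
            result["valid"].append((str(addr), addr.version))
    return result


# Constructed sample ticket text (hypothetical, not from the original page)
SAMPLE = ("Beacon to 203.0.113.45 from host 10[.]0[.]0[.]7 at 12:30:45; "
          "also 999.1.1.1 and 2001:db8::1.")

if __name__ == "__main__":
    print(extract_ips(SAMPLE))
```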
 
Runbook

| Requirement | Comment | Team |
|---|---|---|
| Ability to create play books/run books | | General, Service Management |
| Linking incidents to threat intelligence | | General, Threat Intelligence, Data Hacking |
| Support and simulation | | General |
| Ability to create trend reports on how often each run book is used and where a certain run book has not been used for a certain period of time | | General |
 
Team Specific

| Requirement | Comment | Team |
|---|---|---|
| Automated search facility and grouping of results | To be able to search on related issues and create a dashboard/display of historic data on all related issues | Forensics, Data Hacking |
| If the occurrence of an issue is greater than 1, flag the issue and escalate it to the responsible group | Create a report with the number of occurrences and history of occurrences and escalate | Forensics |
| An automated security marker (classification) to lock down the issue to a certain/related team | So the issue won’t be open to unauthorised users | Forensics |
| Create new groups on functionality and lock down user accounts to the specific related functionality with fine-grained security control | | Forensics |
| Customizable dashboards on a group and individual basis depending on workload, roles and responsibility | | Forensics, Data Hacking |
| Ability to edit and influence the report | To be able to pull reports and edit them where applicable | Forensics |
| Task list with time stamps and action plans | Each individual can have a dashboard on their list of completed actions with the time taken to complete each action and a list of assigned actions in progress | Forensics |
| Enabled SharePoint and URL hyperlinks in the body of the incident which can be clicked on to take you to the related link | | Forensics |
| Adaptable to types of situations | Template fields to be displayed depending on types of incidents, and some fields could be made mandatory actions to follow | Forensics |
| Ability to create watch list | | Forensics, Data Hacking, Threat Intelligence |
| Ability to assign group members to watch list | | Forensics, Data Hacking, Threat Intelligence |
| Email notifications to be sent out to all users in the watch list each time the status of the watch list changes or the issues get updated | | Forensics, Data Hacking, Threat Intelligence |
| A visual hierarchy to be displayed for parent/child tickets and issues | As well as linking related issues to enable the visual hierarchy | Forensics, Data Hacking |
| Timer widget to capture the time stamp and date of issues | | Forensics |
| To enable creating dedicated new user groups that can view sensitive data | Authority level for related Senior & Incident management | Forensics |
| To create a dedicated portal to be used for requesting an activity or service | To follow a process to raise a ticket for a service request | Service Management |
| To have a centralised list of escalation contacts depending on role and responsibility | | Service Management |
| Secure central documentation/service catalogue repository with document versioning enabled, to be used and accessed by authorised users | | Service Management |
| Links to be provided or ability to attach documents from the repository | | Service Management |
| Facilitate KPI and metrics reporting | | Service Management |
| Create and automate KPIs & dashboards for service and operational reports | | Service Management |
| Enable product categorizations | E.g. Operational, Resolution, SLA for each ticket, customer and market categories | Service Management |
| Enable handling of service, incident and change requests | | Service Management |
| Handling different categories and subcategories of ticket and status | | Service Management |
| Facility to create a business continuity plan | | Service Management |
| Analytical tool, understanding narratives | | Threat Intelligence |
| Searchable, search capability on individual fields | | Threat Intelligence, Data Hacking |
| Automated alerts in email or text format on assigned issues | | Threat Intelligence |
| Automated email alerts on priority issues and escalated issues | | Threat Intelligence |
| Ability to email contents of STIX reports | | Threat Intelligence |
| Simplification of data in STIX is enabled | E.g. Visual display at parent/child level in incidents | Threat Intelligence |
| Ability to have an interface with other platforms | E.g. Silobreak | Threat Intelligence |
| Ability to create tailor-made searching scenarios which can be saved for future use | Multi-string searching and search on specific fields | Threat Intelligence, Data Hacking |
| Creating a logical order of input to create a workflow process | Step-by-step logical flow to follow | Threat Intelligence |
| Creating and requesting automatic progress reports on selected issues | | Threat Intelligence |
| Ability to create a specific dashboard to display your team’s individually assigned issues, details on actions taken and progress | | Threat Intelligence |
| Help & support option on process and required actions on set processes | Team to be able to edit, update and add new subject areas and processes | Threat Intelligence |
| Email notifications each time the status of assigned/raised issues is updated/changed | | Threat Intelligence, Data Hacking |
| Create trend profiles of the types of attacks and issues, and ability to link a user, group of users, URL etc. to that profile as knowledge share | This should be restricted to be viewed by authorised users within the team | Threat Intelligence |
| Ability to view and check the quality of issues created by level 1 & 2 | | Data Hacking |
| Granularity on reporting and ability to create detailed reporting on chosen fields | | Data Hacking |
| Trending capability reports and ability to search on issues that have the same pattern or show a trend on the same user | | Data Hacking |
| Ability to create tailor-made dashboards and ability to create tailor-made metrics | | Data Hacking |
| Ability to search on related issues & create a report with the list & summary of those issues | | Data Hacking |
| Capability to refine and customize notifications and alerts | | Data Hacking |
| To allow for external connectors for data import & export | | Data Hacking |
| Catering for hand-over and providing information logs for analysts transitioning to the next shift | | Data Hacking |
| Dedicated document storage repository for the use of authorised users only | | Ethical Hacking |
| Ability to send out vulnerability alerts and notifications to local markets and different users | | Ethical Hacking, Service Management |
| Ability to create a record of vulnerability notifications and alerts | | Ethical Hacking |
| Reports, alerts and notifications should have the customized Vodafone look & feel | | General, Service Management |
| Tool should have an integrated CMDB | | SIEM Team |

Audit Logging


| Requirement | Description |
|---|---|
| Confirm your application will log user access attempts (Pass/Fail)? | Failed and successful user log-ins, including the user name, date and time they logged in |
| Confirm your application will log user sessions or user activity (if different from logon/logoff)? | Tracking of user sessions on the application, including user name, time and date of session |
| Confirm your application will log escalation of user privileges? | Application logging when a user has escalated privileges, including the user who made the change and the user whose rights have been altered |
| Confirm your application will log use of administrator accounts? | Logging when an administrator account is used or escalated rights are used to perform functions such as su to root on Unix |
| Confirm your application will log system changes/updates? | Application logging when new patches or changes have been deployed |
| Confirm your application will log system errors/critical errors? | Logging of system and critical errors, including error code, time and date |
| Confirm your application will log application stop/start/resets, error conditions, failures and threshold exceptions? | Creating a log entry when the settings for logging events have changed or logging has failed. Also log start/stop times |
| Confirm your application will log backup activity? | Logging when backups are taken and if they fail |
| Confirm your application will log changes in storage levels? | Logging when the storage levels for servers/databases have been altered |
| Confirm your application will log terms and conditions accepts/declines by users? | Logging when a user accepts or declines the terms and conditions for the application |
| Do you foresee any application-specific events being raised to SIEM? | Does your system log specific security events which should be captured by SIEM? This is particularly relevant for systems which answered yes to question 19 (Provide security enabling functions). Please enumerate answers |