Appendix of basic safety requirements for internal software of an IT application investment project using state budget capital in Vietnam

No

Technical requirements

Description of the request

Level of information system

1

2

3

4

5

1.

Accuracy

1.1

Having the function of user authentication when accessing, administering and configuring the Software.

a) Having a user account management interface.

x

x

x

x

x

b) User authentication is required when accessing the administration and configuration of the Software.

x

x

x

x

x

c) Require user authentication when accessing and using the Software.

x

x

x

x

x

1.2

Has functionality to allow encrypted storage of system credentials.

Credentials are stored encrypted on the Software using hash algorithms from SHA-256, SHA-512, SHA-3 and equivalent algorithms.

x

x

x

x

x

1.3

There is a function that allows setting the user password policy.

a) There is a function to ask users to set a new password when logging in for the first time using the default password.

x

x

x

x

x

b) There is a function that allows setting password rules on the number of characters and the type of characters.

x

x

x

x

x

c) There is a function that allows setting the time required to change the password.

x

x

x

x

d) There is a function that allows setting valid password time.

x

x

x

x

d) Lock the account and ask for a new password when the password of that account expires.

x

x

x

x

e) Unlock the account when successfully changing the password in case the password has expired.

x

x

x

x

1.4

There is a function that allows to limit the number of false logins in a certain period of time with a certain account.

a) There is an interface that allows setting a policy to limit the number of false logins within a certain period of time.

x

x

x

x

b) There is a function to warn users when violating the policy.

x

x

x

x

c) There is an automatic function to prevent automatic login when violating the above policy.

x

x

x

x

dd) There is a function to automatically disable the account if it violates the above policy.

x

x

x

1.5

There is a function that allows authentication information to be encrypted before sending over the network environment.

The function ensures that the password is encrypted before sending it over the network.

x

x

x

1.6

There is a function that allows the use of multi-factor authentication mechanism to authenticate users.

a) There is an interface that allows administrators to manage policies on multi-factor authentication.

x

x

b) Integrate multi-factor authentication steps when the policy for this case is enabled.

x

x

2.

Access control

2.1

There is a function that allows setting timeout limits (timeout).

a) There is a function that allows setting a timeout limit to close the connection session when the Software does not receive a request from the user.

x

x

x

x

x

b) Display a message, close the session, the timeout has expired, and ask to log in again.

x

x

x

x

2.2

There is a function that allows to limit the administrative network address allowed to access and administer the Software remotely.

a) There is an interface that allows administrators to manage policies on limiting administrative network addresses that are allowed to access and administer the Software remotely.

x

x

x

x

b) Having the function to enforce the policy on limiting the administrative network addresses allowed to access and administer the above Remote Software.

x

x

x

x

2.3

Having the function of allowing decentralization and granting minimum rights to access, administer and use different resources of the Software with users/user groups with different functions and business requirements.

a) There is an interface that allows administrators to manage the policy on account delegation according to each group of accounts.

x

x

x

b) Classify account groups according to at least 03 groups:

i. General user account;

ii. Usage administration account;

iii. Management account for development and operation level.

x

x

x

c) Having the function of enforcing the policy of decentralization and granting minimum rights to access, administer and use different resources above.

x

x

x

2.4

There is a function that allows to set the minimum permissions (access rights, administration) for the application administrator account according to the authority.

a) There is an interface that allows administrators to set permissions for accounts.

x

x

x

b) There is a function to enforce the authorization policy for the above accounts.

x

x

x

2.5

There is a function that allows to change and separate the application administration portal from the application service provider portal.

c) There is an interface that allows administrators to manage policies on application administration portals and application service provisioning portals.

x

b) There is a function to enforce the policy of separating the application administration port from the application service provider port above.

x

2.6

There is a function that allows to temporarily lock the application administration during the period outside of working hours.

a) There is an interface that allows administrators to manage the policy about the time period allowed to perform administrative operations.

x

b) There is a function to enforce the policy on the time period that is allowed to perform the above system administration operations.

x

3.

System Logs

3.1

There is a function that allows the system to be logged with information.

a) The software provides a system logging function.

x

x

x

x

x

b) System logs are classified into at least 05 groups:

i. Software access logs;

ii. Log journal when administering the Software;

iii. Log errors arising during operation;

iv. Account management log;

v. Software configuration change log

x

x

x

3.2

There is a function that allows to manage and store system logs on a centralized management system.

a) There is an interface that allows administrators to manage syslog policies.

x

x

x

b) Allows the administrator to configure the log storage period via the above interface.

x

x

x

c) Store log with at least 05 information:

i. Date of birth of the diary;

ii. Log grouping;

iii. Description of the operation/error;

iv. The object that performs the operation/generates the error;

v. Critical level.

x

x

x

3.3

It has the function of allowing permission to access and manage system log data for accounts with different system administration functions.

a) There is an interface that allows administrators to manage the policy on account delegation according to each group of administrative accounts.

x

b) Having the function to enforce the above authorization policy.

x

4.

Application and source code security

4.1

There is a function that allows checking the validity of information and input data before processing.

Has the function of checking the validity of input information and data before processing

x

x

x

x

x

4.2

Functions to allow application protection against common attacks: SQL Injection, OS command injection, RFI, LFI, Xpath injection, XSS, CSRF

The software is checked, evaluated, penetration tested according to OWASP standards and does not exist weaknesses that allow attackers to exploit through the following types of attacks: SQL Injection, OS command injection, RFI, LFI, Xpath Injection, XSS, CSRF.

x

x

x

4.3

There is a function that allows error control, error messages from the application.

a) Having an error control function, displaying only controlled error messages to users and not displaying errors inside the system.

x

x

x

b) Has the function of displaying error messages to the user.

x

x

x

4.4

There is a function that allows to ensure that authentication information and confidential information are not stored on the application source code.

a) Authentication and secret information must not be entered directly into the application source code, but must be established through the system configuration interface.

x

x

x

x

5.

Confidentiality of contact information

5.1

Having a function that allows information and data to be encrypted before being transmitted or exchanged over the network environment (for applications requiring the use of digital signatures).

Has the function of allowing data to be encrypted before being transmitted and exchanged through the network environment using digital signatures.

x

x

x

6.

Backups

6.1

There is a function that allows automatic backup.

a) There is an interface that allows administrators to set policies on database backup and system configuration.

x

x

x

b) There is a function to allow backup according to the above policy.

x

x

x

6.2

There is a function that allows to label the type of stored data according to established rules.

a) There is an interface that allows administrators to manage policies on the classification of data stored by data groups.

x

x

b) There is a function that allows storing data according to the format name for each data type in the above section.

x

x

6.3

There is a function that allows configuration to send backup data to a centralized storage system.

a) There is an interface that allows administrators to configure to send backup data to the centralized storage system.

x

b) There is a function that allows manual backup of the database and system configuration to a centralized storage system.

x

c) Having a function that allows automatic backup of the database and system configuration to a centralized storage system.

x

d) Having the function to allow data recovery, system configuration from data stored on the centralized storage system.

x