Security Fields

Your solution may only need one security model profile.

Alternatively, if you have multiple environments, services, or more complicated requirements, you can create may security profiles.

Security is a cross-cutting concern. If you have different profiles, you can assign the relevant profile to specific items.

Authentication Methods
- What to enter: Specify the methods to verify the identity of users, devices, or systems (e.g., OAuth 2.0, SAML, OpenID Connect).
- Examples: "OAuth 2.0 and OpenID Connect for user authentication"
- References: OAuth , OpenID Connect .
Authorization Mechanisms
- What to enter: Define how user permissions are managed (e.g., Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC)).
- Examples: "RBAC for application roles, ABAC for database queries"
- References: NIST RBAC Guide .
Encryption At Rest
- What to enter: Confirm whether data is encrypted when stored.
- Examples: true (encryption is enabled).
- Guidance: Use AES-256 or similar standards.
Encryption In Transit
- What to enter: Confirm if encryption is enabled for data transmission.
- Examples: true (SSL/TLS is enabled).
- References: TLS Best Practices .
Encryption Algorithm
- What to enter: Specify the algorithm used for encryption.
- Examples: . "AES-256, RSA-2048"
Key Management Service
- What to enter: Identify the key management provider.
- Examples: "AWS KMS, Azure Key Vault, HashiCorp Vault".

Known Vulnerabilities
- What to enter: List any existing vulnerabilities affecting the system.
- Examples: ["CVE-2023-1234: SQL Injection in Service X"].
- References: National Vulnerability Database (NVD) .
Vulnerability Assessment Tools
- What to enter: List tools used to assess system vulnerabilities.
- Examples: "Nessus, OpenVAS, Acunetix".
Penetration Testing Frequency
- What to enter: Specify how often penetration tests are conducted.
- Examples: . "Quarterly, Annually"
Last Penetration Test Date
- What to enter: Enter the date the last penetration test was completed.
- Examples: "2023-06-15".
Threat Modelling Process
- What to enter: Describe how threats are identified and mitigated.
- Examples: "Adopted STRIDE approach for web applications."
- References: Microsoft’s STRIDE methodology: Threat Modelling .
Known Threats
- What to enter: List identified threats for the solution.
- Examples: "DDoS attacks, insider threats, credential stuffing".

Compliance Standards
- What to enter: Specify standards the system complies with.
- Examples: . ["ISO 27001", "PCI-DSS", "GDPR"]
- References: ISO 27001 , GDPR .
Data Masking Enabled
- What to enter: Indicate if sensitive data is masked in logs or databases.
- Examples: true.
Audit Trails Enabled
- What to enter: Confirm whether audit trails and logging are enabled.
- Examples: true.
Audit Log Retention Period
- What to enter: State how long logs are retained.
- Examples: . "90 days, 1 year"
& Firewall Enabled WAF Firewall Enabled
- What to enter: Confirm whether traditional firewalls and web application firewalls (WAFs) are in place.
- Examples: true.
- References: OWASP Guidance: OWASP Top Ten Risks .
Secure Software Development Lifecycle
- What to enter: Indicate whether security best practices are integrated into development.
- Examples: true.
- References: What is SSDLC .
Security Training Programme
- What to enter: Confirm if employees receive regular security awareness training.
- Examples: true.

Privileged Access Management
- What to enter: Describe how administrator privileges are managed.
- Examples: "Just-In-Time Access Management with Azure AD Privileged Identity Management."
Session Timeout Duration
- What to enter: Specify session expiration durations.
- Examples: "15 minutes of inactivity".
Multi Factor Authentication Required
- What to enter: Indicate if MFA is enforced for all users.
- Examples: true.
Is Access Granted With Least Privilege
- What to enter: Confirm whether users or systems are only granted the minimum access needed to perform their roles.
- Examples: true.

Incident Response Plan
- What to enter: Indicate if the organisation has a documented and rehearsed incident response plan.
- Examples: true.
Incident Response Last Tested
- What to enter: State the last date the incident response plan was tested.
- Example: "2023-06-30".
Monitoring Tools
- What to enter: List monitoring tools in use (e.g., for logs, alerts, or threats).
- Examples: "Splunk, Datadog, ELK Stack".

Data Classification
- What to enter: Categorise the data according to its sensitivity and security requirements.
- Examples: "Official, Official Sensitive, Public, Top Secret".
- References: UK’s classifications: Gov Data Classifications .
Holds PII Data
- What to enter: Confirm if the system stores Personally Identifiable Information (PII).
- Examples: true.
- Guidance: Ensure compliance with GDPR or equivalent local regulations.
PII Data Handling Policies
- What to enter: Describe policies for how PII is managed and protected.
- Examples: "PII data encryption at rest and anonymisation after 30 days."

Logging Standards
- What to enter: Identify logging standards (e.g., JSON format, ISO compliance).
- Examples: "Logs are ISO 27001 compliant and formatted in JSON."
Log Encryption Enabled
- What to enter: Confirm whether logs are encrypted.
- Examples: true.

API Security Standards
- What to enter: Specify security standards for APIs.
- Examples: . "OWASP API Security Top 10 compliance"
- References: OWASP API Security .
API Access Restrictions
- What to enter: Describe restrictions (e.g., IP allowlists, access tokens).
- Examples: "APIs accessible only via IP allowlists and secured using OAuth tokens."