If you are interviewing a vendor or issuing an RFP to develop custom software for the enterprise, there are numerous program, training, support, architecture, and security requirements that any enterprise-grade system should meet. Here is a checklist of questions to probe any vendor about the end-to-end maturity of their enterprise software development approach.
Support and Training
Transition and Decommissioning
User Experience and Usability
Application Auditing and Logging
Customization and Configuration
Availability, Resilience and Disaster Recovery
The client expects the IT system to adhere to the following availability and resilience metrics:
* Recovery Time Objective (RTO): 24 hours
* Recovery Point Objective (RPO): 24 hours. When data loss has occurred, the recovery point will be the last available backup.
* Retention of backups: 30 days
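A vendor can be asked to demonstrate these three metrics rather than just assert them. The following added example (not part of the checklist or any vendor's product) evaluates a backup catalog against the RTO, RPO and retention targets stated above; the catalog entries, evaluation time and restore-drill duration are constructed sample values.

```python
from datetime import datetime, timedelta

# Targets stated in the checklist: RTO 24 hours, RPO 24 hours (last available backup),
# backup retention 30 days.
RTO = timedelta(hours=24)
RPO = timedelta(hours=24)
RETENTION = timedelta(days=30)


def check_backup_catalog(backups, now, restore_drill_duration):
    """Evaluate a backup catalog against the RTO/RPO/retention targets.

    backups: list of (taken_at, removed_at) datetimes, one per backup copy;
             removed_at is None while the copy is still retained.
    now: evaluation time.
    restore_drill_duration: measured duration of the most recent restore test.
    Returns a list of violation strings; an empty list means compliant.
    """
    if not backups:
        return ["no backups recorded"]
    violations = []

    # RPO: worst-case data loss equals the age of the newest backup.
    newest_taken = max(taken for taken, _ in backups)
    age = now - newest_taken
    if age > RPO:
        violations.append(f"RPO exceeded: newest backup is {age} old (limit {RPO})")

    # Retention: a copy removed less than 30 days after it was taken breaks the policy.
    for taken, removed in backups:
        if removed is not None and removed - taken < RETENTION:
            violations.append(
                f"retention violated: backup from {taken:%Y-%m-%d} removed after {removed - taken}"
            )

    # RTO: the most recent restore drill must complete within the objective.
    if restore_drill_duration > RTO:
        violations.append(
            f"RTO exceeded: last restore took {restore_drill_duration} (limit {RTO})"
        )
    return violations


# Constructed scenarios (not real data) for a daily backup schedule evaluated on 2024-01-31 01:00.
NOW = datetime(2024, 1, 31, 1, 0)
COMPLIANT = [(datetime(2024, 1, 29, 2, 0), None), (datetime(2024, 1, 30, 2, 0), None)]
MISSED_BACKUP = [(datetime(2024, 1, 29, 2, 0), None)]  # newest copy is 47 hours old
EARLY_PURGE = COMPLIANT + [(datetime(2024, 1, 1, 2, 0), datetime(2024, 1, 20, 2, 0))]
FAST_RESTORE = timedelta(hours=6)
SLOW_RESTORE = timedelta(hours=30)


def run_scenarios():
    """Return the violations found for each constructed scenario."""
    return {
        "compliant": check_backup_catalog(COMPLIANT, NOW, FAST_RESTORE),
        "missed_backup": check_backup_catalog(MISSED_BACKUP, NOW, FAST_RESTORE),
        "early_purge": check_backup_catalog(EARLY_PURGE, NOW, FAST_RESTORE),
        "slow_restore": check_backup_catalog(COMPLIANT, NOW, SLOW_RESTORE),
    }


if __name__ == "__main__":
    for name, found in run_scenarios().items():
        print(name, "->", found or "compliant")
```

The RTO check deliberately uses a measured restore drill rather than a documented target, since a restore that has never been timed is the usual gap behind an unmet RTO.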
The client requires evidence that you are recording security events occurring on your technology components (wired or wireless) including:
* Servers (Database, Web and Midtier (‘web/app’), DNS, Proxy, File, etc…)
* Network Infrastructure (Storage, Switch (physical and virtual), Router, Software Defined Network Devices (‘SDN’), network appliances, etc…)
* Security Infrastructure (Firewall, Central Security Log Management solution, etc…)
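"Evidence that you are recording security events" is easiest to verify as a coverage check: every component class in the list above should have sent at least one event to the central log store recently. The added example below (not from the checklist or any product) runs such a check over a handful of constructed syslog-style lines; the line format `<ISO-8601 time> <host> role=<role> <message>` and the 24-hour silence threshold are assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Component classes named in the checklist, as the role tag we expect on their events.
REQUIRED_ROLES = {
    "database", "web", "app", "dns", "proxy", "file",   # servers
    "storage", "switch", "router", "sdn",               # network infrastructure
    "firewall", "log-management",                       # security infrastructure
}

# Assumed event format for this example: "<ISO-8601 time> <host> role=<role> <message>".
LINE_RE = re.compile(r"^(\S+) (\S+) role=(\S+) (.*)$")

# Constructed sample events (not from a real system). The proxy tier sends nothing
# and the SDN controller last reported more than a day ago.
SAMPLE_EVENTS = """\
2024-03-10T08:00:00 db01 role=database auth: login failed for user app_ro
2024-03-10T08:05:00 web01 role=web tls: handshake rejected, expired client cert
2024-03-10T08:06:00 app01 role=app audit: config change by admin
2024-03-10T08:07:00 ns01 role=dns query refused from 10.0.9.9
2024-03-10T08:09:00 fs01 role=file share permission changed
2024-03-10T08:10:00 san01 role=storage lun mapping changed
2024-03-10T08:11:00 sw01 role=switch port security violation ge-0/0/3
2024-03-10T08:12:00 rt01 role=router bgp neighbor reset
2024-03-10T08:13:00 fw01 role=firewall deny tcp 203.0.113.5 -> 10.0.1.2:22
2024-03-10T08:14:00 siem01 role=log-management forwarder heartbeat
2024-03-08T23:00:00 sdn01 role=sdn controller policy pushed
this line does not follow the expected format and is skipped
"""
EVAL_TIME = datetime(2024, 3, 10, 9, 0)


def latest_event_per_role(text):
    """Map each role seen in the events to the timestamp of its most recent event."""
    latest = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are ignored rather than counted as evidence
        ts = datetime.fromisoformat(m.group(1))
        role = m.group(3)
        if role not in latest or ts > latest[role]:
            latest[role] = ts
    return latest


def coverage_report(text, now, max_silence=timedelta(hours=24)):
    """Classify each required role as 'ok', 'stale' (silent longer than max_silence) or 'missing'."""
    latest = latest_event_per_role(text)
    report = {}
    for role in sorted(REQUIRED_ROLES):
        if role not in latest:
            report[role] = "missing"
        elif now - latest[role] > max_silence:
            report[role] = "stale"
        else:
            report[role] = "ok"
    return report


if __name__ == "__main__":
    for role, status in coverage_report(SAMPLE_EVENTS, EVAL_TIME).items():
        print(f"{role:15} {status}")
```

A "stale" source is the more useful finding of the two: a component that once logged and then went silent usually means a broken forwarder or a changed address, which is exactly the gap an incident investigation later trips over.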
Operational security requires oversight of the functional security mechanisms within the IT system and the technical infrastructure supporting it. The client expects a plan for responding to a cybersecurity incident methodically.
A technical flaw or weakness (a "vulnerability") in the hardware, software, or firmware that a technology-based solution depends on can compromise the IT security measures if it is accidentally triggered or intentionally exploited. Technical vulnerabilities must be continuously mitigated so that the IT security controls remain effective and the client's digital information assets are not lost.
Encryption and Integrity Protection
Secure Component Configuration
The client expects this solution to use fully patched, up-to-date operating systems, BIOS, and firmware; disable unnecessary services; use endpoint protection (i.e. anti-virus / anti-malware); change default passwords; and use Network Time Protocol (NTP).
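The configuration expectations above, together with the earlier requirement that vulnerabilities be continuously mitigated, can be expressed as a baseline that each host in the solution is evaluated against. The following added example (not the checklist's own, nor any vendor's tooling) scores a constructed two-host inventory; the patch-age limit, the per-severity remediation SLAs and the per-role list of allowed services are assumptions, since the checklist states the expectations without numbers.

```python
from dataclasses import dataclass, field

# Thresholds assumed for this example; the checklist says "fully patched" and
# "continuously mitigated" without numbers, so an RFP response would state its own.
MAX_PATCH_AGE_DAYS = 30
VULN_SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
# Services a host of each role legitimately needs; anything else is "unnecessary" (assumed).
ALLOWED_SERVICES = {"web": {"https", "ssh"}, "database": {"postgres", "ssh"}}


@dataclass
class Host:
    name: str
    role: str
    os_patch_age_days: int
    firmware_patch_age_days: int
    services: set
    endpoint_protection: bool
    default_credentials_changed: bool
    ntp_configured: bool
    open_vulns: list = field(default_factory=list)  # (severity, days_open) pairs


def evaluate_host(host):
    """Return the baseline findings for one host; an empty list means compliant."""
    findings = []
    if host.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"os patches {host.os_patch_age_days} days behind")
    if host.firmware_patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"bios/firmware {host.firmware_patch_age_days} days behind")
    extra = host.services - ALLOWED_SERVICES.get(host.role, set())
    if extra:
        findings.append(f"unnecessary services enabled: {sorted(extra)}")
    if not host.endpoint_protection:
        findings.append("no endpoint protection")
    if not host.default_credentials_changed:
        findings.append("default credentials unchanged")
    if not host.ntp_configured:
        findings.append("ntp not configured")
    # Continuous mitigation: any open vulnerability past its severity SLA is a finding.
    for severity, days_open in host.open_vulns:
        sla = VULN_SLA_DAYS[severity]
        if days_open > sla:
            findings.append(f"{severity} vulnerability open {days_open} days (sla {sla})")
    return findings


def evaluate_fleet(hosts):
    """Map host name to its findings."""
    return {h.name: evaluate_host(h) for h in hosts}


# Constructed inventory: one host that meets the baseline and one that misses it broadly.
SAMPLE_FLEET = [
    Host("web01", "web", 5, 10, {"https", "ssh"}, True, True, True, [("high", 3)]),
    Host("db02", "database", 45, 400, {"postgres", "ssh", "telnet"}, False, False, False,
         [("critical", 20), ("low", 10)]),
]


if __name__ == "__main__":
    for name, findings in evaluate_fleet(SAMPLE_FLEET).items():
        print(name, "->", findings or "compliant")
```

Feeding this from a real inventory (patch reports, listening-port scans, vulnerability scanner exports) turns the checklist item into a repeatable control rather than a one-time attestation.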
Secure Code Development