From ad19e47bcf16bd3e6416628761cc3c5f66175772 Mon Sep 17 00:00:00 2001 From: "Bozawglanian, Hagop (hb755d)" Date: Mon, 17 Sep 2018 18:02:14 +0000 Subject: VNFRQTS - Reword and Move Security Batch 2 Including changes for VNFRQTS-335, 375, 376 Issue-ID: VNFRQTS-335 Change-Id: I1a41cfe71cc8adba322368490f8368e2ae64d65a Signed-off-by: Bozawglanian, Hagop (hb755d) --- docs/Chapter4/Security.rst | 79 +++++++++++++++++++++++----------------------- 1 file changed, 40 insertions(+), 39 deletions(-) (limited to 'docs/Chapter4/Security.rst') diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst index f35d4c7..2c3c47d 100644 --- a/docs/Chapter4/Security.rst +++ b/docs/Chapter4/Security.rst @@ -208,19 +208,6 @@ the product’s lifecycle. The VNF **MUST** support encrypted access protocols, e.g., TLS, SSH, SFTP. -.. req:: - :id: R-79107 - :target: VNF - :keyword: MUST - - The VNF **MUST**, if not using the NCSP's IDAM API, enforce - a configurable maximum number of Login attempts policy for the users. - VNF provider must comply with "terminate idle sessions" policy. - Interactive sessions must be terminated, or a secure, locking screensaver - must be activated requiring authentication, after a configurable period - of inactivity. The system-based inactivity timeout for the enterprise - identity and access management system must also be configurable. - .. req:: :id: R-35144 :target: VNF 
@@ -229,24 +216,6 @@ the product’s lifecycle. The VNF **MUST**, if not using the NCSP's IDAM API, comply with the NCSP's credential management policy. -.. req:: - :id: R-46908 - :target: VNF - :keyword: MUST - - The VNF **MUST**, if not using the NCSP's IDAM API, comply - with "password complexity" policy. When passwords are used, they shall - be complex and shall at least meet the following password construction - requirements: (1) be a minimum configurable number of characters in - length, (2) include 3 of the 4 following types of characters: - upper-case alphabetic, lower-case alphabetic, numeric, and special, - (3) not be the same as the UserID with which they are associated or - other common strings as specified by the environment, (4) not contain - repeating or sequential characters or numbers, (5) not to use special - characters that may have command functions, and (6) new passwords must - not contain sequences of three or more characters from the previous - password. - .. req:: :id: R-39342 :target: VNF @@ -308,6 +277,15 @@ the product’s lifecycle. testing tools or programs included in the VNF, e.g., password cracker, port scanner. +.. req:: + :id: R-21819 + :target: VNF + :keyword: MUST + :updated: casablanca + + The VNF **MUST** provide functionality that enables the Operator to comply + with requests for information from law enforcement and government agencies. + VNF Identity and Access Management Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -441,6 +419,37 @@ Identity and Access Management Requirements Access Management system, support Role-Based Access Control to enforce least privilege. +.. req:: + :id: R-46908 + :target: VNF + :keyword: MUST + :updated: casablanca + + The VNF **MUST**, if not integrated with the Operator's Identity + and Access Management system, comply with "password complexity" + policy. When passwords are used, they shall be complex and shall at + least meet the following password construction requirements: (1) be a + minimum configurable number of characters in length, (2) include 3 of + the 4 following types of characters: upper-case alphabetic, lower-case + alphabetic, numeric, and special, (3) not be the same as the UserID + with which they are associated or other common strings as specified + by the environment, (4) not contain repeating or sequential characters + or numbers, (5) not to use special characters that may have command + functions, and (6) new passwords must not contain sequences of three + or more characters from the previous password. + +.. req:: + :id: R-79107 + :target: VNF + :keyword: MUST + :updated: casablanca + + The VNF **MUST**, if not integrated with the Operator's Identity + and Access Management system, support the ability to disable the + userID after a configurable number of consecutive unsuccessful + authentication attempts using the same userID. + + VNF API Security Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -843,14 +852,6 @@ Security Analytics Requirements types of attacks, or integrate with tools that implement anomaly and abuse detection. -.. req:: - :id: R-21819 - :target: VNF - :keyword: MUST - - The VNF **MUST** support requests for information from law - enforcement and government agencies. - .. req:: :id: R-04492 :target: VNF -- cgit 1.2.3-korg
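
Review bot: In the first hunk (@@ -208,19 +208,6), the removed R-79107 text carried more than the login-attempt limit: it also required terminating idle interactive sessions (or activating a locking screensaver) after a configurable period of inactivity. The reworded R-79107 added under Identity and Access Management covers only disabling the userID after failed attempts, and nothing in the visible hunks re-adds the idle-session rule. Please confirm that it is covered by another requirement, or keep it as a separate requirement with its own ID rather than dropping it under the reused R-79107 number.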
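
Review bot: In the hunk at @@ -308,6 +277,15, the new R-21819 wording "provide functionality that enables the Operator to comply with requests for information" does not say what functionality is expected, so a VNF provider cannot tell what to build or how compliance would be tested. Suggest naming the capability the VNF has to expose, or pointing to the requirement that defines it. The move out of Security Analytics (last hunk) otherwise looks consistent with the removal there.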
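
Review bot: In the hunk at @@ -441,6 +419,37, the rewritten R-79107 requires disabling the userID after a configurable number of consecutive unsuccessful attempts but does not say how the userID is re-enabled or when the failure count resets. Without that, the requirement is hard to test, and a locked account has no defined recovery path. Suggest adding a sentence on re-enablement (administrator action or a configurable lockout period). Two smaller points in the same hunk: in R-46908, item (5) reads "not to use special characters", which breaks the parallel form of the other items ("not be", "not contain") and should be "not use"; and there are two blank lines before "VNF API Security Requirements" where the rest of the file uses one.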