Required Artifacts

Columns in the source worksheet: Security Requirement | Required before go-live? | Status | Responsible | Remarks. Every item below is marked "Yes" in the go-live column; Status and Responsible are filled in per item. Remarks recorded in the worksheet are shown with their item.

Security Artifacts
  - Is a Data Clean Room (DCR) needed for testing and migration?
    Remark: if yes, a separate DCR vetting is needed.
  - VAPT result for the APIs (no open findings rated Medium or higher).
  - Security attestation/report, for both the application and the platform (for SaaS).
  - Access integrated with the Bank's AD.

User and Admin Access to Systems
  - System local/native access (break glass).
  - System access via VPN (admin and user access).
  - Approved User Access Matrix (UAM).

Secure System Integration
  - Reviewed firewall policies.
  - PrivateLink artifacts.
  - Site-to-Site VPN artifacts.

Data Security and Protection
  - Data-in-transit encryption.
  - Data-at-rest encryption.
  - PCI DSS requirements: data masking.

Logging Requirements (access log etc.)
  - Access logs.
  - Application logs.
  - Audit logs.
  - SIEM integration.

All provisioned resources (e.g. EC2, S3, RDS) are built from the standard golden images and carry the required security tools.
  Remark: see the per-resource worksheets below for the requirements for each resource type.

Security Incident Management Procedure.
S3 Security Artifacts

Columns in the source worksheet: Security Requirement | Required Artifacts | Status of Artifacts (Completed / Not Completed) | Questions. Each requirement is listed with the artifact that evidences it; status and questions are recorded per row.

1. S3 is managed from UnionBank's network and the AWS Control Tower landing zone and is not exposed to the Internet (no public access).
   Artifact: screenshots of the users with management privileges on the S3 bucket or the AWS account.

2. Implement least-privilege access. Access management follows the Bank's IAM and bucket-policy standard.
   Artifact: screenshots of users, roles, permissions and policies.

3. Permissions are stated explicitly in policy, with no wildcard (*) actions or principals.
   Artifact: screenshots of permissions and policies.

4. User/service accounts and IAM users/roles used by the Partner can access only the specific directory (prefix) assigned to them.
   Artifact: screenshots of permissions and policies.

5. IAM users/roles used by a specific UBP user or admin can access only the specific directory assigned to them.
   Artifact: screenshots of permissions and policies.

6. Service accounts used by any non-human S3 consumer can access only the specific directory assigned to them.
   Artifact: screenshots of permissions and policies.

7. Only the specific actions needed are allowed, for the specific user/account, on the specific resource/folder.
   Artifact: screenshots of permissions and policies.

8. Access control lists (ACLs) are applied to each bucket and each object.
   Note: buckets created with the current default Object Ownership setting (bucket owner enforced) have ACLs disabled and reject ACL grants; for those buckets the bucket policy and IAM grants are the evidence for this row.
   Artifact: screenshots of permissions/ACLs and policies.

9. Management access to the S3 bucket is protected by MFA.
   Artifact: screenshot of user settings with MFA enabled.

10. Data and files in S3 are encrypted at rest and in transit:
    a. If cardholder information is handled, the 16-digit credit or debit card number (PAN) must not be readable anywhere; ensure PCI DSS compliance.
    b. AES-256 for storage; TLS 1.2 or higher (AES-256 cipher suites) for transmission.
    c. SHA-512 for hashing. For PANs this must be a keyed hash (HMAC-SHA-512) with a protected key; an unkeyed hash of a PAN can be reversed by enumerating the account numbers behind a known BIN.
    d. S3 accepts only encrypted connections over HTTPS (TLS 1.2 or higher), enforced with the aws:SecureTransport condition in the bucket policy. Disable l
    Artifact: screenshots of the bucket-level encryption settings (data at rest) and of the encrypted protocol in use, e.g. TLS 1.2 (data in transit).

11. Encryption uses the Bank's AWS KMS key; the Partner account is only allowed to reference the Bank's KMS key to encrypt and decrypt.
    Artifact: screenshot of the encryption settings pointing to the Bank's KMS key.

12. Access keys used by systems are rotated regularly (every 90 days).
    Artifact: screenshot of the encryption settings pointing to the Bank's KMS key.

13. Logging and alerting via CloudTrail and CloudWatch are enabled.
    Artifact: screenshots of logs forwarded to the S3 bucket used for centralized logging.

14. IP address whitelisting is implemented between UB AWS S3 and destination1.
    Artifact: screenshot of IP/URL filtering and whitelisting for both S3 and the firewall.
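The S3 rows above (least privilege without wildcards, partner confined to one prefix, HTTPS only via aws:SecureTransport, Bank-KMS-only encryption, IP whitelisting) can all be expressed in a single bucket policy and checked mechanically before the screenshots are taken. The following is an added example written for this page, not a policy from the Bank or the Partner: it builds such a policy and lints it against those rules. The bucket name, account IDs, KMS key ARN, partner role ARN and CIDR range are hypothetical placeholders.

```python
"""Build a least-privilege S3 bucket policy for a partner exchange bucket and lint it
against the checklist rules. All names/ARNs below are hypothetical placeholders."""
import json

BUCKET = "ubp-partner-exchange"                                   # hypothetical bucket
BANK_KMS_KEY = ("arn:aws:kms:ap-southeast-1:111111111111:key/"
                "11111111-2222-3333-4444-555555555555")           # hypothetical bank key
PARTNER_ROLE = "arn:aws:iam::222222222222:role/PartnerUploadRole"  # hypothetical partner role
PARTNER_PREFIX = "partner-a/"                                     # the one folder the partner may use
PARTNER_CIDRS = ["203.0.113.0/24"]                                # hypothetical partner egress range


def build_bucket_policy(bucket, partner_role, prefix, kms_key, partner_cidrs):
    """Return the bucket policy as a dict (json.dumps it for put-bucket-policy)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {   # Partner may list only its own folder (s3:prefix condition)
            "Sid": "PartnerListOwnPrefix", "Effect": "Allow",
            "Principal": {"AWS": partner_role}, "Action": "s3:ListBucket", "Resource": arn,
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        {   # Partner may read/write objects only under its folder; explicit actions, no s3:*
            "Sid": "PartnerObjectsOwnPrefix", "Effect": "Allow",
            "Principal": {"AWS": partner_role}, "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"{arn}/{prefix}*"},
        {   # IP whitelisting: the partner role is denied from any other source address
            "Sid": "DenyPartnerOutsideWhitelist", "Effect": "Deny",
            "Principal": {"AWS": partner_role}, "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": partner_cidrs}}},
        {   # Only encrypted connections: deny every request that is not over TLS
            "Sid": "DenyInsecureTransport", "Effect": "Deny",
            "Principal": "*", "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {   # Uploads must be SSE-KMS with the bank's key; a missing header also fails StringNotEquals
            "Sid": "DenyNonBankKmsKey", "Effect": "Deny",
            "Principal": "*", "Action": "s3:PutObject", "Resource": f"{arn}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key}}},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passes the checklist rules."""
    findings, statements = [], policy.get("Statement", [])
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue                                   # wildcards inside Deny statements are fine
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"{sid}: Allow granted to anonymous principal '*'")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:                          # catches "*", "s3:*" and "s3:Put*"
                findings.append(f"{sid}: wildcard action '{action}'")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":                        # "bucket/prefix/*" object globs are normal; bare * is not
                findings.append(f"{sid}: wildcard resource '*'")
    if not any(s.get("Effect") == "Deny" and str(s.get("Condition", {}).get("Bool", {})
               .get("aws:SecureTransport", "")).lower() == "false" for s in statements):
        findings.append("missing Deny for aws:SecureTransport=false (plain HTTP accepted)")
    if not any(s.get("Effect") == "Deny" and "s3:x-amz-server-side-encryption-aws-kms-key-id"
               in s.get("Condition", {}).get("StringNotEquals", {}) for s in statements):
        findings.append("missing Deny for uploads not encrypted with the bank KMS key")
    return findings


# Constructed counter-example: the kind of policy the checklist rejects
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PartnerFullAccess", "Effect": "Allow",
     "Principal": {"AWS": PARTNER_ROLE}, "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    good = build_bucket_policy(BUCKET, PARTNER_ROLE, PARTNER_PREFIX, BANK_KMS_KEY, PARTNER_CIDRS)
    print(json.dumps(good, indent=2))
    print("good policy:", lint_policy(good) or "no findings")
    print("weak policy:", lint_policy(WEAK_POLICY))
```

The partner's Allow statements name the exact actions and the exact prefix, so the lint only has to reject Allow statements with wildcards and confirm the two global Deny statements are present. Keep the IP Deny scoped to the partner principal: a bucket-wide aws:SourceIp Deny also blocks the Bank's own roles that reach S3 through a VPC endpoint, whose requests carry no public source address.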
EC2 (UAT & PROD) Security Artifacts

Columns in the source worksheet: Security Requirement | Required Artifacts | Status of Artifacts (Completed / Not Completed) | Questions.

A. File server hardening: ensure the following controls are in place.
   1. Use the golden image and a hardened OS.
      Artifact: screenshot of the installed image.
   2. Install CrowdStrike, Splunk and McAfee DLP.
      Artifact: screenshot of CrowdStrike, Splunk and DLP.
   3. Logging is configured to push logs to the SIEM (Splunk) for auditing.
      Artifact: screenshot of the syslog config or Splunk agent.
   4. Authentication: key-pair (SSH public key) authentication only; no password logins.
      Artifact: screenshot.
   5. Ensure connectivity to the Patch Management System.
   6. The server has no pending vulnerabilities.
      Artifact: VA scan reports and proof of remediation of the vulnerabilities.
B. Secured connection.
   Artifact: screenshot of the allowed policies (HTTPS).
C. IP and service whitelisting: nominate static IPs for whitelisting.
   Artifact: screenshot of the allowed policies in the firewall and network security groups.
D. Data and file encryption: files/data containing PII are encrypted at the source and decrypted at the target.
   a. If cardholder information is handled, the 16-digit credit or debit card number must not be readable anywhere; ensure PCI DSS compliance.
      Artifact: walkthrough of how the files were encrypted/redacted.
   b. AES-256 for data transmission and storage.
      Artifact: screenshot of the encryption setting.
   c. SHA-512 for hashing (for card numbers, a keyed hash with a protected key).
      Artifact: screenshot of the encryption setting.
E. Full audit logging/visibility of the file transfers.
   Artifact: screenshots of logs.
F. Access management
   1. User and/or service accounts used by the Exus servers can access only the specific directory/folder assigned to them.
      Artifact: screenshot of the directory access list/config.
   2. Service accounts used by other systems (i.e. TSYS, Finacle) are restricted in the same way.
      Artifact: screenshot of the directory access list/config.
   3. Management accounts for infrastructure/servers must originate from the UB network; management of infra/servers must not be reachable by anyone on the public Internet.
      Artifact: demo/walkthrough.
   4. Management access is protected by MFA.
      Artifact: screenshot of the admin-access SAML config.
G. Logging: install the Splunk agent on the server or forward syslog to the Splunk log collector. There will also be application/file-level logging by RPA.
   Artifact: screenshot of the installed Splunk agent or syslog config.
H. Server backup.
   Artifact: screenshots of the backup config.
RDS Security Artifacts

Columns in the source worksheet: Security Requirement | Required Artifacts | Status of Artifacts (Completed / Not Completed) | Remarks.

1. RDS is managed from UnionBank's network and not exposed to the Internet (the instance is not publicly accessible).
   Artifact: screenshots of the users with management privileges on the RDS instance.
2. Access management follows the Bank's IAM and DB policy standard.
   Artifact: screenshots of users, roles, permissions and policies.
3. Permissions are stated explicitly in policy, with no wildcard (*).
   Artifact: screenshots of the RDS policies/permissions.
4. Management access to RDS is protected by MFA.
   Artifact: screenshot of user settings with MFA enabled.
5. Service accounts used by UB/CITI/Vendor can access only the specific database objects (the worksheet says "directory/folder") assigned to them.
   Artifact: screenshots of RDS users, roles, permissions and policies.
6. Service accounts used by any RDS instance can access only what is assigned to them.
   Artifact: screenshots of RDS users, roles, permissions and policies.
7. DB/RDS account inventory
   a. Actively manage the life cycle of accounts (creation, use, dormancy, deletion) to minimize the opportunities for attackers to leverage them.
      Artifact: screenshot of the IAM settings per user.
   b. Identify admins and users via the User Access Matrix, including role-based access; access is approved by the product owner.
      Artifact: copy of the UAM.
8. Management access for RDS must originate from the UB network; management of infra/servers must not be reachable by anyone on the public Internet.
   Artifact: screenshots of the users with management privileges on the RDS, which must be integrated with AD.
9. Secured connection: allow only encrypted connections (TLS 1.2 or higher) to DB instances. The worksheet says HTTPS, but database clients do not use HTTP; enforce TLS through the engine parameter (e.g. rds.force_ssl for PostgreSQL and SQL Server, require_secure_transport for MySQL/MariaDB).
   Artifact: screenshot of the secure-connection settings.
10. Encryption
   a. Use/enable Amazon RDS encryption to secure DB instances and snapshots at rest.
      Artifact: screenshot of the encryption settings.
   b. Use native network encryption and Transparent Data Encryption (TDE) with Oracle DB instances.
      Artifact: screenshot of the encryption settings.
   c. Access keys and credentials used by systems (e.g. EC2, RDS) that use the databases are rotated regularly.
      Artifact: screenshot of the encryption settings pointing to the Bank's KMS or to Secrets Manager.
11. IP and service address whitelisting: use security groups/firewalls to control which IP addresses or Amazon EC2 instances can connect to databases on a DB instance.
    Artifact: copy of the network security groups and firewall policies.
12. Data and files in RDS are encrypted at rest and in transit.
    Artifact: screenshot of the encryption settings.
    a. If cardholder information is handled, the 16-digit credit or debit card number must not be readable anywhere; ensure PCI DSS compliance.
       Artifact: screenshot of the encryption settings.
    b. AES-256 for data transmission and storage.
       Artifact: screenshot of the encryption settings.
    c. SHA-512 for hashing (for card numbers, a keyed hash with a protected key).
       Artifact: screenshot of the encryption settings.
13. Logging and alerting via CloudTrail and CloudWatch are enabled.
    Artifact: screenshots of the CloudTrail and CloudWatch settings.
14. RDS backup is implemented.
    Artifact: screenshot of the backup settings.
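Most RDS rows above (not publicly accessible, encrypted at rest with a Bank KMS key, TLS forced on client connections, security-group whitelisting, backups enabled) map to specific fields of the describe_db_instances, describe_db_parameters and describe_security_groups API responses. The following is an added example written for this page, not a tool from the Bank: it checks constructed stand-ins for those responses so it runs offline; the instance names, parameter-group names, security-group IDs and the Bank's KMS ARN prefix are hypothetical. Oracle's network encryption and TDE are configured through option groups and are only reported as unchecked here.

```python
"""Check RDS posture items from the checklist against the shapes returned by
describe_db_instances / describe_db_parameters / describe_security_groups.
All API data below is constructed for the example; no AWS call is made."""

BANK_KMS_PREFIX = "arn:aws:kms:ap-southeast-1:111111111111:"    # hypothetical bank account KMS ARNs

# Engine parameter that forces TLS on client connections (Oracle uses an option group instead)
FORCE_TLS_PARAM = {"postgres": "rds.force_ssl", "sqlserver": "rds.force_ssl",
                   "mysql": "require_secure_transport", "mariadb": "require_secure_transport"}


def _engine_family(engine):
    return engine.split("-")[0]          # "sqlserver-se" -> "sqlserver", "oracle-ee" -> "oracle"


def _open_to_world(sg):
    """True if any ingress rule admits 0.0.0.0/0 or ::/0, i.e. no IP whitelisting."""
    for rule in sg.get("IpPermissions", []):
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
        if any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", [])):
            return True
    return False


def check_instance(inst, params_by_group, sgs_by_id):
    """Return findings for one DBInstance dict; an empty list means it passes these checks."""
    name, findings = inst["DBInstanceIdentifier"], []
    if inst.get("PubliclyAccessible"):
        findings.append(f"{name}: PubliclyAccessible=true (must be reachable only from the bank network)")
    if not inst.get("StorageEncrypted"):
        findings.append(f"{name}: storage and snapshots are not encrypted at rest")
    elif not str(inst.get("KmsKeyId", "")).startswith(BANK_KMS_PREFIX):
        findings.append(f"{name}: encrypted, but not with a bank KMS key ({inst.get('KmsKeyId')})")
    if inst.get("BackupRetentionPeriod", 0) < 1:
        findings.append(f"{name}: automated backups disabled (BackupRetentionPeriod=0)")
    family = _engine_family(inst.get("Engine", ""))
    param = FORCE_TLS_PARAM.get(family)
    if param is None:
        findings.append(f"{name}: {family} TLS enforcement (option group, e.g. Oracle NNE/TDE) not checked here")
    else:
        values = [p.get("ParameterValue") for g in inst.get("DBParameterGroups", [])
                  for p in params_by_group.get(g["DBParameterGroupName"], [])
                  if p.get("ParameterName") == param]
        if not any(str(v).upper() in ("1", "ON") for v in values):
            findings.append(f"{name}: {param} is not enabled, unencrypted client connections accepted")
    for sg_ref in inst.get("VpcSecurityGroups", []):
        if _open_to_world(sgs_by_id.get(sg_ref["VpcSecurityGroupId"], {})):
            findings.append(f"{name}: security group {sg_ref['VpcSecurityGroupId']} allows ingress from anywhere")
    return findings


# Constructed describe_db_parameters results, keyed by parameter group name
PARAMS = {
    "ubp-postgres15-tls": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}],
    "default.mysql8.0":   [{"ParameterName": "require_secure_transport", "ParameterValue": "OFF"}],
}
# Constructed describe_security_groups results, keyed by group id
SECURITY_GROUPS = {
    "sg-0bank": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                    "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    "sg-0open": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}
# Constructed describe_db_instances entries: one compliant, one that fails every check
COMPLIANT = {"DBInstanceIdentifier": "ubp-core-prod", "Engine": "postgres", "PubliclyAccessible": False,
             "StorageEncrypted": True, "KmsKeyId": BANK_KMS_PREFIX + "key/aaaa-bbbb", "BackupRetentionPeriod": 35,
             "DBParameterGroups": [{"DBParameterGroupName": "ubp-postgres15-tls", "ParameterApplyStatus": "in-sync"}],
             "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bank", "Status": "active"}]}
WEAK = {"DBInstanceIdentifier": "vendor-uat", "Engine": "mysql", "PubliclyAccessible": True,
        "StorageEncrypted": False, "BackupRetentionPeriod": 0,
        "DBParameterGroups": [{"DBParameterGroupName": "default.mysql8.0", "ParameterApplyStatus": "in-sync"}],
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0open", "Status": "active"}]}

if __name__ == "__main__":
    for inst in (COMPLIANT, WEAK):
        print(inst["DBInstanceIdentifier"], check_instance(inst, PARAMS, SECURITY_GROUPS) or ["compliant"])
```

To run it against a real account, feed boto3's describe_db_instances()["DBInstances"], describe_db_parameters() per parameter group and describe_security_groups() output into the same three arguments. Note that rds.force_ssl only takes effect after the parameter group is applied (ParameterApplyStatus in-sync), so an instance showing pending-reboot still accepts plaintext connections.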
SFTP Server (UAT & PROD) Security Artifacts

Columns in the source worksheet: Security Requirement | Required Artifacts | Status of Artifacts (Completed / Not Completed) | Remarks.

A. File server hardening: ensure the following controls are in place.
   1. Use the golden image and a hardened OS.
      Artifact: screenshot of the installed image.
   2. Install CrowdStrike, Splunk and McAfee DLP.
      Artifact: screenshot of CrowdStrike, Splunk and DLP.
   3. Logging is configured to push logs to the SIEM (Splunk) for auditing.
      Artifact: screenshot of the syslog config or Splunk agent.
   4. Authentication: key-pair (SSH public key) authentication only; no password logins.
      Artifact: screenshot.
   5. Ensure connectivity to the Patch Management System.
   6. The server has no pending vulnerabilities.
      Artifact: VA scan reports and proof of remediation of the vulnerabilities.
B. Secured connection: file transfer uses only a secure protocol, HTTPS or SFTP.
   Artifact: screenshot of the allowed policies (HTTPS or SFTP only).
C. IP and service whitelisting: nominate static IPs for whitelisting.
   Artifact: screenshot of the allowed policies in the firewall and network security groups.
D. Data and file encryption: files/data containing PII are encrypted at the source and decrypted at the target.
   a. If cardholder information is handled, the 16-digit credit or debit card number must not be readable anywhere; ensure PCI DSS compliance.
      Artifact: walkthrough of how the files were encrypted/redacted.
   b. AES-256 for data transmission and storage.
      Artifact: screenshot of the encryption setting.
   c. SHA-512 for hashing (for card numbers, a keyed hash with a protected key).
      Artifact: screenshot of the encryption setting.
E. Full audit logging/visibility of the file transfers.
   Artifact: screenshots of logs.
F. Access management
   1. User and/or service accounts used by eXUS can access only the specific directory/folder assigned to them.
      Artifact: screenshot of the directory access list/config.
   2. User and/or service accounts used by UBP RPA can access only the specific directory assigned to them.
      Artifact: screenshot of the directory access list/config.
   3. Service accounts used by other systems (i.e. TSYS, Finacle) are restricted in the same way.
      Artifact: screenshot of the directory access list/config.
   4. Management accounts for infrastructure/servers must originate from the UB network; management of infra/servers must not be reachable by anyone on the public Internet.
      Artifact: demo/walkthrough.
   5. Management access is protected by MFA.
      Artifact: screenshot of the admin-access SAML config.
G. File server account inventory
   1. Actively manage the life cycle of accounts (creation, use, dormancy, deletion) to minimize the opportunities for attackers to leverage them.
      Artifact: screenshot of the config showing that all users are integrated with AD/O365.
   2. Identify admins and users via the User Access Matrix, including role-based access; access is approved by the product owner.
      Artifact: copy of the UAM.
H. File archive/purging: as indicated in the solution, the file server only stores files for a specific time (which also saves hardware/storage space).
   Artifact: screenshot of the purging config/policy.
I. Logging: install the Splunk agent on the server or forward syslog to the Splunk log collector. There will also be application/file-level logging by RPA.
   Artifact: screenshot of the installed Splunk agent or syslog config.
J. SFTP server backup.
   Artifact: screenshots of the backup config.
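The EC2 and SFTP hardening rows (A.4 key-pair authentication, E full audit logging of transfers, F per-account confinement to an assigned directory) all come down to a handful of sshd_config settings, and the screenshot artifacts are easier to produce and review if those settings are checked mechanically. The following is an added example written for this page, not a script or configuration from the Bank: it parses an sshd_config and audits it against those rows, using a constructed hardened sample and a constructed weak sample. The group name sftponly and the chroot path /srv/sftp/%u are hypothetical.

```python
"""Audit an sshd_config for the EC2/SFTP hardening items: key-pair-only authentication and
SFTP accounts confined (chroot) to their assigned directory. Follows sshd's rule that the
first value set for a keyword wins; Match blocks are kept separately. The two configs
below are constructed samples for this example, not taken from any real server."""
import re

HARDENED = """\
# constructed sample: hardened file-transfer host
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -f AUTHPRIV -l INFO
    AllowTcpForwarding no
    X11Forwarding no
"""

WEAK = """\
# constructed sample: stock config plus a convenience tweak
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keys are lower-cased keywords."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        m = re.match(r"(\S+?)(?:\s+|\s*=\s*)(.+)", line)  # "Keyword value" or "Keyword=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
        elif current is not None:
            current["settings"].setdefault(key, value)
        else:
            global_settings.setdefault(key, value)        # first occurrence wins, as in sshd
    return global_settings, match_blocks


def audit_sshd(text, sftp_host=True):
    """Return findings for the checklist items; an empty list means the config passes."""
    g, matches = parse_sshd_config(text)
    findings = []
    if g.get("passwordauthentication", "yes") != "no":       # sshd default is yes
        findings.append("PasswordAuthentication is not 'no' (key-pair authentication not enforced)")
    if g.get("kbdinteractiveauthentication", g.get("challengeresponseauthentication", "yes")) != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM can still prompt for a password)")
    if g.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if g.get("permitrootlogin", "prohibit-password") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root password login")
    if sftp_host:
        sub = g.get("subsystem", "")
        if not sub.startswith("sftp internal-sftp"):
            findings.append("Subsystem sftp is not internal-sftp (needed for a binary-free chroot)")
        if "-l" not in sub:
            findings.append("sftp subsystem has no -l log level: per-file transfer operations are not logged")
        confined = [m for m in matches if "chrootdirectory" in m["settings"]
                    and m["settings"].get("forcecommand", "").startswith("internal-sftp")
                    and m["settings"].get("allowtcpforwarding", "yes") == "no"]
        if not confined:
            findings.append("no Match block confining SFTP accounts with ChrootDirectory, "
                            "ForceCommand internal-sftp and AllowTcpForwarding no")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_sshd(HARDENED) or "no findings")
    print("weak:", *audit_sshd(WEAK), sep="\n  ")
```

Two caveats when collecting the artifacts. The ChrootDirectory itself must be owned by root and not writable by anyone else, so each user gets a writable subdirectory inside /srv/sftp/<user> rather than the chroot root. And a chrooted internal-sftp can only reach syslog if a log socket exists inside the chroot (rsyslog imuxsock AddUnixListenSocket, or the equivalent); without it the -l INFO events are silently dropped and the "full audit logging" row has nothing behind it.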
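The S3, EC2, RDS and SFTP worksheets each carry the same PCI DSS row: if cardholder data is handled, the 16-digit card number must not be readable anywhere, with SHA-512 named for hashing. The following is an added example written for this page, not code from the Bank or its partners, showing what "not readable" looks like in practice: masking a PAN to its first six and last four digits, redacting Luhn-valid PANs out of free text such as logs or transfer files, and producing a keyed SHA-512 (HMAC) token where a stable lookup value is still needed. The sample log line and the key are constructed; in production the key comes from the Bank's KMS or Secrets Manager, never from the code.

```python
"""Render PANs unreadable as the PCI DSS row requires: mask for display and logs, redact
from free text, and tokenize with a keyed SHA-512 where a lookup value is needed.
The sample log line and key below are constructed for this example."""
import hashlib
import hmac
import re

# Candidate PAN: 13..19 digits, optionally separated by single spaces or dashes
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn (mod 10) check; rejects most non-card digit runs such as reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the BIN (first 6) and last 4, which PCI DSS permits to display; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan, key):
    """Keyed hash (HMAC-SHA-512). An unkeyed SHA-512 of a PAN is reversible by enumerating
    the roughly 10^9 account numbers behind a known BIN, so the key is what protects the
    token and must live in KMS/Secrets Manager, not beside the data."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha512).hexdigest()


def redact_text(text):
    """Replace every Luhn-valid PAN in free text (logs, file contents) with its masked form."""
    def _replace(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_replace, text)


# Constructed inputs: a well-known test card number and a non-PAN 16-digit reference number
SAMPLE_LOG = "2024-05-02 txn ref 1234567890123456 card 4111 1111 1111 1111 amount 100.00"
SAMPLE_KEY = b"constructed-demo-key-rotate-me"   # hypothetical; fetch from KMS/Secrets Manager in production

if __name__ == "__main__":
    print(redact_text(SAMPLE_LOG))
    print("token:", pan_token("4111111111111111", SAMPLE_KEY)[:32] + "...")
```

The Luhn filter is what keeps the redactor from mangling timestamps, transaction references and amounts while still catching PANs written with spaces or dashes; the reference number in the sample survives, the card number does not. Run the redactor over transfer files and application logs before they reach the SFTP server, S3 or Splunk, since a PAN that lands in a log is as much a finding as one in a database column.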