Readiness Standard, Provisioning and De-Provisioning Policy
Security Classification: Public
Version: 1.1 (May 2025)
Security Readiness Criteria
The Security readiness criteria are based on our ISMS policies for KX and our Secure Engineering best practices.
The following table gives supporting detail for each Security readiness criterion, the team responsible for it, and whether it is required in each environment.
Security Readiness Criteria | Responsibility | Development | Staging | Production |
---|---|---|---|---|
KX Information Security policy: Must be applied to new environments | All / Everyone | Partial as long as mitigation steps exist for any non-compliance | Yes | Yes |
Asset Inventory: new assets (internal and cloud) must be added to inventory | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Access Controls: must be applied based on the least privilege needs approach | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Vulnerability Scanning: of device / application / networks must be applied per requirements. This includes installing any vulnerability scanning agent to the new device / environment | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Integrated Environment Solution: integrated to the overall environment | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Monitoring & Logging: requirements applied for the device / application to help verify security compliance status. This includes installing any monitoring / logging agent to the new device / environment | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Patching: all existing patch levels to be applied for the device / application to help verify security compliance status. This includes installing any patching agent to the new device / environment | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Health checking: requirements applied for the device / application to help verify security compliance status. This includes installing any Health Checking agent to the new device / environment | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Static and Dynamic Scanning: application and source code scanning to have been performed on any application software. | Development Team | Yes | Yes | Yes |
Penetration testing and vulnerability scanning: to be completed or planned as defined in policy. Results to be known and accepted. | IT team and Security Team for review and validation | Must be complete or planned | Must be complete or planned | Must be complete or planned |
Encryption and Key Management: to be in place as per policy | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Malicious Code Management: Antivirus software to be installed and managed for patching / updates | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Clock synchronization: NTP shall be configured using trusted time sources within KX environment and when not feasible shall use trusted external sources (government or military sources) | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Capacity Planning: should cover all critical IT and Cloud resources including the following: server resources, network resources, application software, critical PCs/laptops. Capacity of information processing facilities shall be monitored continuously, and the data gathered shall be used for projecting future capacity requirements and identifying potential bottlenecks. Resources to monitor include but are not limited to the following: | KX Data Center(s) / IT and CloudOps teams | Yes | Yes | Yes |
Provisioning and Deprovisioning
The following process applies to provisioning or de-provisioning of any systems in KX and in cloud environments managed by KX.
It applies to development, staging and production environments.
Provisioning
Every system shall be adequately tested before being implemented in the production environment. The following security controls shall be monitored during acceptance testing:
- All of the above Security Readiness criteria have been met
- Agreed performance and computer / system capacity
- Error recovery, restart, and contingency plans and procedures
- Effective manual operating procedures
- Training for the users in the operation or use of the new system
New systems shall not have any impact on existing systems.
There shall be active involvement of the actual users and application owners in the system acceptance process.
Deprovisioning
Every system shall be deprovisioned using a controlled approach. The following security controls shall be monitored during deprovisioning:
- All data considerations have been assessed prior to removal
- Risk / Impact assessment has been done prior to removal
- No impact will occur for existing systems during or after deprovisioning
- Verify the remaining environment is operating as expected
- Take action to resolve any impact of the above Security Readiness criteria (asset removal, no further reporting, etc.).
- Verify asset has been removed from the asset inventory