Readiness Standard, Provisioning and De-Provisioning Policy

Security Classification: Public
Version: 1.1 (May 2025)

Security Readiness Criteria

The security readiness criteria are based on the KX ISMS policies and on our Secure Engineering best practices.

The following table gives supporting detail for each security readiness criterion: what it requires, who is responsible for it, and whether it applies in the Development, Staging and Production environments.

Security Readiness Criteria (with Responsibility and applicability in Development / Staging / Production)

KX Information Security policy: must be applied to new environments.
  Responsibility: All / Everyone
  Development / Staging / Production: Partial (mitigation steps must exist for any non-compliance) / Yes / Yes

Asset Inventory: new assets (internal and cloud) must be added to the asset inventory.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Access Controls: must be applied following the least-privilege approach, granting only the access the role needs.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Vulnerability Scanning: devices, applications and networks must be scanned per the requirements. This includes installing any vulnerability scanning agent on the new device / environment.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Integrated Environment Solution: the new device / application is integrated into the overall environment rather than operated as a stand-alone island.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Monitoring & Logging: monitoring and logging requirements are applied to the device / application so that its security compliance status can be verified. This includes installing any monitoring / logging agent on the new device / environment.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Patching: the device / application is brought to the current patch level so that its security compliance status can be verified. This includes installing any patching agent on the new device / environment.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Health checking: health-check requirements are applied to the device / application so that its security compliance status can be verified. This includes installing any health-checking agent on the new device / environment.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Static and Dynamic Scanning: application and source-code scanning has been performed on any application software.
  Responsibility: Development Team
  Development / Staging / Production: Yes / Yes / Yes

Penetration testing and vulnerability scanning: completed or planned as defined in policy. Results are known and have been accepted.
  Responsibility: IT team and Security Team, for review and validation
  Development / Staging / Production: Must be complete or planned (in all three)

Encryption and Key Management: in place as per policy.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Malicious Code Management: antivirus software installed and managed so that it receives patches and updates.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Clock synchronization: NTP shall be configured against trusted time sources within the KX environment; where that is not feasible, trusted external sources (government or military sources) shall be used. Consistent time across systems is what makes log timestamps correlate during monitoring and incident investigation.
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Capacity Planning: should cover all critical IT and Cloud resources, including the following:
    Server resources
    Network resources
    Application software
    Critical PCs / laptops
  Capacity of information processing facilities shall be monitored continuously, and the data gathered shall be used for projecting future capacity requirements and identifying potential bottlenecks. Resources to monitor include, but are not limited to:
    Processors
    Primary memory (RAM)
    Secondary memory (hard disk)
    Backup media
    Printers and other output devices
    Communication systems
  Responsibility: KX Data Center(s) / IT and CloudOps teams
  Development / Staging / Production: Yes / Yes / Yes

Provisioning and De-provisioning

The following process applies to the provisioning or de-provisioning of any system in KX and in cloud environments managed by KX. It applies to the development, staging and production environments.

Provisioning

Every system shall be adequately tested before being implemented in the production environment. The following shall be verified during acceptance testing:

  • All of the above Security Readiness criteria have been met
  • Agreed performance and computer / system capacity requirements are met
  • Error recovery, restart, and contingency plans and procedures are in place
  • Effective manual operating procedures are documented
  • Users have been trained in the operation or use of the new system

New systems shall not adversely impact existing systems.

The actual users and application owners shall be actively involved in the system acceptance process.

De-provisioning

Every system shall be de-provisioned using a controlled approach. The following shall be verified during de-provisioning:

  • Data held on the system has been assessed prior to removal (retention, migration or secure disposal, as required)
  • A risk / impact assessment has been completed prior to removal
  • No impact will occur to existing systems during or after de-provisioning
  • The remaining environment is operating as expected
  • Any loose ends left by the above Security Readiness criteria have been resolved (access revoked, the asset removed from scanning, monitoring, logging and patching so that no further reporting is expected from it, etc.)
  • The asset has been removed from the asset inventory