Accessible vehicles and equipment: scheme rules
We are looking for additional suppliers to join the Accessible Vehicles and Equipment (AVE) Scheme. This publication sets out the scheme rules and criteria suppliers must meet in order to be successfully accredited as part of the Scheme.
Minimum technical requirements
Information will be shared automatically and securely between the accredited provider and Social Security Scotland using an Application Programming Interface (API).
Applicants must be able to show that they can deliver a technical solution which complies with all of the following:
1. is compatible with an Application Programming Interface (API)
2. ensures all data transfers are routed through the Scottish Government file transfer platform
3. uses the Secure Shell (SSH) protocol for authentication of remote connections and file transfers
4. uses Transport Layer Security (TLS, still commonly referred to as SSL) for its front-end website
5. uses OpenPGP file encryption for all files being transferred
6. implements tiered access permissions for all users
7. uses the latest release operating system with patches and updates applied at the recommended frequency
8. has a test environment separate from live environment for testing and integration purposes
9. uses a network and connecting systems with a high level of security control, such as DDoS protection, a web application firewall and a network firewall
10. mediates API connections from untrusted networks through an API gateway that performs access control and threat protection
11. ensures all user and system interfaces introduced by the solution enforce access control through authentication and authorisation
12. integrates with the Social Security Scotland or SCOTS Identity Provider (IdP) platform for authentication of internal/staff users
13. adheres to the Social Security Scotland Password Management standards regarding strength, handling and storage
14. complies with the relevant legal and regulatory requirements
15. uses an internet connection layer that provides web gateway security controls
16. uses either federated identity authentication (preferred) or Multi Factor Authentication (MFA)
17. ensures data in transit is protected by encrypted channels using secure cryptographic protocols, for both internal and external communications
18. ensures data at rest is protected by encryption or hashing using secure cryptographic algorithms
19. ensures the platform processing Social Security Scotland information has defined security-hardened configuration baselines, with measures in place to manage compliance with them
20. ensures all ingress file transfers undergo content threat inspection, filtering and, where appropriate, sanitisation
21. audits and logs all user, security and system events to provide an attributable account of all activity, supporting the business, systems and security monitoring use cases defined for the solution
22. considers data backup requirements and, where appropriate, uses a backup and restore capability that is both secure and routinely tested
23. ensures solution Information Security risks are identified, assessed and under management before service go-live
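Requirements 13 and 18 ask for passwords to be handled and stored to a defined standard and for data at rest to be protected by encryption or hashing. The following is an added illustration of what compliant password storage looks like in practice; it is not code from Social Security Scotland or the AVE Scheme, and the algorithm, iteration count and minimum length it uses are assumptions chosen for the example rather than values taken from the Password Management standards. It stores a salted PBKDF2-HMAC-SHA256 digest in a self-describing record, verifies candidates in constant time, and flags records whose work factor has fallen behind current policy so they can be re-hashed at next login.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this example only; the scheme's own standard
# defines the real strength, handling and storage rules.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000        # current work factor
SALT_BYTES = 16             # random per-password salt
KEY_BYTES = 32              # derived key length
MIN_PASSWORD_LENGTH = 12    # assumed minimum length


def _derive(password: str, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Run PBKDF2-HMAC-SHA256 over the password with the given salt and cost."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=dklen
    )


def _parse(record: str):
    """Split a stored record into (algorithm, iterations, salt, key).

    Returns None for anything malformed, so callers fail closed instead of
    raising on a corrupted or legacy (e.g. plaintext) entry.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return parts[0], int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algo$iterations$salt_hex$key_hex' for storage at rest.

    The plaintext is never stored; only the salted, iterated digest is.
    """
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password shorter than policy minimum")
    salt = secrets.token_bytes(SALT_BYTES)
    key = _derive(password, salt, iterations, KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a candidate against a stored record using a constant-time compare."""
    parsed = _parse(record)
    if parsed is None:
        return False
    _, iterations, salt, expected = parsed
    candidate = _derive(password, salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record is malformed or uses a lower work factor than policy."""
    parsed = _parse(record)
    return parsed is None or parsed[1] < iterations


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong password here", stored))
```

On successful login, a record for which `needs_rehash` returns True should be replaced with `hash_password` output at the current work factor; the same pattern lets a provider raise the iteration count over time without forcing password resets.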
Contact
Email: AVE@gov.scot