2019 Flowserve Corporation :: Proprietary & Confidential
Project Name:
Purpose of the project:
Sponsoring organization:
App/Solution Owner:
Submitter:
Date:
Type of Solution:
[X] Custom Developed – Flowserve DC
[ ] Licensed Solution – Flowserve DC
[ ] Licensed Solution – Vendor Hosted
[ ] Licensed Solution – Desktop
[ ] Subscription – SaaS
Level 1 Support Org:
Level 2 Support Org:
Level 3 Support Org:
ARB Questionnaire
ARB Questionnaire | Yes- X | No- X
Is this a new business capability? | X
Is this a new application? <ivms 4200 client software> | X
Does the application integrate with other applications? | X
Is the application hosted at OneNeck? | X
* Have you identified affected Business process? <Please provide Business Process here> | X
* Enterprise Architecture Principles and Solution guidelines are followed? (link) |
Will your project/application involve military or government data, credit card transactions (PCI), personally identifiable information (PII), changes to financially relevant systems, public websites, new roles within existing systems or any other involvement from Information Security? | X
Do you have the Software Vendor’s Completed Security & Privacy Questionnaire? | X
NOTE:
* Items marked * are mandatory and must be answered Yes.
If ANY of the above answers are Yes (other than the * items), please be prepared to answer more detailed questions from the Office of Enterprise Architecture. Please be aware of the expected tone of discussion:
• The review team is encouraged to be professional, with no personal bias.
• The project team is strongly encouraged to present facts, not preferences.
(No verbal approvals for critical decisions are accepted by the review team. Please have documented proof or email approvals ready.)
You must be prepared to provide the following documents during the review meeting:
• Business Requirement Document
• Data Flow Document
• Technical Architecture Diagram
• Security & Privacy Document
• Data classification/sensitivity
Business Process Flow
• Please provide a high level business process flow diagram (Proposed).
Technology Overview
• Please provide an overview of the technology – Application Platform, Programming Language, Operating System, Database type and the security protocols implemented.

Presentation Tier (aka User Interface, the top level of the application. Does this require a PC/desktop install, i.e. a thick or thin client?)
• N/A. The NVR does not require a client to function, playback, or record for daily operations.

Logic Tier (the logical layer where all logical decisions are implemented)
• On the NVR’s embedded OS.

Data Tier (the data layer, where all data is stored)
• On the NVR’s local storage drives.

Security Tier (the layer that provides security, especially important for external partner facing applications)
• The NVR’s software (embedded OS) provides security for the hardware. No cloud functions.

Reporting Tier (What is the reporting tool/platform? Is it PowerBI, Alteryx, custom SQL report, etc.?)
Systems Integration
• Please provide an integration diagram highlighting the applications used in the business solution and means of integration, internal and external.
• Please see the first network diagram on slide 4.
Servers
• Please provide the names of the servers if you are planning on hosting on existing servers.
• If you will be requesting new servers, please identify the number of servers, where they will be hosted, and who will be managing them. Please work with the IT Manager responsible for your department to identify these.
• N/A
Detailed Check-List
Please answer to the best of your knowledge. These are not mandatory questions; they are provided to assist you in performing due diligence.
Support Matrix
System Element | Function | Responsible Team
Application Technical Support | Technical support of the app itself: how it is configured and how it is maintained, change management, license compliance | [Name the team]
Application Functional Support | How to support functional queries: SMEs, training, defining queries, configuring UI, ECC compliance | [Name the team]
Request Access | How users are granted access to this application; what approvals are needed | [Unisys]
Data Access | How to request, who approves | Combination of App owner, OneNeck and Nsight support teams, depending where the data resides
Hosting Support | Depending where the application is deployed (DC, Cloud or Edge), support for the servers needs to be provided: backup/restore, health of server(s) | OneNeck and Nsight support teams, depending where the servers reside
Network | Infrastructure that connects servers to clients | Network Services
Browser Support | Support for PC config and issues | Deskside services
Commercial and Contract | Renewal, disputes | Vendor Management
Data
Key Question | Yes/No/NA | Comments
Will the solution contain employee user data? | No
Will the solution contain customer data? | No
Will the solution contain confidential or sensitive information such as Military or Government? | No
Will the solution contain financial data? | No
Will the solution contain personally identifiable information (PII)? | No
Does the solution provide the ability to enforce data retention policies? | Yes
Does the solution provide the ability to encrypt data in transit? | Yes
Does the solution provide the ability to encrypt data at rest? | Yes
Does the solution provide the ability to view or export historical data? | Yes
Does the solution provide the ability to extract our data? Describe the various methods. | No
Does the solution provide the ability to bulk load data? Describe the various methods. | No
Can the solution generate reports? What reporting does this solution provide? | No
Integrations
Key Question | Yes/No/NA | Comments
Does the solution provide the ability to integrate with SAML 2.0, for Single Sign-On? List the identity providers your solution integrates with. | No
Does the solution have account management capabilities? Describe the user provisioning & de-provisioning and role modification & permissions, single user additions and bulk loads. | Yes
Does the solution provide integration with Web Services APIs? (i.e. SOAP, REST) Please describe and provide documentation for the APIs. | No
Does the solution provide the transfer of Flowserve’s data via a secure transfer method? (i.e. secure FTP, https, etc.) Describe the various secure integration methods. | No
Does the solution provide the ability to filter data retrieval via web services by attributes? | No
Does the solution provide the ability to retrieve data as single records or as batches via web services for those solutions that contain high volumes (1M plus) of data? | No
Infrastructure – Hosting & Networking
Key Question | Yes/No/NA | Comments
Will this be hosted within the Flowserve network at one of Flowserve’s existing physical or private cloud locations? | No
Will this be hosted by a third party outside of the Flowserve network (outside of Flowserve data centers and private cloud)? | No
What will be the method of accessing this application? | Client Application via LAN TCP/IP
What tier will this application be, tier 1, 2, 3 or 4? | Tier 1
Does the solution provide high-availability and fault-tolerance that can recover from events within a datacenter? Please describe. (Events to include: high load, hardware, software or network failure) | No
Does the solution provide a backup and recovery plan that at a minimum must include full weekly backups and daily incremental backups? | No
Do you have a business continuity and disaster recovery plan? Describe how you would recover from a natural disaster. | Yes | Pull NVR hardware/drives and test. Replace if needed. Exchange HDDs too if needed.
Does the solution provide additional development, testing, and/or staging environments in addition to the production environments? | No
Does the cloud solution provide documentation on the segregation of infrastructure from other customers or other environments? Please provide and describe. | N/A
Security
Key Question | Yes/No/NA | Please Explain
Does the solution have the security utilities with best practices in place? | Yes
Does the solution support multi-factor authentication? Describe what methods are available. | Yes | User name/password login, login via email, or pattern login.
Does the solution provide the ability to control network access to the application by named IPs or IP ranges, also referred to as restricting access by IP, or control network access to the application by device? | Yes
Does the solution provide the ability to enforce Flowserve specified password policies? | Yes
Does the solution provide the ability to control application functionality access by roles for all users, also referred to as Role Based Access Control (RBAC), via methods such as by attribute or based on a hierarchy? | Yes
Does the solution provide the ability to audit and export user accounts and historical user activity? | Yes
Does the solution provide the ability to log user activity for security monitoring? | Yes
What type and level of encryption does the solution support? | AES (Advanced Encryption Standard)
Compliance
Key Question | Yes/No/NA | Please Explain
Does the solution comply with United States federal and (fifty) states data privacy laws? (i.e. SB1386, MA201, Nevada597) | Yes
Does the solution comply with international data privacy laws? (i.e. European Privacy Laws, Safe Harbor, bi-lateral agreements between countries, ITAR) | Yes
Does the vendor promptly notify Flowserve of any non-compliance by the solution with such laws (in 1. and 2. above) related to Flowserve’s data? | Yes
Can the vendor provide supporting documentation / information regarding compliance with such laws (in 1. and 2. above)? | Yes
Does the vendor notify Flowserve of any 3rd Party requests for our data or information, including but not limited to those related to legal or other administrative proceedings? | Yes
Does the vendor obtain Flowserve’s authorization for any release of our data or information to any 3rd Party? | Yes
Can the vendor provide their policies on customer’s rights to request an audit and audit rights? | Yes
Does the solution provide options for opting out of secondary use of Flowserve’s data by 3rd parties, partners, etc.? | No
Does the solution provide the ability to retrieve or export Flowserve’s data upon termination of service? | No
Does the solution provide the ability / requirement to destroy all Flowserve data upon termination of service after retrieval / export, including data stored on backups? | Yes
Does the solution provide remedies for breach of SLA compliance and other requirements? | Yes
Does the vendor use any 3rd party OEM embedded in the product? Can the vendor provide a list of all 3rd party vendors and their relationships? | No
Contacts: Deepak Shukla (Integrations), John Breen (Security), Phil Miller (Hosting), Nick Paine (Networks)
Application tier definitions:
Tier 1 – The loss of the application affects more than 50% of the enterprise AND directly impacts business operations
Tier 2 – The loss of the application affects 25% to 50% of the enterprise AND directly impacts business operations
Tier 3 – The loss of the application affects less than 25% of the enterprise AND impacts business operations
Tier 4 – The loss of the application affects one or more sites AND impacts business operations only at those sites (localized impact)