MIS and Computerization Functional Specifications

Capacity Development of
Civil Aviation Authority of Nepal
MIS and Computerization

Functional Specifications
MAY2013
Index
1
Functional Specifications Introduction .............................................................................. 4
Requirements gathering ................................................................................................... 5
Requirement Definition ..................................................................................................... 6

3.1
Functional requirements ........................................................................................... 7
3.1.1
MIS Functional Requirements............................................................................. 9
3.1.1.1
Airport Operational Data Base ..................................................................... 9
3.1.1.1.1
AODB Access ...................................................................................... 10
3.1.1.1.2
AODB Update ...................................................................................... 11
3.1.1.1.3
AODB Historical Data Conservation ..................................................... 12
3.1.1.2
Lightweight Directory Access Protocol ....................................................... 13
3.1.1.2.1
LDAP Access ....................................................................................... 14
3.1.1.2.2
LDAP Exceptions ................................................................................. 15
3.1.1.2.3
LDAP Groups Management ................................................................. 16
3.1.1.2.4
LDAP Update ....................................................................................... 17
3.1.1.2.5
LDAP Users Management ................................................................... 18
3.1.1.3
Records Management ............................................................................... 19
3.1.1.3.1
Documents Access .............................................................................. 21
3.1.1.3.2
Documents Creation ............................................................................ 22
3.1.1.3.3
Documents Sharing ............................................................................. 23
3.1.1.3.4
Documents update/delete .................................................................... 24
3.1.1.4
Web Publications ....................................................................................... 25
3.1.1.4.1
3.1.1.5
E-mail adoption.......................................................................................... 27
3.1.1.5.1
3.1.1.6
Corporate e-mail establishment ........................................................... 28
CAAN web site .......................................................................................... 29
3.1.1.6.1
3.1.1.7
Web publication on demand ................................................................. 26
Web site powered by CMS System ...................................................... 30
New organization web site ......................................................................... 31
3.1.1.7.1
New organization web site powered by CMS System .......................... 32
3.1.1.8
Historical Operations Registry ................................................................... 33
3.1.1.9
Corporate Tables ....................................................................................... 34
3.1.2
Other Functional Requirements ........................................................................ 35
3.1.2.1
Enterprise Resource Planning ................................................................... 36
3.1.2.1.1
ERP Access ......................................................................................... 37
3.1.2.1.2
ERP Reporting ..................................................................................... 38
3.1.2.2
New structured cabling for CAAN Offices at Babar Mahal (1) .................... 39
3.1.2.3
New structured cabling for CAAN Offices at Babar Mahal (2) .................... 41
3.1.2.4
Networking infrastructure for CAAN Offices at Babar Mahal ...................... 43
3.1.2.5
Data Center for CAAN Offices at Babar Mahal .......................................... 45
MIS and Computerization Functional Specifications
Page 2 of 71
3.2
3.1.2.6
Internet Service Provision for CAAN Offices at Babar Mahal ..................... 46
3.1.2.7
Computing Equipment for CAAN Offices at Babar Mahal .......................... 47
3.1.2.8
Implement the Help Desk Function at CAAN Offices at Babar Mahal ........ 49
Non-functional requirements or technical requirements .......................................... 50
3.2.1
Availability ........................................................................................................ 51
3.2.2
Backup ............................................................................................................. 52
3.2.3
IT service continuity (ITIL procedure) ................................................................ 53
3.2.4
Extensibility ...................................................................................................... 54
3.2.5
Fault tolerance .................................................................................................. 55
3.2.6
Interoperability .................................................................................................. 56
3.2.7
Licensing .......................................................................................................... 57
3.2.8
Maintainability ................................................................................................... 58
3.2.9
Performance ..................................................................................................... 59
3.2.10
Platform compatibility .................................................................................... 60
3.2.11
Scalability ...................................................................................................... 61
3.2.12
Security ......................................................................................................... 62
3.2.13 ............................................................................................................................. 62
3.2.13.1
Security controls (1): Access management ............................................... 63
3.2.13.2
Security controls (2): Awareness & training ............................................... 64
3.2.13.3
Security controls (3): Audit & Accountability .............................................. 65
3.2.13.4 Security controls (4): Certification, Accreditation, and Security

Assessment................................................................................................................ 66
3.2.13.5
Security controls (5): Physical and Environmental Protection.................... 67
3.2.13.6
Security controls (6): System and Communications Protection ................. 68
3.2.13.7
Security controls (7): System and Information Integrity ............................. 69
Functional Description .................................................................................................... 70

4.1
Record management .............................................................................................. 71
4.2
Web sites ............................................................................................................... 71
4.3
Airport operational software .................................................................................... 71
Page 3 of 71
1 Functional Specifications Introduction
In this document, Ineco MIS team will detail the functional requirements
detected for the future Nepal CAAN and the proposed NAANSA.
These requirements will be listed and explained, in order to get a better understanding
of what the real needs of both organizations are. Understanding of this document by
the responsible officials in this area is a critical point, because this will be the base for
the future MIS infrastructure.
After that, the functionalities of the main parts in MIS infrastructure will be explained,
and the scope of the applications and concepts as access, tasks and functions will be
determined.
This document will be constantly under review to reflect the current situation.
Page 4 of 71
2 Requirements Gathering
The requirements gathering process is the first phase of software development,

collecting all the information necessary to improve the organization procedures.
Requirements establishment is the first step to agree on and visualise the right
product. A requirement gathering is a vital part of the systems engineering process. At
the beginning, it defines the problem scope and after that, it links all the relative
information to them through their functional analysis.
The Requirements gathering task is critical to the success of any project. Any
requirement must be collected clearly and all stakeholders in the project must be
involved in this task.
This kind of tasks are open while the project is alive, and frequently new requirements
will appear in any phases of the project (definition, analysis, develop, test,
maintenance, etc.). In other words, requirements gathering belongs to life cycle
workflow of projects and never finishes completely.
Page 5 of 71
3 Requirement Definition
A common Requirement definition drawn from IEEE-STD-1220-1998 (IEEE 1998):
Requirement is a statement that identifies a product or process operational, functional,
or design characteristic or constraint, which is unambiguous, testable or measurable,
and necessary for product or process acceptability (by stakeholders).
Requirements are the basis of any project, defining what the stakeholders users,
customers, suppliers, developers, businesses in a new (or legacy) potential system
need from it, and also what the system must do in order to satisfy that need.
One of the goals of this document is to present a standardized template to collect
requirements and the MIS team will use it to collect all requirements orderly.
There are two kinds of requirements: functional and non-functional. The Definitions and
main differences between them will be discussed in further sections of this document.
Page 6 of 71
3.1 Functional Requirements

To simplify the collection of MIS project requirements, two different kinds of
requirements will be used, as described below:
First level requirements: this kind of requirements defines high level

necessities. In other words, one first level requirement will identify business
requirements to improve tasks, productivity or enhance workflows. Every first
level requirement will match with a whole application to solve a business
necessity. In fact, they will be "the product vision process" for a new tool. These
types of requirements have to be detected and have to be estimated roughly in
time and budget by CAAN staff.
Second level requirements: through an analysis of "product vision" these

kinds of requirements will appear. Stakeholders of a new application must
collect requirements of any functionality that they need, to cover their functional
necessities. Every one of these requirements must satisfy the following list of
features:
o Complete
o Specific, unambiguous.
o Testable or measurable
o Prioritized
o Achievable, realistic
o Connected
o Signed off by the client
It is not mandatory that all requirements must be considered as a new application (first
level requirements) or they must be included in the final product (second level
requirements). All of them must be analysed and estimated in cost and effort to
determinate if they are affordable. However, only a few requirements show up
intentionally with a must, these are the mandatory ones.
To maintain minimum traceability between requirements is very important to highlight
any dependence between requirements. This approach allows maintaining a
requirements hierarchy.
Page 7 of 71
This is the template to fill up in order to define a new functional requirement.

Functional requirement
First Level
Second Level
Dependent requirement
id
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information
Page 8 of 71
3.1.1
MIS Functional Requirements
3.1.1.1 Airport Operational Data Base
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information
id
Airport Operational Data Base (AODB)
F-0001
Air Operational database (AODB) is a type of database in
which all the air operations of a concrete area are
recorded.
It is known that in TIA Airport there is a kind of this type of
software, installed by a Dutch company. This database
might be enough to cover this software requirement.
It must be taken into account that this information might
increase its size rapidly. This data model should be
evaluated in order to determine if it is only valid for the TIA
airport, or it could be expanded to entire model information
of air operations in Nepal.
This operational information is crucial to make reports and
predictions. The airport master plans are based on
historical information, and this information must be stored
in a single place, centralised and easy to access to
allowed users.
Operational mistakes and non-coordinated information will
be reduced if an AODB is created and used. The
information stored on that database might be exploited in
very different ways, giving information to create new
routes, total passengers amounts, companys information
and so on.
In order to facilitate the queries to this kind of database,
some queries might be stored, and executed during the
night or in low loaded periods. Reports and graphs could
be generated using this information.
This data base will be one of the key of the IT
infrastructure, it will be interoperable with the purpose of all
of the CAAN applications can connect with it.
The solution proposed must write down all airport
operations and their associate information, and AODB
must contain with methods to be interoperable.
TBD
MIS team was informed that TIA airport has already
installed a similar solution in their IT systems to show real
time arrivals and departures to passengers, which
probably could be analysed and reused in order to improve
it and built a full solution to both problems.
Page 9 of 71
3.1.1.1.1 AODB Access

First Level
Second Level
Name
Id
Date
Dependent requirement F-0001

id
AODB Access
F-0001-01
The Air Operations database (AODB) must be accessible
from other applications as Flight Information Displays
(FIDs) inside the TIA airport, web sites, or even any other
if required.
Description
Acceptance Measure
Tester
Extra information
To get this goal, it is important that the AODB design

covers this requirement, and to create formal and secure
ways to access to this data.
An Access Public Interface (API) is the key concept to get
the information accessible to the granted entities.
AODB data must be accessible through an API to granted
entities.
TBD
Page 10 of 71
3.1.1.1.2 AODB Update
First Level
Second Level
Name
Id
Date

id
AODB Update
F-0001-02
The Air Operations database (AODB) must be updated on
time and its information must be up to date in the same
real-time approach as now.
Description
Acceptance Measure
Tester
Extra information
To get this goal, it is important that the AODB allows to the

current responsible to this task, to enter the flight data and
its updates in a friendly interface avoiding data replication
and failures.
There will be just some users who should be allowed to
update the information gathered in the AODB.
AODB data must be updated in a real time approach.
TBD
Page 11 of 71
3.1.1.1.3 AODB Historical Data Conservation
First Level
Second Level
Name
Id
Date

id
AODB Historical Data Conservation
F-0001-03
The Air Operations database (AODB) must keep the
historical operations information.
Description
Acceptance Measure
Tester
Extra information
This is crucial to build reports and statistics information to

make studies and traffic forecast.
This information must be storaged in secondary storage
units, but the processes to extract the AODB information
and to store in the secondary unit must be taken into
account
AODB data must be kept.
TBD
Page 12 of 71
3.1.1.2 Lightweight Directory Access Protocol
First Level
Second Level
Name
Id
Date
id
Lightweight Directory Access Protocol (LDAP)
F-0002
The Lightweight Directory Access Protocol (LDAP) is an
application protocol for accessing and maintaining
distributed directory information services over a network.
Directory services may provide any organized set of
records, often with a hierarchical structure, such as a
corporate email directory.
LDAP is required in order to maintain the security access
to information. This is a transversal requirement in all the
teams, in order to guarantee the data protection. LDAP is
an electronic representation of the corporate structure.
This structure is currently being defined and will determine
roles and grants.
Description
Anyway, it is possible to assign special permissions to
concrete information or document to a single user. These
exceptions are defined over the standard hierarchical
definition of the entire organization, and must be
continuously reviewed in order to keep the information
control access up to date.
LDAP is a key concept in any sharing information system,
and must be defined carefully. Ineco offers its experience
to CAAN staff to show how it works, and how to define the
different roles and permissions.
Acceptance Measure
Tester
Extra information
All the systems that are going to be installed will delegate

its access rules to the LDAP.
All security policies defined will be able to be implemented
in the corporate LDAP System.
TBD
LDAP is specified using the description language. This
language is well-documented in several places, and is
easy to learn.
Page 13 of 71
3.1.1.2.1 LDAP Access
First Level
Second Level
Name
Id
Date

id
LDAP Access
F-0002-01
LDAP must be accessible from any corporate application
in the CAAN new organization and in the future air
navigation organization. LDAP must to be the tool to grant
any access to any resource, and it must work in a
transparent way for final users.
Description
Acceptance Measure
Tester
Extra information
In order to get this goal, any corporate application must

have LDAP compatibility, and restricted access
configuration.
The configuration and/or modifications to these access
policies must be access restricted to specific users groups.
LDAP will be the way to grant the access to any corporate
resource
TBD
Page 14 of 71
3.1.1.2.2 LDAP Exceptions
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
LDAP Exceptions
F-0002-02
LDAP must be able to accept exceptions in its
configuration to allow single users to access to any
resource in any application configured with it.
LDAP will be able to grant single users to single resources.
TBD
Page 15 of 71
3.1.1.2.3 LDAP Groups Management
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
LDAP Groups Management
F-0002-03
LDAP must be able to accept groups management in
order to facilitate the initial configuration of a group of
users. These users can belong to the same department, or
just have common features that, using groups, would be
configured just once.
LDAP will be able to configure groups of users.
TBD
Page 16 of 71
3.1.1.2.4 LDAP Update
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
LDAP Update
F-0002-04
LDAP must be configured and updated any time the task
must be required. This action will be restricted to granted
users.
It will be possible to update the LDAP configuration.
TBD
Page 17 of 71
3.1.1.2.5 LDAP Users Management
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
LDAP Users management
F-0002-05
LDAP must be able to configure single user permissions to
enter to the different applications or resources in the
network. These users will be configured and updated any
time the task must be required. This action will be
restricted to granted users.
LDAP will be able to configure single users.
TBD
Page 18 of 71
3.1.1.3 Records Management
First Level
Second Level
Name
Id
Date
id
Records management (RM)
F-0003
Records management is the practice of maintaining the
records of an organization from the time they are created
up to their eventual disposal. This may include classifying,
storing, securing, and destruction (or in some cases,
archival preservation) of records and reports in any kind of
format (doc, xls, pdf, ect.).
A more concrete definition of an EDRM (Electronic
document and records management system) would be an
automatic system that is used to create original or
versioned documents, track and store them through an
organization.
These kind of systems are used to keep documents in an
organization that has the need of sharing and updating
documents through different agents. During this process,
the document is created, updated, reviewed, versioned or
just read.
Description
This kind of system is always based on a hierarchical

permissions system that only allows the access to a
document to users that are granted to do.
In CAAN there is a need of sharing information. One of the
big problems of the current organization is the duplicity of
the same information because the information is not
centralised. With this kind of software, all the different
versions of the same document will be tracked. All the
changes done by a user might be reviewed and the same
file will be distributed through the system in order to
reduce to zero the loss of information.
IT security programs will include procedures for storing,
handling and destroying information media, supporting the
record life-cycle, including sanitization of the information
system media, both digital and non-digital, prior to disposal
or release for reuse.
These programs will be aligned with the Record Retention
Policy.
Page 19 of 71
Acceptance Measure
Tester
Extra information
All kind of reports, records, documents, etc. generated,

must be managed by this system, and all of them must be
available to be shared with someone else (distributed
document) or whoever has been allowed (working
document).
All the teams involved in the future organization design will
demand this software to guarantee the information integrity
and the access control.
TBD
With this kind of system, it is guaranteed always that the
latest and the most updated information are checked in all
the times that this piece of information is needed.
Page 20 of 71
3.1.1.3.1 Documents Access
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
F-0003-01
The system must be accessible from any computer inside
the organization. This access will be granted through an
identification login page.
Using the LDAP configuration, this access will be
configured and restricted to single users or groups.
The system must be accessible to the members of staff,
and the access to the different sections and actions must
be granted separately.
TBD
Page 21 of 71
3.1.1.3.2 Documents Creation
First Level
Second Level
Name
Id
Date

id
F-0003-02
Users must be able to create documents in the sections
where they are allowed to.
Description
Acceptance Measure
Tester
Extra information
This documents must be uploaded from their hard disk and

will be kept in the system since this moment
The system must allow users to create documents.
TBD
Page 22 of 71
3.1.1.3.3 Documents Sharing
First Level
Second Level
Name
Id
Date

id
F-0003-03
Users must be able to share documents in the sections
where they are allowed to.
Description
Acceptance Measure
Tester
Extra information
These documents may be shared with single users or with

groups.
Users will be allowed to share their own documents, and
the documents in which they are allowed to
The system must allow users to share documents.
TBD
Page 23 of 71
3.1.1.3.4 Documents update/delete
First Level
Second Level
Name
Id
Date

id
F-0003-04
Users must be able to update or delete documents in the
sections where they are allowed to.
Description
Acceptance Measure
Tester
Extra information
Updates will be versioned. Each version will save the

author, date, changes done and comments.
Users will be allowed to update or delete their own
documents, and the documents in which they are allowed
to.
The system must allow users to update or delete
documents.
TBD
Page 24 of 71
3.1.1.4 Web Publications
First Level
Second Level
Name
Id
Date
id
Web publications
F-0004
Nowadays, websites are the public face in front of the
world.
This websites represent the image that an organization
wants to show to the rest of the world.
The CAAN website is not only this image. CAAN website
must be the place where important information about
Nepal and its air navigation must be collected and shared
with the general public.
Description
In concrete, there is some information that must be shared

and published by law. Following the indications of air
navigation experts, Ineco encourage to public AIS
information on the website firmly and regularly.
Therefore, there is a need to create channels to public
information on the current or future websites.
Not only general information must be shown on these
websites, but technical information might be required.
Acceptance Measure
Tester
Extra information
Some of the reports based on AODB data could be shared

too, in order to give accuracy information to the potential
visitors or air navigation experts around the world.
AIS documents will be published under the laws related,
with the purpose to enforce the law.
TBD
Some technique to do publications in real time can be
implemented to publish in CAAN or TIA websites, but AIS
publication won't be necessary to be real time.
Page 25 of 71
3.1.1.4.1 Web publication on demand
First Level
Second Level
Name
Id
Date

id
Web publication on demand
F-0004-01
Web publication mechanisms must be developed.
Description
Acceptance Measure
Tester
Extra information
Some information must be published automatically to the

official web sites on demand. These mechanisms could be
directly implemented on the Document Management, or in
other application.
This publication must be a robust mechanism and
transparent to final users
Documents can be published to the officials websites
through an automatic mechanism on demand
TBD
Page 26 of 71
3.1.1.5 E-mail adoption
First Level
Second Level
Name
Id
Date
id
E-mail adoption
F-0005
The e-mail communication is the way that modern
enterprise communication works. It is so crucial that
sometimes the e-mail address is the authentication token
in internal systems, and the corporate systems identify
users by their id.
Description
Acceptance Measure
Tester
Extra information
CAAN and the new air navigation organization must adapt

to this way of communication and distribute information:
not only text but files and events or meetings must be
distributed by e-mails across their staff and with any other
professional of any other part of the world.
These e-mail addresses must belong to the CAAN and the
new air navigation organization, and their technical staff
must administer them. Nowadays, there is no reason to
not use it, and adapt it as the corporate way of working.
Members of the staff of the CAAN and new air navigation
with their e-mail address distributed and working properly,
and adopting the e-mail as the corporate way of
communication.
TBD
Task on progress
Page 27 of 71
3.1.1.5.1 Corporate e-mail establishment
First Level
Second Level
Name
Id
Date

id
Corporate e-mail establishment
F-0005-01
Corporate e-mail addresses must be distributed through
the staff.
Description
Acceptance Measure
Tester
Extra information
E-mail client and reader must be installed on each

computer in order to facilitate its establishment.
This e-mail address may be the user id to access to the
different systems.
Any staff member must have a corporate email address.
TBD
Page 28 of 71
3.1.1.6 CAAN web site
First Level
Second Level
Name
Id
Date
id
CAAN web site
F-0006
The CAAN web site must be rebuilt.
A new analysis and redesign must be carried out in order
to obtain a better public image of the organization, and
covering all the information needs.
Description
Acceptance Measure
Tester
Extra information
The new web site must take into account the new
tendencies on internet, trying to give to the organization a
new look and feel, well in keeping with the Nepal efforts to
modernize its aeronautical sector.
A deep study of the information structuration should be
carried out as well, trying to cover all information needs in
a well-structured web site. This is crucial in order to get a
better user experience that guarantees the visitors
satisfaction and the access to the proper information fast
and with accuracy.
New modern web page with a full redesign, that will offer
the current information and will cover the future needs. It
must support web publications.
TBD
Page 29 of 71
3.1.1.6.1 Web site powered by CMS System
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
Web site powered by Content Management System
F-0006-01
In order to improve the maintenance and the functionality
of the CAAN's web site, it is critical to have a wellsupported Content Management System like Joomla,
Drupal, etc.
Web site developed using a Content Management
System.
TBD
Page 30 of 71
3.1.1.7 New organization web site
First Level
Second Level
Name
Id
Date
id
New organization web site
F-0007
The new organization must have a web site.
An exhaustive analysis must be carried out in order to
obtain all the information needs and its structuration.
Description
Acceptance Measure
Tester
Extra information
The new web site must take into account the new
tendencies on internet, trying to give to the organization an
appropriate look and feel, well in keeping with the Nepal
efforts to modernize its aeronautical sector.
As the CAAN web site, this is crucial in order to get a good
user experience that guarantees the visitors satisfaction
and the access to the proper information fast and with
accuracy.
Web page with an attractive and modern design, covering
the information needs. It must support web publications.
TBD
Page 31 of 71
3.1.1.7.1 New organization web site powered by CMS System
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
New organization web site powered by CMS System
F-0007-01
In order to improve the maintenance and the functionality
of the new organization's web site, it is critical for the web
site to be powered by a well-supported Content
Management System.
Web site developed using a Content Management System.
TBD
Page 32 of 71
3.1.1.8 Historical Operations Registry
First Level
Second Level
Name
Id
Date
id
Historical Operations Registry
F-0008
The Historical Operations Registry is the place where all
the operational information will be stored once the flight
operation has been occurred.
This information must be stored in order to obtain custom
reports about any business analyses in future.
Description
These reports are used to obtain important information

about routes, companies, passengers and so on, and are
the starting point to get the overview of the current
situation, and the previsions to the future.
This historical information must to feed from the AODB,
and it must take into account that the information size will
increase a lot during the years. In order to solve this size
problem, large storage devices must to be purchased and
the staff will have to learn to manage them.
Acceptance Measure
Tester
Extra information
Historical information will be stored and used to generate

custom reports.
TBD
Page 33 of 71
3.1.1.9 Corporate Tables
First Level
Second Level
Name
Id
Date
id
Corporate Tables
F-0009
The corporate tables are the place to stored common
information about the airport daily work, as companies,
airports and so on.
Description
This information must be centralised in order to reduce

redundant information, minimize the typing mistakes and
to create a unique place where every department can
access and get update and official information, avoiding
paperwork and keeping the key information inside the
company.
These tables must be allocated in an internal data base
installed in the Data Center, and accessible through the
internal MIS system.
Acceptance Measure
Tester
Extra information
This information must be kept by the technical IT staff, and

the historical evolution of any information must be tracked.
Common corporate information must be stored in a
centralised data base.
TBD
Page 34 of 71
3.1.2
Other Functional Requirements
Although there are lot of applications already detected by the MIS infrastructure, other
software requirements have been detected.
The main application of this type is the ERP. ERP (Enterprise Resource Planning)
software is the specific software used to billing clients and economic control issues that
it belongs to financial field.
Obviously, there is a need of this kind of software on both organizations, and they must
to be taken into account although they do not belong to MIS field.
Besides that, there are infrastructure necessities that have been collected and
explained on this section.
Page 35 of 71
3.1.2.1 Enterprise Resource Planning
First Level
Second Level
Name
Id
Date
id
Enterprise Resource Planning
F-0010
Enterprise resource planning (ERP) systems integrate
internal and external management information across an
entire
organization,
embracing
finance/accounting,
manufacturing, sales and service, customer relationship
management, etc.
ERP systems automate this activity with an integrated
software application. The purpose of ERP is to facilitate
the flow of information between all business functions
inside the boundaries of the organization and manage the
connections to outside stakeholders.
Description
It was previously mentioned that this software is not part of

the MIS itself. This software has to be used just by the
financial department, and the concept of MIS architecture
does not cover this part, but it has to be taken into account
as other piece of software that has to be integrated with
MIS does not exist currently.
In concrete, this software is demanded by the financial
Team in order to organize the accounting tasks of the
future organization. Not only providers expenses but also
company taxes are included on this software requirement.
Acceptance Measure
Tester
Extra information
This system has to be accessible only by the financial

department of the new organization. There will be some
information just accessible by certain members of the staff,
so in addition, LDAP is demanded.
The solution proposed allows managing the accounting of
both organizations separately.
TBD
An important task in this requirement will be inquiry and
choose the suitable commercial product.
Page 36 of 71
3.1.2.1.1 ERP Access
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
ERP Access
F-0010-01
The ERP must be accessible from any computer inside the
Accounting department. This access will be granted
through an identification login page.
Using the LDAP configuration, this access will be
configured and restricted to single users or groups.
ERP must be accessible to the members of the accounting
staff, and the access to the different sections and actions
must be granted separately.
TBD
Page 37 of 71
3.1.2.1.2 ERP Reporting
First Level
Second Level
Name
Id
Date
Description
Acceptance Measure
Tester
Extra information

id
ERP Reporting
F-0010-02
The information storage inside the ERP must be
accessible in order to generate automatic reports about
accounting department activities. These reports must be
defined by the appropriate users and they must be flexible
and dynamic enough to satisfy the business needs.
The ERP reports generation must be possible.
TBD
Page 38 of 71
3.1.2.2 New structured cabling for CAAN Offices at Babar Mahal (1)
First Level
Second Level
Name
Id
Date
id
New structured cabling for CAAN Offices at Babar
Mahal: Rooms & conduits
F-0011
The CAAN organization office at Babar Mahal requires a
new structured cabling, which will provide a
comprehensive
telecommunications
networking
infrastructure.
This infrastructure serves a wide range of uses, allowing
workstations, laptops and smartphones to connect to
network and business application services, residing in the
computing facilities available in the Data Center Room,
and data, voice and video transmission.
The structured cabling is one of the most complex and
expensive installations of a building, comprising different
construction spaces, fixtures, electronics, etc.
Regarding construction requirements, the six prominent
construction elements/spaces required are:
Description
Entrance facility, where the telecommunications

service connects to the building network.
Equipment room in the Data Center Room,
located close to the main backbone pathway to
allow for easier connection. Data Center Room will
be defined in another functional requirement.
Backbone pathway (intrabuilding), use to place
backbone cables between the equipment room and
the entrance facility, the entrance facility and the
telecommunications room or the equipment room
and the telecommunications room.
Telecommunication rooms, spaces that act as
the common access point between backbone and
horizontal distribution pathways, one per floor.
Horizontal pathways, facilities used in the
installation of horizontal cabling from the work area
outlet to the telecommunications room.
Work areas, locations where occupants interact
with telecommunications devices. Those work
areas will have to be renovated in order to provide
the appropriate telecommunication outlets.
Being the CAAN current offices an ancient building at

Babar Mahal, an analysis must be carried out to obtain all
the information about rooms, accessible shafts or
Page 39 of 71
passages through the floors and ceiling areas, free

sleeves, trays and conduits available, etc.
Acceptance Measure
Tester
Extra information
The aforementioned areas will have to be identified in the

building prior to refurbish them for the new functions.
Compliance with the ANSI/TIA/EIA-569B standard specs
and guidance, in terms of sizing, % space filling, etc.
TBD (Ineco QA)
Page 40 of 71
3.1.2.3 New structured cabling for CAAN Offices at Babar Mahal (2)
First Level
Second Level
Name
Id
Date
id
New structured cabling for CAAN Offices at Babar
Mahal: Cabling system
F-0011-01
new structured cabling, which will provide a
comprehensive telecommunications infrastructure.
This infrastructure serves a wide range of uses, allowing
workstations, laptops and smartphones to connect to
network and business application services, residing in the
computing facilities available in the Data Center Room,
and data, voice and video transmission.
Cable is the fabric that connects every LAN device, either
talker or listener:
-
Horizontal cabling, portion of the cabling system

with a star topology that extends from the work
area outlet, through the cabling in the
wall/ceiling/floor and then to the patch panel in the
telecommunications room.
The system will also include the patch cords at the
work area outlet to connect the user LAN
devices/adapters, and patch cords in the
telecommunications room.
Description
Backbone cabling, Multipair cables with a

thermoplastic insulating cover, assembled into
binder groups, or fiber cable, between the
equipment room and the entrance facility, the
entrance facility and the telecommunications room
or the equipment room and the telecommunications
room
Cables terminate in connecting hardware, which could also

be required, depending on the Office layout:
- Main cross connect in telecomm room
- Intermediate cross connect
- Horizontal cross connect
- Horizontal cabling transition points
- Consolidation points
- Telecommunications outlets in the work areas,
Page 41 of 71
close to the users
Acceptance Measure
Tester
Extra information
Compliance with the ANSI/TIA/EIA-568B standard specs

and guidance, in terms of resistance, attenuation, etc.
Most horizontal cabling will follow Cat 5e or 6a standards
TBD (Ineco QA)
Page 42 of 71
3.1.2.4 Networking infrastructure for CAAN Offices at Babar Mahal

First Level
Second Level
Name
Id
id
Networking infrastructure for CAAN Offices at Babar
Mahal
F-0012
new networking and telecommunications infrastructure,
with the following managed (thru a 3rd party)
or
unmanaged enabling elements:
Description
Local Area Network routers and switches, to

connect the different networks and workstations
and devices between them, the DMZ and the
outside world through Internet. They cover the
layers 1 to 3 in the Open Systems Interconnection
ISO standard and are the corner stone of the
communications realm.
Firewalls, sitting between routers and applications
servers and providing access control, with packet
or application filtering capabilities available.
Load balancing components to distribute overall
load on your Web or application servers, or to
distribute specific demand according to the kind of
task to be performed.
Name servers, to respond to naming queries and
identify the IP address of components and
services.
Storage Area Network elements to make storage
independent of the servers used in conjunction with
it. SAN can accelerate the time to recover, using a
non-functional server and without having to
relocate the storage drives.
CAAN Organization should also add a couple more

elements to comply with the Security Control
Requirements later stated:
-
Acceptance Measure
Demilitarized Zone, DMZ, which will separate the

corporate network or internal network from the
Internet. The DMZ is a tightly secured area into
which you place servers providing Internet services
and facilities e.g. web servers.
Proxies, to avoid any potential danger when
accessing to Internet, A machine requiring access
to the Internet can pass its request onto the proxy,
which in turn makes the request on the machines
behalf, shielding it.
For performance, using a stress test probe to evaluate

bottlenecks: maximum concurrent connections to high-
Page 43 of 71
impact information servers, traffic volume through the

proxy per second, etc.
Tester
Extra information
For Security Control, IT Continuity Services, please refer

to NF-0003 and NF-0012.6
TBD (Ineco QA)
Page 44 of 71
3.1.2.5 Data Center for CAAN Offices at Babar Mahal

First Level
Second Level
Name
Id
id
Data Center for CAAN Offices at Babar Mahal
F-0013
new Data Center with a minimum reliability of 99,671%
(Tier I Basic TIA 942 standard, based upon Uptime
Institute benchmarks):
Description
Susceptible
to
planned
or
unplanned
disruptions
Single path for power and cooling distribution,
without redundant Data Center components
(excluded network and computing infrastructure).
No need for raised floor or generator. UPS is
considered a must (not in Tier I).
Some measures for fire suppression: fire
detection, early warning smoke detection and water
leak detection.
Annual downtime of 29 hours.
Complete
shutdown
for
preventive
maintenance.
The Data Center will have enough room to distribute the

different network, computing and storage equipment,
meeting known and projected maximum requirements:
- Entrance pathways for cabling
- Main networking distribution area
- Racks with side mounting rails to which equipment
and hardware are mounted.
- Pathways to the main distribution area and horizontal
distribution
- Hot and cold aisles to optimize cooling provided
appropriate conditions for the installation.
Acceptance Measure
Tester
Extra information
Compliance with standard TIA 942 for Tier I Data Center

type, plus UPS availability
TBD (Ineco QA)
Page 45 of 71
3.1.2.6 Internet Service Provision for CAAN Offices at Babar Mahal

First Level
Second Level
Name
Id
Description
Acceptance Measure
Tester
Extra information
id
Internet Service Provision for CAAN Offices at Babar
Mahal
F-0014
The CAAN organization office at Babar Mahal must hire a
broadband access to Internet, together with a back-up
from a different provider, to enable access to the Internet
from the different Business Functions, as well as access to
the corporate web site from everywhere.
Response times and download times to measure the real
bandwidth, within acceptable limits of contract Service
Level Agreement.
TBD (Ineco QA)
Page 46 of 71
3.1.2.7 Computing Equipment for CAAN Offices at Babar Mahal

First Level
Second Level
Name
Id
id
Computing Equipment for CAAN Offices at Babar
Mahal
F-0015
The CAAN organization office at Babar Mahal must
acquire the hardware and software platform that suits their
needs for application and database services and end-user
workstations.
New servers (hardware + software) must be provided to
host all network services aforementioned, which integrate
with MIS applications e.g. DNS, and for the MIS
applications themselves.
Bearing in mind that the application architecture lies on the
Java Enterprise Edition or JEE this will restrict our options
in terms of application and database platform, to most
likely JBOSS and PostgreSQL. Both platforms will be
aimed to host a bunch of applications, particularly the highimpact ones. Fault-tolerant Clustering is not perceived as a
must for CAAN Offices at Babar Mahal.
Description
Storage will be provided via a Storage Area Network

infrastructure to allow for flexibility, scalability and
performance, provided managed SAN GBs annual prices
are reasonable.
Regarding workstations, CAAN must also renew a big
chunk of their workstations inventory. It will have to be
decided before the bidding process, whether the most
suitable platform is a Microsoft Windows one, which
integrates better with network services like LDAP
(Microsoft Active Directory) but requires a powerful
machine, or a user-friendly linux one, like the Long Term
Support edition of Ubuntu.
The biggest advantage of linux workstations are software
costs and the chance to reuse existing and cheaper
computer hardware, being linux usually a less demanding
platform.
Drivers for current printers and other small peripherals
devices may be an issue, and therefore we must provision
to renew part of the peripherals park.
Acceptance Measure
New platforms must integrate seamless in the new

network environment and the CAAN corporate domain,
Page 47 of 71
Tester
Extra information
provide suitable response times and run the entire

corporate application portfolio, plus specific applications,
intended for certain end-users, according to the application
inventory.
TBD (Ineco QA)
Page 48 of 71
3.1.2.8 Implement the Help Desk Function at CAAN Offices at Babar Mahal
First Level
Second Level
Name
Id
id
Implement the Help Desk Function at CAAN Offices at
Babar Mahal
F-0016
The CAAN organization office at Babar Mahal should
implement the necessary IT Governance disciplines, to
successfully control the infrastructure and provide
managed IT services.
The first organizational change should be to implement a
Help Desk function that will act as a focal point for support
requests like access management, incidents, request for
change, etc.
Description
The Conceptual Plan will develop the Help Desk function

and the IT Governance disciplines. Policies and
procedures will be developed, training materials produced
and the IT Staff trained and getting coached.
A productivity tool to support the Help Desk operations will
be configured and deployed, allowing the Organization or
other collaborating entities to assign tickets to incoming
queries and track further communications.
It is a traceable mean of managing incoming inquiries,
complaints, support requests, defect reports, and other
communications. Every ticket will have persistence or a
"history" showing what happened to it within its life cycle.
The stored information will be the basis to produce key
performance indicators (KPIs).
Acceptance Measure
Tester
Extra information
Help Desk Organization in place, ready to perform the

roles defined by IT Governance good practices.
TBD (Ineco QA)
Page 49 of 71
3.2
Non-functional requirements or technical requirements
In computer engineering terms, a non-functional requirement is a requirement that

define the desired system behaviour rather than specific behaviour or functions. The
plan for implementing functional requirements is detailed in the system design and
determines what a system is supposed to do, whereas the plan for implementing nonfunctional requirements is detailed in the system architecture and determines how a
system is supposed to be.
Non-functional requirements are often called qualities of a system, and are defined
based on qualities like stability and portability. Non-functional requirements can be
divided into two main categories:
Execution qualities, such as security and usability, which are observable at run
time.
Evolution qualities, such as testability, maintainability, extensibility and
scalability, which are embodied in the static structure of the software system
This is the template to fill up in order to define a new non-functional requirement.
Non-functional requirement template

Name
Id
Date
Description
Acceptance Measure
Tester
Extra information
Page 50 of 71
3.2.1
Availability
Non-functional requirement
Availability
Name
Id
NF-0001
Date
The system availability is the feature to explain the amount
of time that a system has to be accessible and working in
a proper way. Availability is the proportion of time a system
Description
is in a functioning condition. This ratio between the total
time and the time that the system was available is the unit
to measure this capability.
The solution proposed must be 24 hours available, 7 days
a week. That means that the application must be alive and
working in any single moment. Therefore, deny of service
Acceptance Measure
periods must be avoided. To get this goal the entire
infrastructure must be replicated and the electricity supply
must be guaranteed in the DPC.
Tester
TBD
Extra information
Page 51 of 71
3.2.2
Backup
Backup
Name
Id
NF-0002
Date
CAAN should conduct backups of user-level and systemlevel information (including system state information)
contained in all information systems at least weekly.
System backups are automatic regular copies of highimpact information systems. All the key pieces of
information must be stored regularly, in order to have
recovery copies just in case an incident happened.
Description
These recovery copies must be storage in separate units,

and must be accessible by the system administrators.
These administrators will be in charge to recover the
system to the most updated state when the system fails.
Another reason to keep former security copies is for the
information integrity or forensic purposes. This past
information could be accessed to check the information
state and analyse a temporal incident or decision.
Alternate storage sites should be identified and the
necessary agreements initiated to permit the storage of
backup information for Moderate and High-impact
information systems.
The solution proposed must storage the DDBB and highimpact information systems daily, to reduce the risk of loss
of information.
Acceptance Measure
Tester
Extra information
In addition to that, the information must be kept during one

month in order to restore the system on a precise date and
analyse its behaviour.
TBD
Page 52 of 71
3.2.3
IT service continuity (ITIL procedure)
IT Service Continuity
Name
Id
NF-0003
Date
CAAN Organization should maintain a set of IT Service
Continuity Plans and IT recovery plans that will support the
overall Business Continuity Plans. (beyond the IT
boundaries)
Even if primarily IT Service Continuity considers the IT
assets and configurations that support the business
processes, following a contingency it will be also
necessary to relocate to an alternative working location,
provision may also be required for items such as office and
personnel accommodation, copies of critical paper
records, courier services and telephone facilities to
communicate with customers and third parties
Description
IT high-impact information systems should have the

capacity that enables a system to restore operations after
a system complete fail. Alternate telecommunications
services must support these high-impact information
systems to permit the resumption of system operations for
critical mission/business functions.
When an incident happens it is important to have a clear
protocol that explains what to do and how and what to
recover. This protocol must be accessible in any moment
(even with the system down), and the system
administrators and backups must know it.
The elapsed time since the system fail and the system
working again is important to define this protocol. Actually,
it is a QA (Quality assurance), and it is important to define
this time in order to determine subsequent measures
related to it, as back-up policies or the real reliability of the
system.
Personnel should also be trained in their contingency roles
and responsibilities with respect to all information systems
and a refresher should be provided annually.
Acceptance Measure
Tester
Extra information
The solution proposed must recover its proper state highimpact information system in less than 24 hour. The
optimal situation should require less time, but the SLA will
establish what the acceptable delay is and will be based
upon the Business Continuity Policy
TBD
Page 53 of 71
3.2.4
Extensibility
Extensibility
Name
Id
NF-0004
Date
The Extensibility principle is the feature that means that
the implementation takes into consideration future growth.
It is a systemic measure of the ability to extend a system
and the level of effort required to implement and fully
Description
integrate the extension. Extensions can be through the
addition of new functionality or through modification of
existing functionality. The central theme is to provide for
change while minimizing impact to existing system
functions.
The solution will be implemented following this principle,
Acceptance Measure
taking into account future improvements and product
integrations.
Tester
TBD
Extra information
Page 54 of 71
3.2.5
Fault tolerance
Fault tolerance
Name
Id
NF-0005
Date
The fault-tolerant design is a design that enables a system
to continue operation, possibly at a reduced level, rather
than failing completely, when some part of the system
fails. The term is most commonly used to describe
computer-based systems designed to continue more or
Description
less fully operational with, perhaps, a reduction in
throughput or an increase in response time in the event of
some partial failure. That is, the system as a whole is not
stopped due to problems either in the hardware or the
software.
The solution must be failure tolerant, and must be strong
enough to guarantee the service during the time the
application is on. To get this goal, this software should
Acceptance Measure
emit a signal when a potential problem was detected, in
advance, giving enough time to take preventives measures
to solve it without service interruption
Tester
TBD
Extra information
Page 55 of 71
3.2.6
Interoperability
Interoperability
Name
Id
NF-0006
Date
Interoperability is the feature that describes the facility to
interchange information between different systems, and
the capacity to use it.
Another definition to this principle is "Being able to
accomplish end-user applications using different types of
Description
computer systems, operating systems, and application
software, interconnected by different types of local and
wide area networks."
This feature must be taken into account when a system is
defined, knowing previously which type of devices are
going to access to the information and its capabilities.
The solution will be interoperable between the agreed
Acceptance Measure
devices, and the maximum number of functionalities will be
accessible from the less power devices.
Tester
TBD
Extra information
Page 56 of 71
3.2.7
Licensing
Licensing
Name
Id
NF-0007
Date
The license is the feature that any product has in order to
protect the intellectual property of its creators. With a
license, a licensor may grant a license under intellectual
property laws to authorise a use (such as copying software
or using a (patented invention) to a licensee, sparing the
Description
licensee from a claim of infringement brought by the
licensor. A license under intellectual property commonly
has several components beyond the grant itself, including
a term, territory, renewal provisions, and other limitations
deemed vital to the licensor.
The solution must be licensed and this license must be
Acceptance Measure
legal. That means that this software will be legal to be
used and distributed along the organization.
Tester
TBD
Extra information
Page 57 of 71
3.2.8
Maintainability
Maintainability
Name
Id
NF-0008
Date
In engineering, maintainability is the ease with which a
product can be maintained in order to isolate defects and
correct them, build up new requirements and make easier
its future maintenance, and cope with a changed
environment
Description
In some cases, maintainability involves a system of

continuous improvement - learning from the past in order
to improve the ability to maintain systems, or improve
reliability of systems based on maintenance experience.
Maintainability will be subjected to Security Policy, to be
developed.
Acceptance Measure
Tester
Extra information
The solution proposed will be easy to maintain. The

software designed will follow maintenance patterns to
reduce the impact of new requirements and isolate the
potential bugs.
TBD
Page 58 of 71
3.2.9
Performance
Performance
Name
Id
NF-0009
Date
The system performance is the capacity to keep the
optimal behaviour of the system components at any time,
and any physical or logical circumstances (load,
temperature, disk occupation, network concurrence)
Description
Acceptance Measure
Tester
Extra information
This performance level must be constant in any

concurrence and situation. This goal can be prevented
using enough resources to cover all these situations, or
adding resources dynamically when an overload situation
is happening, in advance.
The solution will keep the performance in the agreed
situations. When an overload situation is detected, the
solution will emit a signal to the application administrators
to alert about an overload situation.
TBD
Page 59 of 71
3.2.10 Platform compatibility

Platform compatibility
Name
Id
NF-0010
Date
The platform compatibility feature is the system capability
Description
of run into different platforms without penalties in
performance neither extra configuration.
All the software needed to the CAAN and the future
organization staff will be runnable in the chosen platform,
Acceptance Measure
without any extra performance penalties. The platform will
be transparent to final MIS users.
Tester
TBD
Extra information
Page 60 of 71
3.2.11 Scalability
Scalability
Name
Id
NF-0011
Date
The scalability feature is the ability of a system to handle a
growing amount of work in a capable manner or its ability
to be enlarged to accommodate that growth. It may refer to
the capability of a system to increase total throughput
under an increased load when hardware resources are
added.
Description
Acceptance Measure
Tester
Extra information
Scalability, as a property of systems, is generally difficult to

define and in any particular case it is necessary to define
the specific requirements for scalability on those
dimensions that are deemed important. A system, whose
performance
improves
after
adding
hardware,
proportionally to the capacity added, is said to be a
scalable system.
The solution proposed will be scalable. If a lack of
resources is detected, it will be easy to solve this problem
just adding new resources to the bottle neck.
TBD
Page 61 of 71
3.2.12 Security
Security
Name
Id
NF-0012
Date
The Security in the field of computer science is a very
broad concept. It may be defined as the ability to
guarantee the integrity of the information providing by the
system, and the access control to it.
The CAAN organization will employ security controls to
meet security requirements defined by laws, executive
orders, directives, policies, or regulations.
Description
Acceptance Measure
Tester
Extra information
Current assumption and going-in position: No matter

how well the environment is defended, attacks are
inevitable and eventually there will be a breach, being
people the weakest link. CAAN should therefore be ready
for incident response, business continuity and digital
forensics
.
The solution will guarantee the information confidentiality,
integrity, providing a mechanism to grant access to the
information, based upon discrete access lists and users
groups or roles.
TBD
3.2.13
A Security schema for Information Assurance (IA):
By Barbara Endicott, University of Washington
Page 62 of 71
3.2.13.1 Security controls (1): Access management

First Level
Second Level
Name
Id
Date
Dependent requirement NF-0012

id
Access Management controls
NF-0012-1
Minimum requirements presume a clear cut procedure to
manage information system accounts, inactive accounts,
conditions for group memberships, assignment of
associated authorizations, etc.
Appropriate divisions of responsibility and separated duties
as needed, to eliminate conflicts of interest, should be
implemented.
Description
Access control requires that the system be able to identify

and differentiate among users through accounts. Other
account management policies for information system
accounts passwords enforcement, lockouts, account
termination, etc. should be implemented as well.
Wifi access usage and portable and mobile devices
access should be restricted, monitored and controlled.
If remote access is allowed (employees), Bureaus and
Offices shall authorize, monitor, and control all methods of
remote access e.g. multi-factor authentication.
Access from external systems shall be prohibited.
Acceptance Measure
Tester
Extra information
Audit by inspection that information systems restrict

access to security functions (deployed in hardware,
software, and firmware) and security-relevant information
to explicitly authorized personnel: policies & procedures
and logs.
Check policies have been implemented and/or applied to
information system accounts
TBD (Ineco QA)
Page 63 of 71
3.2.13.2 Security controls (2): Awareness & training

First Level
Second Level
Name
Id
Date

id
Awareness and training controls
NF-0012-2
Awareness and training will pursue to focus the users
attention on IT security in the users daily routine,
whenever there are important threats and weaknesses in a
security control, changes in the IT Security Program policy
or procedures or simply an incident has occurred.
Description
Awareness programs should be developed according to

desktop productivity tools employed and the business
applications portfolio.
Training should be organized, training records maintained,
and people should attend security training events at least
once per year.
Training may be followed by certification.

Acceptance Measure
Tester
Extra information
Check policy has been implemented: documentation,

training plan, etc.
TBD (Ineco QA)
Page 64 of 71
3.2.13.3 Security controls (3): Audit & Accountability

First Level
Second Level
Name
Id
Date

id
Audit & Accountability controls
NF-0012-3
A record of system activity by the system, application
processes and by user activities should be maintained to
log, monitor, and investigate possible security violations
from activity involving access to and modification of files.
Description
Audit trails and event logs will help to reconstruct events,
detect intrusions, and identify problems.
Acceptance Measure
Tester
Extra information
Check policy has been implemented: documentation, audit

trails and logs available per workstation, server & MIS
system.
TBD (Ineco QA)
Page 65 of 71
3.2.13.4 Security controls (4): Certification, Accreditation, and Security

Assessment
First Level
Second Level
Name
Id
Date

id
Certification, Accreditation, and Security Assessment
F-0012-4
CAAN shall designate in writing a responsible for ensuring
adequate planning and compliance with respect to the
relevant policies, standards and guidelines issued by TBD
(provided such authority exists).
System security plans should be developed for highimpact systems. Each plan shall include a description and
diagram of the IT system boundary which identifies
servers, network resources, and network devices included
within this boundary. System Security Plans must contain
at least:
Description
- Business Impact Assessment

- Risk Assessment
- Boundary Hardware/Software
- Interconnection Security Agreements
- Contingency Plan
- Configuration Management Plan & Change
Management Plan
Security Test and Evaluation Plans should document
the scope and procedures for testing the systems control
baseline. The Security Test and Evaluation Plan will
provide relevant test cases for all devices included within
the documented accreditation boundary.
Bureaus and offices should employ an independent
certification agent or certification team to conduct an
assessment of the security controls in the information
system.
Acceptance Measure
Tester
Extra information
Bureaus and offices shall monitor the security controls in

all information systems on an ongoing basis.
Check System Security Plans are in place for applications
and systems defined as high-impact, check security tests
results and evaluation plans.
TBD (Ineco QA)
Page 66 of 71
3.2.13.5 Security controls (5): Physical and Environmental Protection

First Level
Second Level
Name
Id
Date

id
Physical and Environmental Protection
NF-0012-5
CAAN should document physical and environmental
protection controls in the IT System Security Plan.
Offices should develop and keep current a list of personnel
with authorized access to the facilities where information
systems reside and issue appropriate authorization
credentials. Personnel no longer requiring access to the
facility will be removed from the list.
Description
Offices shall ensure that badges, keys, combinations, and

other access devices are secured and inventoried
regularly.
CAAN should ensure that the physical access controls for
computer and communications rooms, containing large
concentrations of information system components, are
independent of the physical access controls for the facility.
Acceptance Measure
Tester
Extra information
Check implementation of the measures, and assess

compliance via appropriate control records e.g. audit trails
and logs.
TBD (Ineco QA)
Page 67 of 71
3.2.13.6 Security controls (6): System and Communications Protection

First Level
Second Level
Name
Id
Date

id
System and Communications Protection
NF-0012-6
CAAN must ensure that information systems physically
separate public user interface services e.g. public web
pages, from information storage and management
services e.g. database management.
It should be accomplished through the use of different
computers, different central processing units, different
instances of the operating system, network addresses, etc.
CAAN should ensure the monitoring and control of
communications at the external boundary of the
information system and at key internal boundaries within
the system.
Description
Any connection to Internet should pass through managed

interfaces consisting of appropriate boundary protection
devices e.g. proxies, routers, firewalls, etc., arranged in an
effective architecture i.e. routers protecting firewalls and
application gateways residing on a protected sub-network,
the DMZ or demilitarized zone.
A defense-in-depth protection strategy should be
developed for high-impact informations systems and
communications.
CAAN must employ cryptographic mechanisms to prevent
unauthorized disclosure of sensitive information and
prevent information integrity data during transmission,
unless appropriate security control are provided by the
data carrier.
CAAN should establish and manage cryptographic keys
using automated mechanisms with supporting procedures
or manual procedures when cryptography is required and
employed within high-impact information systems, in
compliance with laws, directives, policies, regulations,
standards, etc. by Nepal Government, IATA and other
international regulators.
Acceptance Measure
Tester
Extra information

and logs.
TBD (Ineco QA)
Page 68 of 71
3.2.13.7 Security controls (7): System and Information Integrity

First Level
Second Level
Name
Id
Date

id
System and Information Integrity
NF-0012-7
CAAN shall identify, report, and correct all information
system flaws, identifying any information system
containing software affected with potential vulnerabilities
resulting from those flaws.
A comprehensive patch management and asset
management program should be established, including
periodic vulnerability scanning.
CAAN shall ensure that flaws discovered during security
assessments, continuous monitoring, incident response
activities or information system error handling are also
addressed expeditiously, following the philosophy already
outlined on the eventuality of a breach.
Description
CAAN must use malicious code protection mechanisms to

detect and eradicate malicious code like viruses, worms,
Trojan horses, spyware transported by electronic mail and
attachments, Internet accesses, removable media, or by
exploiting information system vulnerabilities.
CAAN must employ tools and techniques to monitor
events on Moderate and High-impact information systems,
detect attacks, and provide identification of unauthorized
use of the systems. CAAN must also ensure that highimpact information systems are configured to detect and
protect against unauthorized changes to software and
information.
Acceptance Measure
Tester
Extra information
CAAN must receive information system security

alerts/advisories on a regular basis, issue alerts/advisories
to appropriate personnel, and take appropriate actions in
response.
and logs.
TBD (Ineco QA)
Page 69 of 71
Functional Description
Each one of the two organizations will have their own systems. These two systems
architecture are being designed in a very similar way. Their own working methods
based on workflows are also being considered.
The goal of this new working method is to achieve the information sharing between
colleagues, therefore every worker will be able to share or get any information,
document or report needed in their project.
It is important to highlight that from these new working methods several new more
efficient working processes will emerge. Besides all the information will be stored in a
place, anybody will lost information and every data will have a backup.
Every worker (or user) and all departments will be configured in the LDAP System, in
other words, every level of organization chart of each organization will be represented
in that system. LDAP system will have all the information that exists of each items
designed in the organization chart.
A permissions policy must be defined in the LDAP System in both organizations,
separately. Not every worker or department will be able to get all the available
information, thanks to a custom permission policy the IT department will be able to
grant or reject accesses.
Every system designed in MIS will be able to connect with LDAP system and evaluate
if a specific user profile has permission to get into an application.
The key of acceptance to the new paradigm of working processes will be the e-mail
system adoption. Every official communication will be by e-mail and all workers must
have an e-mail address to communicate with their colleagues
Page 70 of 71
4.1
Record management
The record management will be a transversal system. Every application will be able to
access to it to store or get any digitalized document. All documents may be stored in
that system and due to the LDAP integration and the access policy, not everybody will
access to any stored information, depending on the user level access.
This software will be a key system in the new software platform and it will be able to
store, share or search in all kind of documents.
It is important to highlight that every document may be classified in folders or tagged
with meta-information to simplify the searching or accessing tasks to them.
In addition, it will be able to create workflows to distribute the documents between
reviewers or recipients, if necessary.
4.2
Web sites
As mentioned earlier, web sites are the public face of an organization in front of the
world.
These web sites must to be updated and the look and feel of them must to be attractive
enough to show how modern the company is and the appropriate image that this
organization wants to have.
In order to get this goal, some information has to be published automatically from the
daily working tools to the web sites. These web sites must to be powered by CMS
systems that have these publication mechanisms in order to facilitate this information
publication and management.
4.3
Airport operational software
In order to collect all the information about operations, a special data base must be
implanted in the TIA and the rest of the airports in Nepal. This information is critical to
manage the airport operations, but it is also the source to build up master plans and
prediction studies about the current and the future situation in an airport.
With this goal in mind, one of this data bases must be installed in the CAAN
organization.
In addition of that, external software should be used to extract the information collected
on that data base and automatize the reports generation. These reports will extract the
consolidated information and create custom reports depending on the necessities on
each moment.
The corporate tables are the place to stored common information about the airport daily
work, as companies, airports and so on.
This information must to be centralised in order to reduce redundant information,
minimize the typing mistakes and to create a unique place where every department can
access and get update and official information, avoiding paperwork and keeping the
key information inside the company.
Page 71 of 71

MIS and Computerization Functional Specifications

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

MIS and Computerization Functional Specifications

Enviado por

Direitos autorais:

Formatos disponíveis

Capacity Development of

Civil Aviation Authority of Nepal