...
ISO/IEC 27002:2013 Control | TSS-WEB | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
12.1.4 Separation of development, testing and operational environments Control: Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. |
Control met by 3. Operational Requirements, “separation of environments” | |||||||||||
14.2 Security in development and support processes | ||||||||||||
14.2.1 Secure development policy Control: Rules for the development of software and systems should be established and applied to developments within the organization.
|
TSS-WEB provides a template for such a policy: a) See 4. Secure Development Environment b)
c) See 5. Security within Development Process d) See 5. Security within Development Process, “security approvals” e) See 4. Secure Development Environment f) See 5. Security within Development Process , “Defect tracking” g) See 1.4 Roles h) See “developer tests” in 6. Security Tests | |||||||||||
14.2.2 System change control procedures Control: Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. expand | ||||||||||||
| ||||||||||||
This process should include a risk assessment, analysis of the impacts of changes and specification of a) maintaining a record of agreed authorization levels; |
Control met by 5. Security within Development Process, “Assessment of functional requirements and changes”. | |||||||||||
14.2.3 Technical review of applications after operating platform changes Control: When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. |
| |||||||||||
14.2.4 Restrictions on changes to software packages Control: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. Expand | | |||||||||||
| b) whether the consent of the vendor should be obtained; c) the possibility of obtaining the required changes from the vendor as standard program updates; d) the impact if the organization becomes responsible for the future maintenance of the software as a result of changes; e) compatibility with other software in use. If changes are necessary the original software should
| |||||||||||
14.2.5 Secure system engineering principles Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. |
| |||||||||||
14.2.6 Secure development environment Control: Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering:
|
See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Protection+of+Code+and+Secrets | |||||||||||
14.2.7 Outsourced development e) provision of evidence that security thresholds were used to establish minimum acceptable levels ofsecurity and privacy quality; f) provision of evidence that sufficient testing has been applied to guard against the absence of both intentional and unintentional malicious content upon delivery; g) provision of evidence that sufficient testing has been applied to guard against the presence of known vulnerabilities; h) escrow arrangements, e.g. if source code is no longer available; i) contractual right to audit Control: The organization should supervise and monitor the activity of outsourced system development. Expand | | |||||||||||
|
| |||||||||||
14.2.8 System security testing Control: Testing of security functionality should be carried out during development. |
See “custom security & developer tests” at 6. Security Tests | |||||||||||
14.2.9 System acceptance testing Control: Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. |
See “custom security & developer tests” at 6. Security Tests | |||||||||||
14.3 Test data | ||||||||||||
14.3.1 Protection of test data a) the access control procedures, which apply to operational application systems, should also apply to test application systems;b) there should be separate authorization each time operational information is copied to a test environment; c) operational information should be erased from a test environment immediately after the testing is complete; d) the copying and use of operational information should be logged to provide an audit trail Control: Test data should be selected carefully, protected and controlled. Expand | | |||||||||||
|
See “general requirement” at6. Security Tests |