ISO/IEC 27002:2013 Control | TSS-WEB | ||||||
---|---|---|---|---|---|---|---|
12.1.4 Separation of development, testing and operational environments Control: Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. |
Control met by 3. Operational Requirements, “separation of environments” | ||||||
14.2 Security in development and support processes | |||||||
14.2.1 Secure development policy Control: Rules for the development of software and systems should be established and applied to developments within the organization. |
TSS-WEB provides a template for such a policy: a) See 4. Secure Development Environment b)
|
“Security approvals” e) See 4. Secure Development Environment f) See 5. Security within Software Development Process , “Defect tracking” g) See 1.4 Roles h) See “developer tests” in 6. Security Tests | |||||||
14.2.2 System change control procedures Control: Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. |
Control met by 5. Security within Software Development Process, “Assessment of functional requirements and changes”. | ||||||
14.2.3 Technical review of applications after operating platform changes Control: When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. |
Not relevant for web-based applications. | ||||||
14.2.4 Restrictions on changes to software packages Control: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. |
|
Not relevant for web-based applications. | |||||||
14.2.5 Secure system engineering principles Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. |
| ||||||
14.2.6 Secure development environment Control: Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering: |
See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Protection+of+Code+and+Secrets | ||||||
14.2.7 Outsourced development Control: The organization should supervise and monitor the activity of outsourced system development. |
| ||||||
14.2.8 System security testing Control: Testing of security functionality should be carried out during development. |
See “custom security & developer tests” at 6. Security Tests | ||||||
14.2.9 System acceptance testing Control: Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. |
See “custom security & developer tests” at 6. Security Tests | ||||||
14.3 Test data | |||||||
14.3.1 Protection of test data Control: Test data should be selected carefully, protected and controlled. |
See “general requirement” at6. Security Tests |