...
| ISO/IEC 27002:2013 Control | TSS-WEB |
|---|---|
| 12.1.4 Separation of development, testing and operational environments. Control: Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. | Control met by 3. Operational Requirements, “separation of environments” |
| 14.2 Security in development and support processes | |
| 14.2.1 Secure development policy. Control: Rules for the development of software and systems should be established and applied to developments within the organization. | TSS-WEB provides a template for such a policy: a) See 4. Secure Development Environment; b) ; c) See 5. Security within Development Process; d) See 5. Security within Development Process, “Security approvals”; e) See 4. Secure Development Environment; f) See 5. Security within Development Process, “Defect tracking”; g) See 1.4 Roles; h) See “developer tests” in 6. Security Tests |
| 14.2.2 System change control procedures. Control: Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. | Control met by 5. Security within Development Process, “Assessment of functional requirements and changes” |
| 14.2.3 Technical review of applications after operating platform changes. Control: When operating platforms are changed, business-critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | Not relevant for web-based applications. |
| 14.2.4 Restrictions on changes to software packages. Control: Modifications to software packages should be discouraged, limited to necessary changes, and all changes should be strictly controlled. | Not relevant for web-based applications. |
| 14.2.5 Secure system engineering principles. Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. | |
| 14.2.6 Secure development environment. Control: Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering: | See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Protection+of+Code+and+Secrets |
| 14.2.7 Outsourced development. Control: The organization should supervise and monitor the activity of outsourced system development. | |
| 14.2.8 System security testing. Control: Testing of security functionality should be carried out during development. | See “custom security & developer tests” at 6. Security Tests |
| 14.2.9 System acceptance testing. Control: Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. | See “custom security & developer tests” at 6. Security Tests |
| 14.3 Test data | |
| 14.3.1 Protection of test data. Control: Test data should be selected carefully, protected and controlled. | See “general requirement” at 6. Security Tests |