
ISO/IEC 27002:2013 Control | TSS-WEB

12.1.4 Separation of development, testing and operational environments
Control: Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.
TSS-WEB: YES. Control met by 3. Operational Requirements, “separation of environments”.

14.2 Security in development and support processes

14.2.1 Secure development policy
Control: Rules for the development of software and systems should be established and applied to developments within the organization.
TSS-WEB: YES. TSS-WEB provides a template for such a policy:
a) See 4. Secure Development Environment
b) 1. See 5. Security within Development Process
   2. Not covered; see our Security Guidelines for Confluence if you need them.
c) See 5. Security within Development Process
d) See 5. Security within Development Process, “Security approvals”
e) See 4. Secure Development Environment
f) See 5. Security within Development Process, “Defect tracking”
g) See 1.4 Roles
h) See “developer tests” in 6. Security Tests

14.2.2 System change control procedures
Control: Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.
TSS-WEB: YES. Control met by 5. Security within Development Process, “Assessment of functional requirements and changes”.

14.2.3 Technical review of applications after operating platform changes
Control: When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
TSS-WEB: NO. Not relevant for web-based applications.

14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.
TSS-WEB: NO. Not relevant for web-based applications.

14.2.5 Secure system engineering principles
Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.
TSS-WEB: YES. See 8.1 General Design Principles

14.2.6 Secure development environment
Control: Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering:
TSS-WEB: YES. See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Protection+of+Code+and+Secrets

14.2.7 Outsourced development
Control: The organization should supervise and monitor the activity of outsourced system development.
TSS-WEB: YES. See 7. Outsourced Development

14.2.8 System security testing
Control: Testing of security functionality should be carried out during development.
TSS-WEB: YES. See “custom security & developer tests” at 6. Security Tests

14.2.9 System acceptance testing
Control: Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.
TSS-WEB: YES. See “custom security & developer tests” at 6. Security Tests

14.3 Test data

14.3.1 Protection of test data
Control: Test data should be selected carefully, protected and controlled.
TSS-WEB: YES. See “general requirement” at 6. Security Tests
