ISO/IEC 27002:2013 Control

TSS-WEB

12.1.4 Separation of development, testing and operational environments

Control: Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.

Control met by 3. Operational Requirements, “separation of environments”

14.2 Security in development and support processes

14.2.1 Secure development policy

Control: Rules for the development of software and systems should be established and applied to developments within the organization.

TSS-WEB provides a template for such a policy:

a) See 4. Secure Development Environment

b)

  1. See 5. Security within Software Development Process

  2. Not covered, see our Security Guidelines for Confluence if you need them.

c) See 5. Security within Software Development Process

d) See 5. Security within Software Development Process, “Security approvals”

e) See 4. Secure Development Environment

f) See 5. Security within Software Development Process, “Defect tracking”

g) See 1.4 Roles

h) See “developer tests” in 6. Security Tests

14.2.2 System change control procedures

Control: Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.

Control met by 5. Security within Software Development Process, “Assessment of functional requirements and changes”.

14.2.3 Technical review of applications after operating platform changes

Control: When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

Not relevant for web-based applications.

14.2.4 Restrictions on changes to software packages

Control: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.

Not relevant for web-based applications.

14.2.5 Secure system engineering principles

Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.

See 8.1 General Design Principles

14.2.6 Secure development environment

Control: Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering:

See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Protection+of+Code+and+Secrets

14.2.7 Outsourced development

Control: The organization should supervise and monitor the activity of outsourced system development.

See 7. Outsourced Development

14.2.8 System security testing

Control: Testing of security functionality should be carried out during development.

See “custom security & developer tests” at 6. Security Tests

14.2.9 System acceptance testing

Control: Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.

See “custom security & developer tests” at 6. Security Tests

14.3 Test data

14.3.1 Protection of test data

Control: Test data should be selected carefully, protected and controlled.

See “general requirement” at 6. Security Tests