Appendix E: ISO/IEC 27002:2013 Mapping (Draft)
12.1.4 Separation of development, testing and operational environments Control: Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. | Yes Control met by https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98305/3.+Secure+Operation, “separation of environments” |
14.2 Security in development and support processes | |
14.2.1 Secure development policy Control: Rules for the development of software and systems should be established and applied to developments within the organization. | Yes TSS-WEB provides a template for such a policy: a) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Secure+Development+Environment b)
d) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338/5.+Security+within+Software+Development+Process, “Security approvals” e) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Secure+Development+Environment f) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338/5.+Security+within+Software+Development+Process , “Defect tracking” g) See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/335675582/1.4+Roles h) See “developer tests” in https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98368/6.+Security+Tests
|
14.2.2 System change control procedures Control: Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. | Yes Control met by https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338/5.+Security+within+Software+Development+Process, “Assessment of functional requirements and changes”. |
14.2.3 Technical review of applications after operating platform changes Control: When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | No Not relevant for web-based applications. |
14.2.4 Restrictions on changes to software packages Control: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. | No Not relevant for web-based applications. |
14.2.5 Secure system engineering principles Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. | Yes Seehttps://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/327729/8.1+General+Design+Principles |
14.2.6 Secure development environment Control: Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering: | Yes See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Protection+of+Code+and+Secrets |
14.2.7 Outsourced development Control: The organization should supervise and monitor the activity of outsourced system development. | Yes See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/294930/7.+Outsourced+Development |
14.2.8 System security testing Control: Testing of security functionality should be carried out during development. | Yes See “custom security & developer tests” at https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98368/6.+Security+Tests |
14.2.9 System acceptance testing Control: Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. | Yes See “custom security & developer tests” at https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98368/6.+Security+Tests |
14.3 Test data | |
14.3.1 Protection of test data Control: Test data should be selected carefully, protected and controlled. | Yes See “general requirement” athttps://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98368/6.+Security+Tests |