Search in ISMS Guides


Tuesday, July 24, 2007

9. Information systems acquisition, development and maintenance (ISO)

Security requirements of information systems

The objective of this category is to ensure that security is an integral part of the organization's information systems, and of the business processes associated with those systems.

Security requirements analysis and specification • Statements of business requirements for new information systems, or enhancements to existing information systems should include specification of the requirements for security controls. Control includes:

  • consideration of business value of and legal-regulatory-certificatory standards for information assets affected by the new/changed system(s);
  • consideration of administrative, technical and physical controls available to support security for the system(s);
  • integration of these controls early in system design and requirements specification; and
  • a formal plan for testing and acceptance, including independent evaluation where appropriate.

Authorities: ISO-27002:2005 12.1.1.

Correct processing in applications

This category aims to prevent errors, loss, unauthorized modification or misuse of information in applications.

Authorities: HIPAA 164.312(c)(1)

Input data validation • Data input in applications should be validated to ensure that the data is correct and appropriate. Control includes:

  • use of both automatic and manual methods of data verification and cross-checking, as appropriate; and
  • defined responsibilities and processes for responding to detected errors.

Authorities: ISO-27002:2005 12.2.1.

Control of internal processing • Validation checks should be incorporated into applications to detect the corruption of of information through processing errors or deliberate acts. Control includes:

  • use of both automatic and manual methods of data verification and cross-checking, as appropriate; and
  • defined responsibilities and processes for responding to detected errors.

Authorities: ISO-27002:2005 12.2.2.

Message integrity • Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls identified and implemented.

Authorities: ISO-27002:2005 12.2.3.

Output data validation • Data output from applications should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. Control includes:

  • use of both automatic and manual methods of data verification and cross-checking, as appropriate; and
  • defined responsibilities and processes for responding to detected errors.

Authorities: ISO-27002:2005 12.2.4.

Cryptographic controls

This category aims to protect the confidentiality, integrity and authenticity of information by cryptographic means.

Policy on the use of cryptographic controls • Policies on the use of cryptographic controls for protection of information should be developed and implemented. Control includes:

  • statement of general principles and management approach to the use of cryptographic controls;
  • specifications based on a thorough risk assessment, that considers appropriate algorithm selections, key management and other core features of cryptographic implementations;
  • consideration of legal restrictions on technology deployments;
  • application, as appropriate, to data at rest and fixed-location devices, data transported by mobile/removable media and embedded in mobile devices, and data transmitted over communications links; and
  • specification of roles and responsibilities for implementation of and the monitoring of compliance with the policy

Authorities: ISO-27002:2005 12.3.1.; HIPAA 164.312(a)(2)(iv); HIPAA 164.312(e)(2)(ii); PCI-DSS:2005 3.4, 4;

Key management • Key management policies and processes should be implemented to support an organization's use of cryptographic techniques. Control includes procedures for:

  • distributing, storing, archiving and changing/updating keys;
  • recovering, revoking/destroying and dealing with compromised keys; and
  • logging all transactions associated with keys.

Authorities: ISO-27002:2005 12.3.2.; PCI-DSS:2005 3.5;

Security of system files

Control objective: To ensure the security of system files.

Control of operational software • Procedures should be implemented to control the installation of software on operational systems, to minimize the risk of interruptions in or corruption of information services. Control includes:

  • updating performed only with appropriate management authorization;
  • updating performed only by appropriately trained personnel;
  • only appropriately tested and certified software deployed to operational systems;
  • appropriate change management and configuration control processes for all stages of updating;
  • appropriate documentation of the nature of the change and the processes used to implement it;
  • a rollback strategy in place, including retention of prior versions as a contingency measure; and
  • appropriate audit logs maintained to track changes.

Authorities: ISO-27002:2005 12.4.1.

Protection of system test data • Test data should be selected carefully and appropriately logged, protected and controlled.

Authorities: ISO-27002:2005 12.4.2.

Access control for program source code • Access to program source code should\ be restricted. Control includes:

  • appropriate physical and technical safeguards for program source libraries, documentation, designs, specifications, verification and validation plans; and
  • maintenance and copying of these materials subject to strict change management and other controls.

Authorities: ISO-27002:2005 12.4.3.

Security in development and support processes

This category aims to maintain the security of application system software and information.

Change control procedures • The implementation of changes should be controlled by the use of formal change control procedures. Control includes:

  • a formal process of documentation, specification, testing, quality control and managed implementation;
  • a risk assessment, analysis of actual and potential impacts of changes, and specification of any security controls required;
  • a budgetary or other financial analysis to assess adequacy of resources;
  • formal agreement to and approval of changes by appropriate management; and
  • appropriate notification of all affected parties prior to implementation, on the nature, timing and likely impacts of the changes;
  • scheduling of changes to minimize the adverse impact on business processes.

Authorities: ISO-27002:2005 12.5.1.

Technical review of applications after operating system changes • When operating systems and processes are changed, critical business processes should be reviewed and tested to ensure that there has been no adverse impact.

Authorities: ISO-27002:2005 12.5.2.

Restrictions on changes to software packages • Modifications to software packages should be discouraged, limited to necessary changes, and all changes shall be strictly controlled.

Authorities: ISO-27002:2005 12.5.3.

Information leakage • Opportunities for information leakage should be appropriately minimized or prevented. Control includes:

  • risk assessment of the probable and possible mechanisms for information leakage, and consideration of appropriate countermeasures;
  • regular monitoring of likely information leak mechanisms and sources; and
  • end-user awareness and training on preventive strategies (e.g., to remove meta-data in transferred files).

Authorities: ISO-27002:2005 12.5.4.

Outsourced software development • Outsourced software development should be appropriately supervised and monitored by the organization.

Authorities: ISO-27002:2005 12.5.5.

Technical vulnerability management

This category aims to reduce risks resulting from exploitation of published technical vulnerabilities.

Control of technical vulnerabilities • Timely information about technical vulnerabilities of information systems used by the organization should be obtained, evaluated in terms of organizational exposure and risk, and appropriate countermeasures taken. Control includes:

  • a complete inventory of information assets sufficient to identify systems put at risk by a particular technical vulnerability;
  • procedures to allow timely response to identification of technical vulnerabilities that present a risk to any of the organization's information assets, including a timeline based on the level of risk;
  • defined roles and responsibilities for implementation of countermeasures and other mitigation procedures.

Authorities: ISO-27002:2005 12.6.1.

Article By :

No comments: