12. Information Systems

Information Systems Acquisition, Development & Maintenance

Control objective: to ensure that security is an integral part of information systems

12.1 Security Requirements of Information Systems

    12.1.1 Security requirements analysis and specification
    Statements of business requirements for new information systems, or for enhancements to existing information systems, specify the requirements for security controls. The Organisation carries out a risk assessment (in line with DOC 4.4; see sub section 4.4) at the requirements stage of specifying any new information system, or enhancement to an existing system, irrespective of whether it will be a bespoke system or a commercial off-the-shelf product. Required controls are identified, and the [Head of Procurement] is responsible for ensuring that these controls are integrated into the [purchase decision], the specification and the purchase contract. The Information Security Manager is responsible for ensuring that required manual controls are designed and implemented. Application controls that ensure correct processing are also (where appropriate) considered at the design stage. Software is subject to testing and formal approval in line with DOC 10.10; non-compliant products are not accepted. The Organisation accepts products tested and evaluated in line with Appendix V.

12.2 Correct Processing in Applications

Control objective: to prevent errors, loss, unauthorized modification or misuse of information in applications

    12.2.1 Input data validation

    Data input to applications is provided from external sources, and responsibility for its accuracy lies outside the scope of this ISMS.

    12.2.2 Control on internal processing

    Validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

    12.2.3 Message integrity

    Requirements for ensuring authenticity and protecting message integrity in applications have been identified, and appropriate controls have been identified and implemented.

    12.2.4 Output data validation

    Data output from an application is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

12.3 Cryptographic Controls

Control objective: to protect the confidentiality, authenticity or integrity of information by cryptographic means

    12.3.1 Policy on the use of cryptographic controls

    The Organisation has a policy on its use of cryptographic controls for the protection of its information, as set out below. The Organisation applies cryptographic controls to secure its confidential communications and information carried beyond its secure logical perimeter, to secure connections from beyond its logical perimeter, and to secure its online business (as required in DOC 10.17). The Information Security Manager is responsible for maintaining DOC 12.1, which sets out, for each situation in which cryptographic controls are required under this policy, the type of algorithm and the key length required, and identifies the precise instructions for using that cryptographic control. He is responsible for key management and [key generation] as set out in DOC 12.1. Each asset Owner whose information asset falls within the scope of this policy is responsible for ensuring that the required cryptographic control is applied. The Information Security Manager is responsible for the configuration of devices as required by this policy.

    12.3.2 Key management

    Key management, as documented in DOC 12.2, supports the Organisation's use of cryptographic techniques.

12.4 Security of System Files

Control objective: to ensure the security of system files

    12.4.1 Control of operational software

    The installation of software on operational systems is controlled in line with DOC 12.3.

    12.4.2 Protection of system test data

    Test data is selected, protected and controlled in line with DOC 10.10.

    12.4.3 Access control to program source code

    Access to program source code is restricted in line with DOC 10.15.

12.5 Security in Development & Support Processes
Control objective: to maintain the security of application system software and information

    12.5.1 Change control procedures

    The implementation of changes is controlled by the use of the formal change control procedures set out in DOC 10.7.

    12.5.2 Technical review of applications after operating system changes

    When operating systems are changed, business critical applications are reviewed and tested in line with DOC 10.10 to ensure there is no adverse impact on organisational operations or security.

    12.5.3 Restrictions on changes to software packages

    The Organisation does not seek bespoke modifications to commercial software packages.

    12.5.4 Information leakage

    Controls are applied to limit the opportunities for information leakage. The Organisation regularly monitors personnel and system activities, as well as resource usage in computer systems, as described in sub section 5.1.1 of this manual. Malware that might create covert channels is controlled through the anti-malware software (see 10.4) and User Agreements (see 11.2 and 11.3).

    12.5.5 Outsourced software development

    The Organisation does not outsource software development.

12.6 Technical Vulnerability Management
Control objective: to prevent the damage resulting from exploitation of published technical vulnerabilities

    12.6.1 Control of technical vulnerabilities
      Timely information about technical vulnerabilities in the information systems used by the Organisation is obtained, the Organisation's exposure to those vulnerabilities is evaluated, and DOC 12.4 sets out the measures taken to address the associated risks.

      Adlin Hisyamuddin
      Information Security Manager



      08 November, 2007

      Change history

      Issue 1 08 November, 2007 Initial issue