Information Systems Acquisition, Development & Maintenance
12.1 Security Requirements of Information Systems
Control objective: to ensure that security is an integral part of information systems
12.1.1 Security requirements analysis and specification
Statements of business requirements for new information systems, or enhancements to existing information systems, specify the requirements for security controls.
12.1.1.1 The Organisation carries out a risk assessment (in line with DOC 4.4, and see sub section 4.4) at the requirements stage of specifying any new information systems, or enhancements to existing systems (irrespective of whether they will be bespoke systems or commercial off the shelf systems). Required controls are identified and the [Head of Procurement] is responsible for ensuring that these controls are integrated into the [purchase decision], specification and purchase contract. The Information Security Manager is responsible for ensuring that required manual controls are designed and implemented.
12.1.1.2 Application controls that ensure correct processing are also (where appropriate) considered at the design stage.
12.1.1.3 Software is subject to testing and formal approval in line with DOC 10.10; non-compliant products are not accepted.
12.1.1.4 The Organisation accepts products tested and evaluated in line with Appendix V.
12.2 Correct Processing in Applications
Control objective: to prevent errors, loss, unauthorized modification or misuse of information in applications
12.2.1 Input data validation
Data input to applications is provided from an external source and the responsibility for its accuracy is outside this ISMS.
12.2.2 Control on internal processing
Validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
12.2.3 Message integrity
Requirements for ensuring authenticity and protecting message integrity in applications have been identified, and appropriate controls identified and implemented
12.2.4 Output data validation
Data output from an application is validated to ensure that the processing of stored information is correct and appropriate to the circumstances
12.3 Cryptographic Controls
Control objective: to protect the confidentiality, authenticity or integrity of information by cryptographic means
12.3.1 Policy on the use of cryptographic controls
The Organisation has a policy on its use of cryptographic controls for protection of its information, as set out below
12.3.1.1 The Organization applies cryptographic controls to secure its confidential communications and information carried beyond its secure logical perimeter, to secure connections from beyond its logical perimeter, and to secure its online business (as required in DOC 10.17). The Information Security Manager is responsible for maintaining DOC 12.1, which sets out, for each situation in which cryptographic controls are required under this policy, the type and length of the encryption algorithm required, and identifies the precise instructions required to use that cryptographic control. He is responsible for key management and [key generation] as set out in DOC 12.1. Each asset Owner, whose information asset falls within the scope of this policy, is responsible for ensuring that the required cryptographic control is applied. The Information Security Manager is responsible for configuration of devices as required by this policy.
12.3.2 Key management
Key management, as documented in DOC 12.2, supports the Organization's use of cryptographic techniques
12.4 Security of System Files
Control objective: to ensure the security of system files
12.4.1 Control of operational software
The installation of software on operational systems is controlled by DOC 12.3
12.4.2 Protection of system test data
Test data is selected, protected and controlled in line with DOC 10.10.
12.4.3 Access control to program source code
Access to program source code is restricted in line with DOC 10.15
12.5 Security in Development & Support Processes
Control objective: to maintain the security of application system software and information
12.5.1 Change control procedures
The implementation of changes is controlled by the use of the formal change control procedures set out in DOC 10.7.
12.5.2 Technical review of applications after operating system changes
When operating systems are changed, business critical applications are reviewed and tested in line with DOC 10.10 to ensure there is no adverse impact on organisational operations or security.
12.5.3 Restrictions on changes to software packages
The Organisation does not seek bespoke modifications to commercial software packages.
12.5.4 Information leakage
Controls are applied to limit the opportunities for information leakage
12.5.4.1 The Organisation regularly monitors personnel and system activities, as well as resource usage in computer systems, as described in sub section 5.1.1 of this manual.
12.5.4.4 Malware that might cause covert channels is controlled through the anti-malware software (see 10.4) and User Agreements (see 11.2 and 11.3).
12.5.5 Outsourced software development
The Organization does not outsource software development
12.6 Technical Vulnerability Management
Control objective: to prevent the damage resulting from exploitation of published technical vulnerabilities
12.6.1 Control of technical vulnerabilities
Timely information about technical vulnerabilities of information systems used by the Organisation is obtained, the Organisation’s exposure to those vulnerabilities evaluated, and DOC 12.4 sets out the measures taken to address the associated risks.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue