T7.1 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE POLICY
OBJECTIVE
To maintain an information systems acquisition, development and maintenance policy covering the security of information systems throughout their lifecycle.
PERFORMANCE INDICATOR
Extent of information systems acquisition, development and maintenance policy deployment and adoption across the entity.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable information systems acquisition, development and maintenance policy
- Partial information systems acquisition, development and maintenance policy not covering the entire asset lifecycle
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T7.1.1 - P4 - INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE POLICY
- T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
T7.2 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
OBJECTIVE
To ensure that security requirements are established and functionally integrated into information systems
PERFORMANCE INDICATOR
Percentage of systems implementations accepted into service with all security requirements implemented
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Equipment malfunction
- Abuse of functionality
APPLICABLE CONTROLS
The following controls are applicable to this control family.
T7.3 CORRECT PROCESSING IN APPLICATIONS
OBJECTIVE
To prevent errors, loss, unauthorized modification or misuse of information in applications
PERFORMANCE INDICATOR
Percentage of systems for which data validation controls have been adequately defined, implemented, and proven effective by thorough testing
AUTOMATION GUIDANCE
Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software, along with manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The Common Weakness Enumeration (CWE) initiative is used by many such tools to identify the weaknesses that they find. Entities can also use CWE to determine which types of weaknesses they are most interested in addressing and removing. When evaluating the effectiveness of testing for these weaknesses, MITRE’s Common Attack Pattern Enumeration and Classification can be used to organize and record the breadth of the testing for the CWEs and to enable testers to think like attackers in their development of test cases.
RELEVANT THREATS AND VULNERABILITIES
- Software malfunction
- Illegal processing of data
- Injection flaws, such as SQL, OS, and LDAP
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T7.3.1 - P2 - INPUT DATA VALIDATION
- T7.3.2 - P2 - CONTROL OF INTERNAL PROCESSING
- T7.3.3 - P2 - MESSAGE INTEGRITY
- T7.3.4 - P2 - OUTPUT DATA VALIDATION
T7.4 CRYPTOGRAPHIC CONTROLS
OBJECTIVE
To protect the confidentiality, authenticity or integrity of information by cryptographic means.
PERFORMANCE INDICATOR
Percentage of systems containing valuable/sensitive data for which suitable cryptographic controls have been fully implemented
AUTOMATION GUIDANCE
Cryptography can only be performed through the use of automated cryptographic systems. These systems should automate all processes, including key generation, distribution, revocation, restoration, etc.
RELEVANT THREATS AND VULNERABILITIES
- Weak cryptography used for sensitive data
- Eavesdropping / Packet sniffing
- Sensitive Data Exposure
APPLICABLE CONTROLS
The following controls are applicable to this control family.
T7.5 SECURITY OF SYSTEM FILES
OBJECTIVE
To ensure the security of system files.
PERFORMANCE INDICATOR
Percentage of systems assessed as fully compliant with the information systems acquisition, development and maintenance policy
AUTOMATION GUIDANCE
Security of system files can only be achieved through the use of automated controls, including but not limited to file permission restrictions, file access logging, and file hashing for integrity checking.
RELEVANT THREATS AND VULNERABILITIES
- Unauthorized access to system files
- Corruption of data
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T7.5.1 - P4 - CONTROL OF OPERATIONAL SOFTWARE
- T7.5.2 - P3 - PROTECTION OF SYSTEM TEST DATA
- T7.5.3 - P3 - ACCESS CONTROL TO PROGRAM SOURCE CODE
T7.6 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
OBJECTIVE
To maintain the security of application system software and information
PERFORMANCE INDICATOR
Number of cases where the change management processes have not been executed correctly
AUTOMATION GUIDANCE
The entity should adopt technical solutions to monitor application and program changes/updates.
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable security for development and support processes
- Lack of proper technical review of applications after operating system changes
- Leakage of information
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T7.6.1 - P3 - CHANGE CONTROL PROCEDURES
- T7.6.2 - P3 - TECHNICAL REVIEW OF APPLICATIONS AFTER OPERATING SYSTEM CHANGES
- T7.6.3 - P2 - RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
- T7.6.4 - P2 - INFORMATION LEAKAGE
- T7.6.5 - P3 - OUTSOURCED SOFTWARE DEVELOPMENT
T7.8 SUPPLY CHAIN MANAGEMENT
OBJECTIVE
To protect against supply chain threats and secure the supply of information systems
PERFORMANCE INDICATOR
Percentage of information systems received within the acceptable time frame and validated as genuine
Number of vendors/third parties compliant with the policy for acquisition of products and services
AUTOMATION GUIDANCE
An automated support system should be used to support tracking of products and services received and verification of compliance with entity policies.
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable supply chain strategy
- Use of counterfeit or copied software
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T7.8.1 - P4 - SUPPLY CHAIN PROTECTION STRATEGY
- T7.8.2 - P4 - SUPPLIER REVIEWS
- T7.8.3 - P4 - LIMITATION OF HARM
- T7.8.4 - P4 - SUPPLY CHAIN OPERATIONS SECURITY
- T7.8.5 - P4 - RELIABLE DELIVERY
- T7.8.6 - P3 - PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES
- T7.8.7 - P4 - SUPPLY OF CRITICAL INFORMATION SYSTEMS COMPONENTS