Guidelines for auditing include: obtaining management approval for the access and scope of tests, limiting that access to read-only, verifying security requirements for the devices used to access systems, permitting only copies of system files to be made available, formulating and agreeing on special requests, running tests outside business hours to minimize impact, and reviewing and recording … [Read more...] about 8.34 Protection of information systems during audit testing
8.33 Test information
Test information must be chosen carefully to ensure test results' reliability and confidentiality. No one should copy sensitive information into development or testing environments. To protect operational information copies, protocols to control access, authorization, logging, masking, and proper deletion should be applied. Testing data should be securely stored and used solely … [Read more...] about 8.33 Test information
8.32 Change management
New and major system changes should follow necessary procedures and a managed implementation process, with planning, authorization, testing, and contingency plans in place. Any changes should be preserved as records, and the organization should update operating documentation and user protocols accordingly. Procedures to change any controls should cover the whole system … [Read more...] about 8.32 Change management
8.31 Separation of development, test and production environments
To prevent production problems, separate development and production systems, implement deployment rules, and test changes before deployment. Organizations should protect all development and testing areas with protected configuration, access control, monitoring, and backups. A single user should not be able to change both production and development environments without prior review and … [Read more...] about 8.31 Separation of development, test and production environments
8.30 Outsourced development
For outsourced system development, organizations should define and agree on requirements and continually review whether the externally sourced work meets expectations. Considerations should include licensing agreements, contractual standards for secure design and testing, provision of threat models, acceptance testing, evidence of security and privacy capability, sufficient … [Read more...] about 8.30 Outsourced development
8.29 Security testing in development and acceptance
Any newly acquired information system should undergo security testing during development. Testing should cover security functions, secure coding, and secure configurations. Test plans should be proportionate and include criteria for evaluation. Automated tools can be used for testing, and outsourced development should follow a process for acquiring contracts addressing security … [Read more...] about 8.29 Security testing in development and acceptance
8.28 Secure coding
Establish org-wide processes for secure coding; monitor threats and vulnerabilities. Plan for secure coding with specific expectations, tools, and qualifications. During coding, use secure programming and testing practices. After deployment, handle reported vulnerabilities and log errors. Manage external tools and libraries, consider modifications carefully. … [Read more...] about 8.28 Secure coding
8.27 Secure system architecture and engineering principles
Establish and document security engineering guidelines for information system engineering. Design security on each level and analyze new technology for security purposes. Principles should include safe session controls, valid data, and authentication techniques. Analyze each security control, their capabilities, any needed controls required by business processes, places needing … [Read more...] about 8.27 Secure system architecture and engineering principles
8.26 Application security requirements
Identify and specify app security needs, determined through risk assessment with InfoSec experts. Requirements include trust, information type, access segregation, resilience, legal/regulatory requirements, privacy, data protection/encryption, input/output controls, error handling. For transactional and payment applications, consider identity/integrity trust, authorization, … [Read more...] about 8.26 Application security requirements
8.25 Secure development life cycle
To achieve secure development of a service, software or system, consider:

- Separating development, testing, and production areas
- Providing security guidance during all events during software development
- Implementing security standards during design and specification phases
- Including checkpoints to secure projects
- Conducting security testing for systems
- Using … [Read more...] about 8.25 Secure development life cycle
8.24 Use of cryptography
Consider the following for using cryptography: organizational policy on cryptography, identifying level of protection and classification, key management, standards, and impact on inspecting content. Adhere to regulations and nation-specific requirements, and address cross-border transfers of encrypted data. Service agreements should cover liability, reliability, and response … [Read more...] about 8.24 Use of cryptography
8.23 Web filtering
Reduce risk of personnel accessing illegal, virus-infected or phishing websites by blocking their IP/domain. Identify the sites personnel should not access (e.g. malicious, illegal content) and follow rules for safe and work-appropriate online resource use. Train personnel on secure and work-appropriate online resource use, including not overriding browser advisories and … [Read more...] about 8.23 Web filtering
8.22 Segregation of networks
Large networks can be secured by separating domains based on trust, criticality, sensitivity, and organizational units. Every domain perimeter should be precisely defined, and organizations should control access between domains with a gateway based on security requirements. WiFi networks need particular attention, and adjusting radio coverage should be considered for … [Read more...] about 8.22 Segregation of networks
8.21 Security of network services
Implement security measures for specific services, ensure providers implement them, and monitor providers. Formulate and implement rules on network use, including authentication and authorization procedures. Consider security features, like encryption and authentication, for network services. Also, consider caching and usage procedures for restricting access to applications. … [Read more...] about 8.21 Security of network services
8.20 Networks security
Secure information networks and connected applications from unauthorized use. Consider information classification, device management procedures, network documentation, separating network and ICT system activities, safeguarding data confidentiality, monitoring, logging, coordinating network administration, authenticating systems, restricting and reviewing connections, detecting … [Read more...] about 8.20 Networks security
8.19 Installation of software on operational systems
Guidelines for secure change and software installation on operational systems:

- Trained admins update operational software with management authorization
- Have approved usable code installed, after extensive testing
- Rollback strategy defined beforehand
- Audit log maintained for updates
- Outdated software is archived with required info and supporting software
- Consider … [Read more...] about 8.19 Installation of software on operational systems
8.18 Use of privileged utility programs
It is advisable to restrict the use of utility programs to trusted, authorized users, with identity verification, authentication, approval procedures, and defined levels of authorization. Users whose duties require application access should be considered separately from those who need access to utility programs. Eliminate redundant programs, and keep utility programs separate from applications and other … [Read more...] about 8.18 Use of privileged utility programs
8.17 Clock synchronization
Document and implement standards for time, synchronization, and correctness from legal, regulatory, contractual, and in-house observation needs. Define the specific reference time for each system, and use clocks linked to radio time broadcasts or GPS for logging systems. Use NTP or PTP to synchronize networked systems with the reference clock. Use two outside time references to … [Read more...] about 8.17 Clock synchronization
8.16 Monitoring activities
Monitoring should follow business and security needs, and applicable legal requirements and regulations. Monitoring systems should involve networks, systems, application traffic, system access and critical applications, configuration files, security tool logs, event logs, and resource use. The organization should create a profile of expected behavior, configure the monitoring … [Read more...] about 8.16 Monitoring activities
8.15 Logging
Organizations should create a logging policy that includes event log requirements, protection, and handling of log data. Event logs include user IDs, system activities, dates, times, relevant events and their details, device IDs, system identifiers, locations, network addresses, and agreements. Users should not delete logs of their activities, and controls should protect … [Read more...] about 8.15 Logging