Guideline 33. Security in application development


The institution implements security measures in software application development, especially for Internet-based applications.

Guideline code
ICT_04200
Mechanism
  • When designing and implementing security for software applications, the ICT unit should:
    • Develop and issue an internal manual to enforce information security in software applications, especially those accessed through the Internet;
    • Ensure that preventive measures are in place before application development begins; these measures should pay special attention to separating the application execution environments (development, testing and operation/production) and to assigning staff responsibilities for each;
    • Ensure that the security rules to be applied in application development and maintenance processes are specified and, in particular, oriented to reducing the risk of intrusion and disruption of services;
    • Implement security measures for the configuration and administration of web servers, especially those that provide access to internal and critical information systems.
  • The internal audit office, and specialized units if they exist, should establish standard procedures to monitor compliance with security protection rules in business applications.
Structure
  • The board and management, with the assistance of specialized units, should establish internal security policies for software applications, especially those accessed through the Internet.
  • The ICT unit should design and implement an internal guide to enforce the systematic application of information security practices in software applications.
  • The contracts administration office should include these internal regulations and specifications in requests for proposals and contract documents.
  • The internal audit office should monitor compliance with the established internal regulations.
  • Policies and procedures on security in application development should be based on the institutional information security management framework, the international standard ISO/IEC 27002:2005 Information technology – Security techniques, and recommendations issued by the National Institute of Standards and Technology (NIST).