A.12 Information systems acquisition, development and maintenance
A.12.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.
A.12.1.1 Security requirements analysis and specification
Control
Statements of business requirements for new information systems, or enhancements to
existing information systems shall specify the requirements for security controls.
A.12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in
applications.
A.12.2.1 Input data validation
Control
Data input to applications shall be validated to ensure that this data is correct and
appropriate.
A.12.2.2 Control of internal processing
Control
Validation checks shall be incorporated into applications to detect any corruption of
information through processing errors or deliberate acts.
A.12.2.3 Message integrity
Control
Requirements for ensuring authenticity and protecting message integrity in applications
shall be identified, and appropriate controls identified and implemented.
A.12.2.4 Output data validation
Control
Data output from an application shall be validated to ensure that the processing of stored
information is correct and appropriate to the circumstances.
A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by
cryptographic means.
A.12.3.1 Policy on the use of cryptographic controls
Control
A policy on the use of cryptographic controls for protection of information shall be
developed and implemented.
A.12.3.2 Key management
Control
Key management shall be in place to support the organization's use of cryptographic
techniques.
A.12.4 Security of system files
Objective: To ensure the security of system files.
A.12.4.1 Control of operational software
Control
There shall be procedures in place to control the installation of software on operational
systems.
A.12.4.2 Protection of system test data
Control
Test data shall be selected carefully, and protected and controlled.
A.12.4.3 Access control to program source code
Control
Access to program source code shall be restricted.
A.12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.
A.12.5.1 Change control procedures
Control
The implementation of changes shall be controlled by the use of formal change control
procedures.
A.12.5.2 Technical review of applications after operating system changes
Control
When operating systems are changed, business critical applications shall be reviewed and
tested to ensure there is no adverse impact on organizational operations or security.
A.12.5.3 Restrictions on changes to software packages
Control
Modifications to software packages shall be discouraged, limited to necessary changes,
and all changes shall be strictly controlled.
A.12.5.4 Information leakage
Control
Opportunities for information leakage shall be prevented.
A.12.5.5 Outsourced software development
Control
Outsourced software development shall be supervised and monitored by the organization.
A.12.6 Technical vulnerability management
Objective: To reduce risks resulting from exploitation of published technical
vulnerabilities.
A.12.6.1 Control of technical vulnerabilities
Control
Timely information about technical vulnerabilities of information systems being used
shall be obtained, the organization's exposure to such vulnerabilities evaluated, and
appropriate measures taken to address the associated risk.
