Security in Development and Support Processes
Any software development at CX Index will utilise formal change control procedures for any changes to software. This process shall be integrated with the operational change control procedures. The purpose of this policy is to ensure that the security, availability and integrity of system software, systems and information are not compromised when there are changes to software.
The application owners shall be responsible for overseeing the security and control procedures of all changes to their applications. All software changes require formal approval by the application owner. All changes to software will be documented.
Application owners and the Senior Management shall be responsible for ensuring that programmers are only given access to areas of the application that are necessary for the approved work.
Application owners shall oversee the entire application change process prior to change including:
- Maintaining a record of agreed upon authorisation levels
- Ensuring changes are submitted by authorised users
- Performing risk assessment to assure that controls and integrity procedures will not be compromised by changes, that business interruption is kept to an acceptable minimum and that the timing is appropriate for the change
- Identifying all software, information, databases and hardware that require change
- Obtaining formal and detailed proposals and specifications before work commences
- Obtaining formal approval prior to work commencing
Application owners shall oversee the entire application change process during the change including:
- Ensuring change minimized business interruption
- Documentation is updated and old documentation is archived
- Version control is maintained
- Maintaining an audit log of all change requests
- Updating all user procedures
- Ensuring that users accept all changes prior to implementation
Application owners shall oversee the entire application change process after the change including:
- Ensuring that testing is done securely (in a test environment that is segregated from development and operational systems)
- Ensuring that implementation does not disrupt business processes
Patch Management Process
CX Index’s Senior Management will institute a Patch Management process for operating systems and commercial software that will include the following elements:
- Identification of new patch availability
- Assessment of applicability and criticality of patches
- Patching effort timing and methods
- Effects of patches on existing applications
- Testing of patches before deployment
- Documentation of patch levels for various systems and applications
Technical Review of Operating System Changes
CX Index shall review and test all new operating system changes or updates prior to installing them in an operation environment. This will ensure that operational integrity is maintained and that CX Index’s security requirements are met by any new operating system release.
A risk assessment shall be performed prior to the change of any of CX Index’s operating systems that shall include:
- Application control and integrity procedures – will they be compromised by operating system changes?
- Annual support plan and budget – will this cover testing of the new operating system?
- Timing of change – is there enough time to thoroughly test and review new operating system changes?
- Business continuity plans – have they been modified to accommodate changes.
Whenever possible, operating systems shall be maintained at a level supported by the vendor.
Restrictions on Changes to Software Packages
To ensure integrity and security of vendor supplied software packages, as well as to minimise the expense and support issues associated with modified products, CX Index will use standard, unmodified vendor supplied software programs whenever possible.
If modifications must be made, CX Index shall do a risk assessment to clarify and control the following issues:
- Compromise of built in controls and integrity processes
- Vendor requirements for consent
- Impact of future maintenance (Is vendor support still available or will CX Index be responsible?)
Whenever possible CX Index shall request that the vendor makes changes part of a future standard release.
If changes must be made, an original copy of standard software shall be retained and the changes clearly documented in the operational copy.
All changes shall be thoroughly tested prior to use.
All changes shall be clearly documented in case there is a need to reapply the changes.
Covert Channels and Trojan Code
To prevent damage to CX Index systems and applications, CX Index will actively protect its information assets from covert channels and Trojan code.
CX Index will follow the following procedures when acquiring software:
- All programs will be a acquired from reputable sources
- All programs will be acquired in source code (if available)
- All programs that are acquired will have source code verified
- All products shall have source code inspected prior to operational use
- All programs that are acquired shall be evaluated products
Access shall be that which is allowed in CX Index’s access control policy.
Modification to code, if necessary, shall be controlled, monitored, inspected, and only done by those staff clients that have proven their trustworthiness to work on key systems.