A.14 System acquisition, development and maintenance

Version: 3.0

Valid until: 2024-04-10

Classification: Low

Version Management


| Version | Author(s) | Change(s) | Date approved |
|---|---|---|---|
| 1.0 | Stefan van Aalst, Edward Robinson, Sarang Kulkarni, Johanna Hakonen | Initiation document | 2022-07-07 |
| 1.1 | Edward Robinson, Johanna Hakonen | Additions/changes as part of the periodic review and improvement. Renamed to A.14 System acquisition, development and maintenance from B19 Secure Development. | 2022-12-21 |
| 2.0 | Edward Robinson | Additions/changes as part of the annual review. No changes were made. | 2023-05-19 |
| 3.0 | Edward Robinson | Additions/changes as part of the annual review. Added a link to 12.1.1 under 14.2.2. | |

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the system acquisition, development and maintenance policy of anDREa and the associated controls, checks and administrations.


Annex controls that are considered not applicable are:


  • A.14.2.7 Outsourced development

    • Because: anDREa does not outsource software development.


This document will be reviewed at least annually and whenever significant changes occur.

Objectives


The objectives of this control are:


  • To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks (A.14.1).

  • To ensure that information security is designed and implemented within the development lifecycle of information systems (A.14.2).

  • To ensure the protection of data used for testing (A.14.3).

Scope

The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.14.1 Security requirements of information systems

A.14.1.1 Information security requirements analysis and specification


“The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.”


Secure development is described in A.14.2.1 Secure development policy. anDREa has implemented a DevOps sprintboard to register (information security) requirements of the code to be developed. Designs are created to support the desired solution. The (information security) requirements are given a priority during the sprint planning.

A.14.1.2 Securing application services on public networks


“Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorised disclosure and modification.”


anDREa uses access and cryptographic controls as described in A.9 Access control and A.10 Cryptography to secure data passing over public networks.

A.14.1.3 Protecting application services transactions


“Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay.”


anDREa uses access and cryptographic controls as described in A.9 Access control and A.10 Cryptography to protect information involved in application service transactions.

A.14.2 Security in development and support processes

A.14.2.1 Secure development policy


“Rules for the development of software and systems shall be established and applied to developments within the organisation.”


The secure development policy is described in A.14.2.1 Secure development policy.

A.14.2.2 System change control procedures


“Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.”


anDREa uses the DevOps sprintboard to track the stages of the development cycle: New, Approved, Committed, Peer Review, Testing, Ready for Acceptance, Acceptance, Ready for Production, Done. A full description can be found in A.12.1.1 Documented operating procedures.

A.14.2.3 Technical review of applications after operating platform changes


“When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security.”


anDREa uses anti-user story testing, which is registered in the ticket. In addition, code is reviewed by other developers, who verify it against the requirements, followed by extensive testing in accordance with A.14.2.8 System security testing & A.14.2.9 System acceptance testing.

A.14.2.4 Restrictions on changes to software packages


“Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.”


anDREa only allows changes to SaaS applications that are developed in-house, such as the myDRE environment, in accordance with A.12.1.2 Change management. Modifications to other SaaS applications used by anDREa are discouraged.

A.14.2.5 Secure system engineering principles & A.14.2.6 Secure development environment


“Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.”


“Organisations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.”


Principles for engineering secure systems are described in A.14.2.5 Secure system engineering principles.

A.14.2.8 System security testing & A.14.2.9 System acceptance testing


“Testing of security functionality shall be carried out during development.”


“Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.”



A.14.3 Test data

A.14.3.1 Protection of test data


“Test data shall be selected carefully, protected and controlled.”


The data used for testing is derived neither from the production environment nor from customers/users.

Administrations

