A.14 System acquisition, development and maintenance
Version: 3.0
Valid until: 2024-04-10
Classification: Low
Version Management
Version | Author(s) | Change(s) | Date approved |
1.0 | Stefan van Aalst Edward Robinson Sarang Kulkarni Johanna Hakonen | Initiation document | 2022-07-07 |
1.1 | Edward Robinson Johanna Hakonen | Additions/changes as part of the periodic review and improvement.
Renamed to A.14 System acquisition, development and maintenance from B19 Secure Development. | 2022-12-21 |
2.0 | Edward Robinson | Additions/changes as part of the annual review.
No changes were made.
| 2023-05-19 |
3.0 | Edward Robinson | Additions/changes as part of the annual review.
Added a link to 12.1.1 under 14.2.2.
| |
Purpose & background
In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintain and continually improve an information management system in accordance with the requirements of the ISO 27001:2017.
The purpose of this document is to describe the system acquisition, development and maintenance policy of anDREa and the associated controls, checks and administrations.
Annex controls that are considered not-applicable are:
This document will be reviewed at least annually and when significant change happens.
Objectives
The objectives of this control are:
To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks (A.14.1).
To ensure that information security is designed and implemented within the development lifecycle of information systems (A.14.2).
To ensure the protection of data used for testing (A.14.3).
Scope
The scope of this document corresponds to Clause 4 Context of the organisation.
Availability
This document is:
Norm elements
A.14.1.1 Information security requirements analysis and specification
“The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.”
Secure development is described in A.14.2.1 Secure development policy. anDREa has implemented a DevOps sprintboard to register (information security) requirements of the code to be developed. Designs are created to support the desired solution. The (information security) requirements are given a priority during the sprint planning.
A.14.1.2 Securing application services on public networks
“Information involved in application services passing over public networks shall be protected from the fraudulent activity, contract dispute and unauthorised disclosure and modification.”
A.14.1.3 Protecting application services transactions
“Information involved in application service transactions shall be protected to prevent incomplete transmission, miss-routing, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay.”
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy
“Rules for the development of software and systems shall be established and applied to developments within the organisation.”
A.14.2.2 System change control procedures
“Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.”
A.14.2.3 Technical review of applications after operating platform changes
“When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security.”
A.14.2.4 Restrictions on changes to software packages
“Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.”
anDREa only allows changes being made to SaaS applications which are developed in-house, such as the myDRE environment in accordance with A.12.1.2 Change management. Modifications to other SaaS applications used by anDREa are discouraged.
A.14.2.5 Secure system engineering principles & A.14.2.6 Secure development environment
“Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.”
“Organisations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.”
A.14.2.8 System security testing & A.14.2.9 System acceptance testing
“Testing of security functionality shall be carried out during development.”
“Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.”
A.14.3 Test data
A.14.3.1 Protection of test data
“Test data shall be selected carefully, protected and controlled.”
The data which is used for testing is not derived from the production environment nor from customers/users.
Administrations
Related Articles
Virtual Machine maintenance
Introduction Workspaces on myDRE typically consist of one or more Virtual Machines (VMs). VMs on myDRE can have two different operating systems (CentOS and Windows Server 2019; Ubuntu coming soon). Moreover, a plethora of software can be installed on ...
A.14.2.5 Secure system engineering principles
Version: 3.0 Valid until: 2025-04-10 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Sarang Kulkarni Initiation document 2022-07-07 1.1 Edward Robinson Additions/changes as part of ...
A.14.2.1 Secure development policy
Version: 3.0 Valid until: 2025-04-10 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Sarang Kulkarni Johanna Hakonen Initiation document 2022-07-07 1.1 Edward Robinson ...
A.8.29: Security testing in development and acceptance
Version: 3.0 Valid until: 2025-04-10 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Initiation document 2022-07-07 1.1 Edward Robinson Johanna Hakonen Sayali Shitole Additions/changes as part of ...
anDREa feature development plan
Roadmap Version: 2022-09-02 Update: 2024-02-23 anDREa is committed to transparency and the best interest of the research ecosystem. We are and will always be developing by, for, and with stakeholders in the research ecosystem. The following ...