1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136
Receptionist: 305-243-6475
Hours: 8:30am - 5:00pm, M-F
Help Desk: 305-243-5999
Hours: 24/7
General fax: 305-243-6417
Admin. fax: 305-243-2622
Asset acquisition, development and maintenance
Objective • Security should be an integral part of asset acquisition, development/deployment and maintenance processes.
Requirements analysis and specification • Statements of business requirements for new information systems, or enhancements to existing information systems, should include specification of the requirements for security controls. This could include:
- consideration of legal, regulatory and certification requirements, and of the business value of the information assets affected by the new or changed systems;
- consideration of administrative, technical and physical controls available to support security for the systems;
- integration of these controls early in the system design and requirements specification; and
- a formal plan for testing and acceptance, including independent evaluation where appropriate.
Correct processing in applications • Systems should be validated with respect to their handling of input data, internal processing, inter-process messaging and output data to prevent errors, loss, unauthorized modification or misuse of information. This could include:
- certification (rating) by external parties of asset performance prior to acquisition;
- audit/review of asset performance after acquisition;
- on-going automatic or manual methods of data verification and cross-checking; and
- defined responsibilities and processes for responding to errors detected by these automatic or manual methods.
Use of cryptographic controls • Appropriate cryptographic controls should be developed and implemented to protect the confidentiality, integrity and authenticity of information. This could include:
- statement of general principles and management approach to the use of cryptographic controls;
- a thorough risk assessment to determine the cryptographic implementation, considering appropriate algorithm selection, key management and other core features of the implementation;
- consideration of legal restrictions on technology deployments;
- application, as appropriate, of the cryptographic controls to data at rest and fixed-location devices, data transported by mobile/removable media and embedded in mobile devices, and data transmitted over communications links; and
- specification of roles and responsibilities for implementation of and the monitoring of compliance with the policy.
Cryptographic key management • Key management policies and processes should be implemented to support an organization's use of cryptographic techniques. This could include standards for:
- distributing, storing, archiving and changing/updating keys;
- recovering, revoking/destroying and dealing with compromised keys; and
- logging all transactions associated with keys.
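The lifecycle above (generate, distribute by key identifier, archive on rotation, revoke and destroy on compromise, log every transaction) is easier to reason about when the key state is explicit in code. The following is an added example, not part of the original policy text: a small versioned HMAC-SHA256 key ring using only the Python standard library. The key identifiers (`k001`, `k002`), the state names, the log record layout and the sample message are assumptions made for the example; a production system would hold key material in an HSM or KMS rather than in process memory.

```python
"""Versioned HMAC key ring: rotation, archival, revocation and an audit log (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Lifecycle states (assumed names for this example)
ACTIVE, ARCHIVED, REVOKED = "active", "archived", "revoked"


@dataclass
class KeyRecord:
    kid: str
    secret: bytes
    state: str = ACTIVE


@dataclass
class KeyRing:
    keys: Dict[str, KeyRecord] = field(default_factory=dict)
    current: Optional[str] = None           # the only key allowed to sign
    audit: List[dict] = field(default_factory=list)

    def _log(self, event: str, kid: Optional[str], **extra) -> None:
        # Every key transaction is recorded (policy item: "logging all transactions")
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "kid": kid, **extra})

    def rotate(self) -> str:
        """Generate a new signing key; the previous one is archived (verify-only)."""
        kid = f"k{len(self.keys) + 1:03d}"
        if self.current is not None:
            self.keys[self.current].state = ARCHIVED
            self._log("archive", self.current)
        self.keys[kid] = KeyRecord(kid, secrets.token_bytes(32))
        self.current = kid
        self._log("generate", kid)
        return kid

    def revoke(self, kid: str, reason: str) -> None:
        """Mark a key compromised/retired and destroy its material."""
        rec = self.keys[kid]
        rec.state = REVOKED
        rec.secret = b""                    # material destroyed; record kept for the audit trail
        self._log("revoke", kid, reason=reason)
        if kid == self.current:
            self.current = None             # rotate() is required before signing resumes

    def sign(self, msg: bytes) -> str:
        if self.current is None:
            raise RuntimeError("no active signing key; rotate() first")
        rec = self.keys[self.current]
        tag = hmac.new(rec.secret, msg, hashlib.sha256).hexdigest()
        self._log("sign", rec.kid)
        return f"{rec.kid}.{tag}"           # key id travels with the tag

    def verify(self, msg: bytes, token: str) -> bool:
        kid, _, tag = token.partition(".")
        rec = self.keys.get(kid)
        if rec is None or rec.state == REVOKED:
            self._log("verify_rejected", kid, reason="unknown or revoked key")
            return False
        expected = hmac.new(rec.secret, msg, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, tag)   # constant-time comparison
        self._log("verify", kid, ok=ok)
        return ok


def demo() -> dict:
    """Walk one key through its lifecycle; the message is constructed for the example."""
    ring = KeyRing()
    k1 = ring.rotate()
    msg = b"transfer:acct=1234;amount=100"
    tok1 = ring.sign(msg)
    ring.rotate()                            # k1 -> archived, k2 -> active
    tok2 = ring.sign(msg)
    results = {
        "old_token_after_rotation": ring.verify(msg, tok1),   # archived key still verifies
        "new_token": ring.verify(msg, tok2),
        "tampered": ring.verify(b"transfer:acct=1234;amount=1000", tok2),
    }
    ring.revoke(k1, "suspected compromise")
    results["old_token_after_revocation"] = ring.verify(msg, tok1)   # now rejected
    results["events"] = [e["event"] for e in ring.audit]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to take from the example is the split between "may sign" and "may verify": rotation keeps the old key verify-only so in-flight tokens keep working, while revocation removes it from both roles and destroys the material, and each transition leaves an audit record.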
Security of operational software • Procedures should be implemented to control the installation of software on operational systems, to minimize the risk of interruptions to or corruption of information services. This could include:
- ad hoc modifications to software packages discouraged (or prohibited), limited to necessary changes, and all changes strictly controlled;
- updating performed only with appropriate management authorization;
- updating performed only by appropriately trained personnel;
- only appropriately tested and certified software deployed to operational systems;
- appropriate change management and configuration control processes for all stages of updating, including documentation of the nature of the change and the processes used to implement it;
- a rollback strategy in place, including retention of prior versions as a contingency measure; and
- appropriate audit logs maintained to track changes.
Security of software code and test data • Access to software source code should be appropriately restricted. This could include:
- appropriate administrative, physical and technical safeguards for program source libraries, documentation, designs, specifications, verification and validation plans;
- test data appropriately logged, protected and controlled; and
- maintenance and copying of these materials subject to strict change management and other controls.
Controls against malicious code • Appropriate controls should be implemented for prevention, detection and response to malicious code. This could include:
- formal policies prohibiting the use or installation of unauthorized software, including controls on obtaining data and software from or via external networks;
- formal policies requiring protective measures, such as installation of anti-virus and anti-spyware software, and for the regular (automatic) updating of such software;
- periodic reviews/scans of installed software and the data content of systems to identify and, where possible, remove any unauthorized software;
- defined procedures for response to identification of malicious code or unauthorized software;
- continuity/recovery plans to deal with system interruptions and failures caused by malicious code; and
- user awareness training on these policies and methods.
Change control procedures • Implementation of changes should be documented and controlled through the use of formal change control procedures. This could include:
- formal processes for specification, testing, quality control and managed implementation;
- risk assessments, analyses of actual and potential impacts of changes, and specifications of any security controls required;
- budgetary or other financial analyses to assess adequacy of resources;
- formal agreements to and approvals of changes by appropriate management;
- requirements for appropriate notifications of all affected parties prior to implementations, on the nature, timing and likely impacts of the changes;
- scheduling of changes to minimize the adverse impact on business processes; and
- review and testing of critical business processes after implementation to ensure that there have been no adverse effects.
Outsourced software development • Outsourced software development should be appropriately supervised and monitored by the organization, using controls similar to those for internal development.
Information leakage • Opportunities for information leakage should be appropriately minimized or prevented. This could include:
- risk assessment of the probable and possible mechanisms for information leakage, and consideration of appropriate countermeasures;
- regular monitoring of likely information leak mechanisms and sources; and
- end-user awareness and training on preventive strategies (e.g., to remove meta-data in transferred files).
Control of technical vulnerabilities • Timely information about technical vulnerabilities of information systems used by the organization should be obtained, evaluated in terms of organizational exposure and risk, and appropriate countermeasures taken. This could include:
- a complete inventory of information assets sufficient to identify systems put at risk by a particular technical vulnerability;
- procedures to allow timely response to identification of technical vulnerabilities that present a risk to any of the organization's information assets, including a timeline based on the level of risk; and
- defined roles and responsibilities for implementation of countermeasures and other mitigation procedures.
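The three items above (an inventory that can be queried by affected product and version, a response timeline driven by risk level, and a named owner for each countermeasure) combine into a triage step that can be automated. The following is an added example, not part of the original policy: a Python script that matches a constructed advisory against a constructed inventory, raises the risk level for internet-exposed assets and assigns a due date from a per-level remediation window. The advisory identifier `VULN-EXAMPLE-0001`, the version ranges, the inventory field names, the exposure uplift rule and the SLA windows are all assumptions for the example, not real vulnerability data or a real CMDB schema.

```python
"""Match an advisory against an asset inventory and assign risk-based deadlines (added example)."""
import re
from datetime import date, timedelta

# Remediation windows in days by risk level (assumed policy values)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
LEVELS = ["low", "medium", "high", "critical"]

# Constructed inventory; field names are assumed, not a real CMDB schema
INVENTORY = [
    {"host": "web-01", "owner": "web-team", "software": "openssl", "version": "1.0.2k", "exposure": "internet"},
    {"host": "db-01", "owner": "dba-team", "software": "openssl", "version": "1.1.1f", "exposure": "internal"},
    {"host": "app-02", "owner": "app-team", "software": "openssl", "version": "1.1.1k", "exposure": "internal"},
    {"host": "bastion-01", "owner": "infra-team", "software": "openssl", "version": "3.0.2", "exposure": "internet"},
    {"host": "file-01", "owner": "infra-team", "software": "nginx", "version": "1.18.0", "exposure": "internal"},
]

# Constructed advisory (not a real CVE); each range is [first_affected, first_fixed)
EXAMPLE_VULN = {
    "id": "VULN-EXAMPLE-0001",
    "software": "openssl",
    "severity": "high",
    "affected": [("1.0.2", "1.0.2u"), ("1.1.1", "1.1.1g")],
}


def parse_version(v: str) -> tuple:
    """Split a version string into comparable parts ("1.0.2k" -> numbers and letter suffixes)."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    # numbers sort as (0, n), letters as (1, s), so 1.0.2 < 1.0.2a < 1.0.2k < 1.1.0
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def is_affected(version: str, ranges) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def risk_level(base_severity: str, asset: dict) -> str:
    """Raise the advisory severity one step for internet-exposed assets (assumed rule)."""
    idx = LEVELS.index(base_severity)
    if asset["exposure"] == "internet":
        idx = min(idx + 1, len(LEVELS) - 1)
    return LEVELS[idx]


def triage(vuln: dict, inventory: list, today: date) -> list:
    """Return affected assets with owner, risk level and due date, earliest deadline first."""
    findings = []
    for asset in inventory:
        if asset["software"] != vuln["software"]:
            continue
        if not is_affected(asset["version"], vuln["affected"]):
            continue
        level = risk_level(vuln["severity"], asset)
        findings.append({
            "vuln": vuln["id"], "host": asset["host"], "owner": asset["owner"],
            "version": asset["version"], "risk": level,
            "due": today + timedelta(days=SLA_DAYS[level]),
        })
    return sorted(findings, key=lambda f: f["due"])


if __name__ == "__main__":
    for f in triage(EXAMPLE_VULN, INVENTORY, date(2024, 1, 15)):
        print(f"{f['host']:<12} {f['version']:<8} {f['risk']:<9} due {f['due']} ({f['owner']})")
```

Run against the constructed data, only the two hosts inside an affected range are reported; the internet-facing one is escalated from high to critical and gets the shorter window, and each finding names the owner who must act. The version comparison is deliberately not plain string ordering, since "1.1.1k" sorts after "1.1.1g" only when letters are compared after the numeric components.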
SOURCES: ISO/IEC 27001/27002:2005 sects. 12.1 – 12.6 (controls against malicious code: sect. 10.4.1).