
| Item | Value |
| --- | --- |
| Organization | Information Dynamics |
| Document Name | Application Development Policy |
| Classification | Internal |
| Compliance Reference To | ISO 27001:2013 |
| Date | Version | Prepared By |
| --- | --- | --- |
| 1st November 2018 | 1.1 | Information Dynamics |
| 10th June 2019 | 1.2 | Information Dynamics |
| 29th Dec 2019 | 1.3 | Added ISO 27001 Controls reference |
| 24th Dec 2020 | 1.4 | Review of policy |
| 24th Dec 2021 | 1.5 | Review of policy |
| 29th Dec 2022 | 1.6 | Annual Review |
| Reviewed By | Version | Date | Signature |
| --- | --- | --- | --- |
| Shibin | 1.3 | 29-Dec-2019 | |
| Shibin | 1.4 | 26-Dec-2020 | |
| Shibin | 1.5 | 26-Dec-2021 | |
| Shibin | 1.6 | 29-Dec-2022 | |
The purpose of this policy is to define the security controls to be implemented in the application development environment.
ISO 27001:2013 Domain Reference: A.14 – System Acquisition, Development and Maintenance

| ISO 27001:2013 Reference | Control |
| --- | --- |
| A.14.1.1 | Information security requirements analysis and specification |
| A.14.1.2 | Securing application services on public networks |
| A.14.2.1 | Secure development policy |
| A.14.2.2 | System change control procedures |
| A.14.2.3 | Technical review of applications after operating platform changes |
| A.14.2.4 | Restrictions on changes to software packages |
| A.14.2.5 | Secure system engineering principles |
| A.14.2.6 | Secure development environment |
| A.14.2.8 | System security testing |
| A.14.2.9 | System acceptance testing |
The scope of the policy will be applicable to all activities under the scope statement of Information Dynamics.
Information Security requirements need to be gathered during the initial phase of the project.
Security requirements shall be implemented in all architecture layers (business, data, applications and technology). New technology should be analysed for risks prior to development.
There must be separate Development, Test and Production environments.
There must be proper and defined segregation of duties between personnel assigned to the development/test environment and personnel assigned to the production environment.
Production data (e.g. live PANs) must not be used for testing and development, or must be sanitized before use.
Test data and accounts must be removed before a production system becomes active.
Custom application accounts, usernames and/or passwords must be removed before the system goes into production or is released to customers.
Access to source code needs to be provided on a need to know basis only.
Access to source code shall be reviewed as per the access control policy.
Custom code reviews must be performed by individuals other than the originating code author prior to release to production or customers, in order to identify any potential coding vulnerability.
Code reviews for custom software development, as part of the System Development Life Cycle (SDLC), can be conducted by internal personnel.
Code reviews must be assessed from a security perspective to ensure there are no backdoors or malicious code added.
Change control procedures must be followed for all system and software configuration changes.
For each change there must be management sign-off by appropriate parties.
Operational functionality testing must be performed for each change.
Back-out procedure must be defined for each change.
All web applications must be developed based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. This is to prevent common coding vulnerabilities in software development processes.
All web-facing applications must be protected against known attacks by either of the following methods:
Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security; or
Installing an application-layer firewall in front of web-facing applications.