System Acquisition, Development & Maintenance Policy

Security Classification: Public
Version: 1.1 (May 2025)

Security Requirements for Information Systems

Information Security Requirements Analysis and Specification

During the requirements phase, Information Owners must:

  • Identify security requirements to protect information systems prior to developing, implementing major changes to, or acquiring information systems
  • Assign a security classification to the information and information system.

During the development and acquisition phase, Information Owners must:

  • Ensure development or acquisition activities are performed in accordance with documented requirements, standards, and procedures
  • Ensure testing of information systems to verify functionality
  • Enforce change control processes to identify and document modification or changes which may compromise security controls or introduce security weaknesses.

Securing Application Services on Public Networks

Information Owners and Information Custodians must protect application services passing over public networks, considering the following:

  • The level of confidence each party requires in each other’s claimed identity, for example, through authentication.
  • Authorization processes associated with who may approve contents of, issue or sign key transactional documents.
  • Ensuring that communicating partners are fully informed of their authorizations for provision or use of the service.
  • Determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents and the non-repudiation of contracts, for example, associated with tendering and contract processes.
  • The level of trust required in the integrity of key documents.
  • The protection requirements of any confidential information.
  • The confidentiality and integrity of any order transactions, payment information, delivery address details and confirmation of receipts.
  • The degree of verification appropriate to verify payment information supplied by a customer.
  • Selecting the most appropriate settlement form of payment to guard against fraud.
  • The level of protection required to maintain the confidentiality and integrity of order information.
  • Avoidance of loss or duplication of transaction information.
  • Liability associated with any fraudulent transactions.

Protecting Application Services Transactions

Information Owners and Information Custodians are responsible for ensuring information systems containing on-line services implement security controls commensurate with the value and sensitivity of the information.

Security controls must be implemented to prevent incomplete transmission, misrouting, repudiation of transaction, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication and replay. Security controls may include:

  • Validating and verifying user credentials
  • Using digital signatures
  • Using cryptography to protect data and information
  • Establishing secure communications protocols
  • Storing on-line transaction details on servers within the appropriate network security zone

Security in Development and Support Processes

Secure Development Policy

Information Owners and Information Custodians are responsible for building secure services, architecture, software, Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Cloud environments and systems. A secure development policy must consider the following aspects:

  • Security of the development environment
  • Guidance on the security in the software development lifecycle
    • Security in the software development methodology
    • Secure coding guidelines for each programming language used
    • Security requirements in the design phase
    • Security checkpoints within the project milestones
    • Secure code repositories
    • Security in version control
    • Required application security knowledge
    • The capability of developers to avoid, find, and fix vulnerabilities

System Change Control Process and Procedures

KX change control process and procedures will be developed in compliance with the Change Control Standard and the Document Change Control Standard.

Technical Review of Applications after Operating System Changes

All changes will be subject to review and approval as defined by the Change Control Standard and the Document Change Control Standard.

Restrictions on Changes to Software Packages

Control and restrictions on changes will apply as defined in the Change Control standard.

Secure Systems Engineering Principles

Information Owners must establish secure engineering principles that are:

  • Documented and applied to in-house information system engineering activities
  • Designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility
  • Analyzed for security risks, with the design reviewed against known attack patterns

These system engineering principles and the established engineering procedures must be regularly reviewed and kept up to date to ensure that they are effectively contributing to enhanced standards of security within the engineering process.

Secure Development Environment

A secure development environment includes people, processes and technology associated with system development and integration.

Information Owners must assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts, considering:

  • The sensitivity of data to be processed, stored and transmitted by the system.
  • Applicable external and internal requirements, for example, from regulations or policies.
  • Security controls already implemented by the organization that supports system development.
  • Trustworthiness of personnel working in the environment.
  • The degree of outsourcing associated with system development.
  • The need for segregation between different development environments.
  • Control of access to the development environment(s).
  • Monitoring of changes to the environment(s) and the code stored within them.
  • Storage of backups at secure offsite locations.
  • Control over movement of data from and to the environment(s).

Outsourced Development

If outsourced development is leveraged in the future, the following controls should apply:

  • Licensing arrangements, code ownership and intellectual property rights related to the outsourced content.
  • Contractual requirements for secure design, coding and testing practices.
  • Provision of the approved threat model to the external developer.
  • Acceptance testing for the quality and accuracy of the deliverables.
  • Provision of evidence that sufficient testing has been applied to verify the absence of both intentional and unintentional malicious content upon delivery.
  • Provision of evidence that sufficient testing has been applied to guard against the presence of known vulnerabilities.
  • Escrow arrangements, for example, if source code or libraries are no longer available.
  • Contractual right to audit development processes and controls.
  • Effective documentation of the build environment used to create the deliverables.
  • The organization remains responsible for compliance with applicable laws and control efficiency verification.

System Security Testing

Information Owners must ensure that new and updated systems, Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Cloud environments undergo thorough testing and verification during the development process, including the preparation of a detailed schedule of activities and test inputs and expected outputs under a range of conditions. For in-house development such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken (both for in-house and for outsourced development) to ensure that the system works as expected and only as expected.

The extent of the testing must be in proportion to the importance and nature of the system.

System Acceptance Testing

Information Owners must ensure that:

  • System acceptance testing includes testing of information security requirements and adherence to secure system development practices.
  • Testing is conducted on received components and integrated systems.
  • KX leverages automated tools such as code analysis tools or vulnerability scanners, and verifies the remediation of security-related defects.
  • Testing is performed in a realistic test environment to ensure that the system will not introduce vulnerabilities to the KX environment and that the tests are reliable.

Test Data

Protection of Test Data

Information Owners must implement procedures to ensure that:

  • Sensitive or personal data from operational information systems is not used as test data.
  • Use of test data extracted from operational information systems is authorized and logged to provide an audit trail.
  • Test data is protected with controls appropriate to the security classification of the information and information system.
  • Data from operational information systems is removed from the test environment once testing is complete.