3.3.6 Application Security
| No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 |
Effective from May 24 2017 - May 23 2017
To view other versions open the versions tab on the right
Principle
The Member Organization should define, approve and implement cyber security standards for application systems. The compliance with these standards should be monitored and the effectiveness of these controls should be measured and periodically evaluated.
Objective
To ensure that sufficient cyber security controls are formally documented and implemented for all applications, and that the compliance is monitored and its effectiveness is evaluated periodically within the Member Organization.
Control considerations
| 1. | The application cyber security standards should be defined, approved and implemented. | |
| 2. | The compliance with the application security standards should be monitored. | |
| 3. | The effectiveness of the application cyber security controls should be measured and periodically evaluated. | |
| 4. | Application development should follow the approved secure system development life cycle methodology (SDLC). | |
| 5. | The application security standard should include: | |
| a. | secure coding standards; | |
| b. | the cyber security controls implemented (e.g., configuration parameters, events to monitor and retain [including system access and data], identity and access management); | |
| c. | the segregation of duties within the application (supported with a documented authorization matrix); | |
| d. | the protection of data aligned with the (agreed) classification scheme (including privacy of customer data and, avoiding unauthorized access and (un)intended data leakage); | |
| e. | vulnerability and patch management; | |
| f. | back-up and recovery procedures; | |
| g. | periodic cyber security compliance review. | |