ISO IEC 17799 2000* TRANSLATED INTO PLAIN ENGLISH
Section 10: Systems Development and Maintenance
FREE DETAILED STANDARD

* ISO 17799 2000 is now OBSOLETE.

ISO17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD |

10.1 IDENTIFY SYSTEM SECURITY REQUIREMENTS

Identify the security requirements that your information systems

Identify the security requirements that infrastructure applications

Identify the security requirements that business applications

Identify the security requirements that user‑developed applications

Document the security requirements that

Make sure that your documentation justifies and

10.1.1 SPECIFY SECURITY CONTROLS AND REQUIREMENTS

Specify the security requirements that

Specify the security requirements that

Specify the security requirements that all

Specify the security controls that new

Specify the security controls that

Specify the controls that enhancements to

Make sure that your security specifications identify the

Make sure that your security specifications identify

Make sure that your security controls and requirements

10.2 BUILD SECURITY INTO APPLICATION SYSTEMS

Prevent the loss of user data in your application systems.

Prevent the misuse of user data in application systems.

Prevent the modification of user data in application systems.

Design security controls into your application systems.

Design security controls into user‑written application systems.

Design audit trails or activity logs into application systems.

Design audit trails or activity logs into user‑written systems.

Design additional security controls into systems that

Design additional security controls into systems that

Use risk assessments to select controls

10.2.1 BUILD INPUT DATA VALIDATION INTO YOUR SYSTEMS

Build input data validation controls into application systems.

Make sure that your validation controls are able to

Make sure that validation controls are used to verify that the

Make sure that validation controls are used to verify

Use input validation controls to detect out‑of‑range values.

Use input validation controls to detect missing or incomplete data.

Use input validation controls to detect invalid characters in data fields.

Use input validation controls to detect when upper

Review periodically the content of key fields

Review periodically the content of data files

Inspect hardcopy input documents in order

Develop procedures to respond to data validation errors.

Develop procedures to test the plausibility of input data.

Define the responsibilities of all data input personnel.

10.2.2 BUILD PROCESSING CONTROLS INTO YOUR SYSTEMS

10.2.2.1 DESIGN PROCESSING CONTROLS TO MINIMIZE RISK

Build internal processing controls into application systems.

Make sure that processing controls can detect data corruption.

Make sure that restrictions are built into your applications

Make sure that add‑and‑delete functions in programs are

Make sure that procedures are built into your applications

Make sure that procedures are built into your applications

Make sure that you ensure that the correct programs

10.2.2.2 INCORPORATE PROCESSING CHECKS AND CONTROLS

Detect and prevent data corruption by incorporating

Detect corrupt data by using session or batch controls

Detect corrupt data by using balancing controls to check

Detect data corruption by using run‑to‑run controls.

Detect data corruption by using file update totals.

Detect corruption by using program‑to‑program controls.

Detect corruption by using system‑generated validation data.

Detect corruption by using hash totals of records and files.

Detect corruption by checking the integrity

Detect corruption by checking the integrity

Prevent data corruption by ensuring that all

Prevent corruption by ensuring that application

Prevent corruption by ensuring that application

Prevent corruption by ensuring that application

10.2.3 BUILD MESSAGE AUTHENTICATION INTO YOUR SYSTEMS

Protect the integrity of electronic messages by building

Protect the integrity of electronic messages by building

Assess your security risks before you decide how

Use message authentication to detect unauthorized changes

Use message authentication to detect the

Use message authentication techniques

Use message authentication techniques to

Use message authentication techniques to protect the

Use message authentication techniques to protect

Use message authentication techniques to protect

10.2.4 BUILD OUTPUT DATA VALIDATION INTO YOUR SYSTEMS

Ensure that output data is correct by building

Validate your output by performing plausibility checks

Validate your output by performing reconciliation control

Validate your output by providing information that allows

Validate your output by providing information that allows

Develop procedures that describe how people should

Define the duties and responsibilities of the people

10.3 USE CRYPTOGRAPHY TO PROTECT INFORMATION

Use cryptographic systems and techniques to protect

Use cryptographic systems and techniques

Do a risk assessment to determine whether

Use your risk assessment to determine what

Use your risk assessment to determine what level

Use your risk assessment to help determine what

Use your risk assessment to help determine what

Use cryptographic systems and techniques to protect

10.3.1 DEVELOP A POLICY ON THE USE OF CRYPTOGRAPHY

Develop a policy on the use of cryptography.

Make sure that your cryptography policy helps you to maximize

Make sure that your cryptography policy helps you to avoid the incorrect or inappropriate use of cryptographic systems and techniques.

Make sure that your cryptography policy describes the approach

Make sure that your cryptography policy describes the

Make sure that your cryptography policy describes

Make sure that your key management approach describes methods

Make sure that your cryptography policy describes

Make sure that your cryptography policy specifies who

Make sure that your cryptography policy specifies

Make sure that your cryptography policy specifies who

Make sure that your cryptography policy specifies who

Make sure that your cryptography policy respects the

Make sure that your cryptography policy addresses

Make sure that your cryptography policy discusses

10.3.2 ENCRYPT SENSITIVE OR CRITICAL INFORMATION

Encrypt your sensitive or critical information.

Do a risk assessment to identify the level of protection

Make sure that your risk assessment considers

Make sure that your risk assessment considers

Use cryptography specialists to help you identify the

Use cryptography specialists to help you

Use cryptography specialists to help you

Use legal experts to help you to identify and evaluate

10.3.3 PROTECT DOCUMENTS WITH DIGITAL SIGNATURES

Use digital signatures to protect the integrity

Make sure that your digital signature algorithm

Use digital signature technology to verify

Use digital signature technology to verify that the

Use digital signatures to protect electronic payments.

Use digital signatures to protect funds transfers.

Use digital signatures to protect contracts.

Use uniquely related pairs of keys to

Use private keys to create digital signatures.

Use public keys to verify digital signatures.

Make sure that people cannot forge electronic

Protect the integrity of public keys

Use keys to create and verify digital signatures

Make sure that you are clear about when digital

Make sure that you are familiar with the legislation

Use legal experts to help you to identify and evaluate

Use contracts to support digital signatures whenever the

10.3.4 USE NON‑REPUDIATION SERVICES TO RESOLVE DISPUTES

Use non‑repudiation services to prove whether

Use non‑repudiation services to protect against

Use non‑repudiation services to resolve disagreements