ISO IEC 17799 2000*

TRANSLATED INTO PLAIN ENGLISH

Section 10: Systems Development and Maintenance


* ISO 17799 2000 is now OBSOLETE.
Please see
ISO IEC 27002 2005!

ISO 17799

ISO17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

10.1 IDENTIFY SYSTEM SECURITY REQUIREMENTS

 

Identify the security requirements that your information systems
must meet before you start the systems development process.

 

Identify the security requirements that infrastructure applications
must meet before you start the application development process.

 

Identify the security requirements that business applications
must meet before you start the application development process.

 

Identify the security requirements that user‑developed applications
must meet before you start the application development process.

 

Document the security requirements that
your information systems must meet.

 

Make sure that your documentation justifies and
explains why security requirements must be met.

10.1.1 SPECIFY SECURITY CONTROLS AND REQUIREMENTS

 

Specify the security requirements that
new information systems must meet.

 

Specify the security requirements that
new software packages must meet.

 

Specify the security requirements that all
enhancements to existing systems must meet.

 

Specify the security controls that new
information systems should have.

 

Specify the security controls that
new software packages should have.

 

Specify the controls that enhancements to
existing information systems should have.

 

Make sure that your security specifications identify the
automated controls that should be built into the system.

 

Make sure that your security specifications identify
the manual controls that should support the system.

 

Make sure that your security controls and requirements
consider how valuable your information assets are and
how much damage a security failure could cause.


10.2 BUILD SECURITY INTO APPLICATION SYSTEMS

 

Prevent the loss of user data in your application systems.

 

Prevent the misuse of user data in application systems.

 

Prevent the modification of user data in application systems.

 

Design security controls into your application systems.

 

Design security controls into user‑written application systems.

 

Design audit trails or activity logs into application systems.

 

Design audit trails or activity logs into user‑written systems.

 

Design additional security controls into systems that
process valuable, sensitive, or critical information.

 

Design additional security controls into systems that
have an impact on valuable, sensitive, or critical assets.

 

Use risk assessments to select controls
for your application systems.

10.2.1 BUILD INPUT DATA VALIDATION INTO YOUR SYSTEMS

 

Build input data validation controls into application systems.

 

Make sure that your validation controls are able to
verify that your input data is correct and appropriate.

 

Make sure that validation controls are used to verify that the
input of business transactions is correct and appropriate.

 

Make sure that validation controls are used to verify
that input of standing data and parameter tables
is correct and appropriate.

 

Use input validation controls to detect out‑of‑range values.

 

Use input validation controls to detect missing or incomplete data.

 

Use input validation controls to detect invalid characters in data fields.

 

Use input validation controls to detect when upper
and lower data volumes have been exceeded.

 

Periodically review the content of key fields
in order to verify their integrity and validity.

 

Periodically review the content of data files
in order to verify their integrity and validity.

 

Inspect hardcopy input documents in order
to detect unauthorized changes to input data.

 

Develop procedures to respond to data validation errors.

 

Develop procedures to test the plausibility of input data.

 

Define the responsibilities of all data input personnel.
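The following is an added example of the input validation controls listed in 10.2.1, written for this page; it is not code from the standard. It checks one constructed transaction record for missing fields, out-of-range amounts and invalid characters, and checks a whole batch against upper and lower volume limits and duplicate identifiers. The record layout, the account format (two letters then eight digits) and every limit are assumptions chosen for the example; the function returns all failures rather than stopping at the first, so the error-handling procedure can act on the complete list.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Transaction is a constructed input record used only for this example.
type Transaction struct {
	ID      string
	Account string
	Amount  int64 // minor currency units, e.g. cents
	Memo    string
}

// Limits holds the validation thresholds for one batch. The values used
// below are assumptions for the example, not figures from the standard.
type Limits struct {
	MinAmount, MaxAmount int64
	MinBatch, MaxBatch   int
}

// SampleLimits and SampleBatch are constructed test data.
var SampleLimits = Limits{MinAmount: 1, MaxAmount: 1_000_000, MinBatch: 1, MaxBatch: 3}

func SampleBatch() []Transaction {
	return []Transaction{
		{ID: "T1", Account: "GB12345678", Amount: 5000, Memo: "rent"},          // valid
		{ID: "T2", Account: "GB1234567", Amount: 5000},                         // account too short
		{ID: "T3", Account: "GB12345678", Amount: 0, Memo: "x\x00"},            // zero amount, control char
		{ID: "T3", Account: "", Amount: 2_000_000},                             // duplicate id, missing account, too large
	}
}

// accountPattern is an assumed account format: two letters then eight digits.
var accountPattern = regexp.MustCompile(`^[A-Z]{2}[0-9]{8}$`)

// ValidateTransaction returns every failure for one record: missing fields,
// out-of-range values and invalid characters (10.2.1).
func ValidateTransaction(t Transaction, lim Limits) []string {
	var errs []string
	if strings.TrimSpace(t.ID) == "" {
		errs = append(errs, "missing id")
	}
	if t.Account == "" {
		errs = append(errs, t.ID+": missing account")
	} else if !accountPattern.MatchString(t.Account) {
		errs = append(errs, t.ID+": invalid account format")
	}
	if t.Amount < lim.MinAmount || t.Amount > lim.MaxAmount {
		errs = append(errs, fmt.Sprintf("%s: amount %d out of range [%d,%d]",
			t.ID, t.Amount, lim.MinAmount, lim.MaxAmount))
	}
	for _, r := range t.Memo { // reject control characters in free text
		if r < 0x20 || r == 0x7f {
			errs = append(errs, t.ID+": control character in memo")
			break
		}
	}
	return errs
}

// ValidateBatch applies the record checks plus the batch-level checks:
// upper and lower data volumes and duplicate identifiers. Nothing is
// silently dropped; the caller's error procedure decides what to do.
func ValidateBatch(batch []Transaction, lim Limits) []string {
	var errs []string
	if len(batch) < lim.MinBatch {
		errs = append(errs, fmt.Sprintf("batch too small: %d < %d", len(batch), lim.MinBatch))
	}
	if len(batch) > lim.MaxBatch {
		errs = append(errs, fmt.Sprintf("batch too large: %d > %d", len(batch), lim.MaxBatch))
	}
	seen := map[string]bool{}
	for _, t := range batch {
		if seen[t.ID] {
			errs = append(errs, t.ID+": duplicate id")
		}
		seen[t.ID] = true
		errs = append(errs, ValidateTransaction(t, lim)...)
	}
	return errs
}

func main() {
	for _, e := range ValidateBatch(SampleBatch(), SampleLimits) {
		fmt.Println(e)
	}
}
```

The batch-level checks run before the per-record loop so that a file that is the wrong size is reported even when every record in it is individually valid.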

10.2.2 BUILD PROCESSING CONTROLS INTO YOUR SYSTEMS

10.2.2.1 DESIGN PROCESSING CONTROLS TO MINIMIZE RISK

 

Build internal processing controls into application systems.

 

Make sure that processing controls can detect data corruption.

 

Make sure that restrictions are built into your applications
that are designed to minimize the risk of data processing
failures and the loss of integrity.

 

Make sure that add‑and‑delete functions in programs are
designed so that they minimize the risk of processing errors.

 

Make sure that procedures are built into your applications
that prevent programs from running in the wrong order.

 

Make sure that procedures are built into your applications
that prevent programs from running after processing failures.

 

Make sure that the correct programs are
used to recover from data processing failures.

10.2.2.2 INCORPORATE PROCESSING CHECKS AND CONTROLS

 

Detect and prevent data corruption by incorporating
internal processing checks and controls into systems.

 

Detect corrupt data by using session or batch controls
to reconcile file balances after transaction updates.

 

Detect corrupt data by using balancing controls to check
opening balances against previous closing balances.

 

Detect data corruption by using run‑to‑run controls.

 

Detect data corruption by using file update totals.

 

Detect corruption by using program‑to‑program controls.

 

Detect corruption by using system‑generated validation data.

 

Detect corruption by using hash totals of records and files.

 

Detect corruption by checking the integrity
of data that is downloaded or uploaded
between central and remote computers.

 

Detect corruption by checking the integrity
of software that is downloaded or uploaded
between central and remote computers.

 

Prevent data corruption by ensuring that all
application programs are run at the right time.

 

Prevent corruption by ensuring that application
programs are run in the correct order.

 

Prevent corruption by ensuring that application
programs terminate when failures occur.

 

Prevent corruption by ensuring that application
programs are halted until the problem is solved.

10.2.3 BUILD MESSAGE AUTHENTICATION INTO YOUR SYSTEMS

 

Protect the integrity of electronic messages by building
message authentication into hardware systems.

 

Protect the integrity of electronic messages by building
message authentication into software systems.

 

Assess your security risks before you decide how
to use message authentication techniques to
protect messages and detect integrity problems.

 

Use message authentication to detect unauthorized changes
to the contents of transmitted electronic messages.

 

Use message authentication to detect the
corruption of transmitted electronic messages.

 

Use message authentication techniques
to protect the integrity of important messages
that must be transmitted electronically.

 

Use message authentication techniques to
protect the integrity of electronic fund transfers.

 

Use message authentication techniques to protect the
integrity of electronically transmitted specifications.

 

Use message authentication techniques to protect
the integrity of electronically transmitted proposals.

 

Use message authentication techniques to protect
the integrity of electronically transmitted contracts.

10.2.4 BUILD OUTPUT DATA VALIDATION INTO YOUR SYSTEMS

 

Ensure that output data is correct by building
output data validation into your application systems.

 

Validate your output by performing plausibility checks
to see whether your output data is reasonable.

 

Validate your output by performing reconciliation control
counts to ensure that all data has been processed.

 

Validate your output by providing information that allows
readers to verify the correctness of the output data.

 

Validate your output by providing information that allows
subsequent processing systems to verify the accuracy
and completeness of your output data.

 

Develop procedures that describe how people should
interpret and respond to output validation tests.

 

Define the duties and responsibilities of the people
that manage, process, and receive data output.
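As an added example for 10.2.4 (not code from the standard), the block below shows one way to make output verifiable by the people and systems that receive it. A constructed processing stage writes a control record alongside its output file: input count, output count, rejected count and output sum. A downstream reconciliation checks that every input record was either output or rejected and that the file's contents match the counts, and a plausibility check flags output that reconciles arithmetically but is unreasonable compared with the previous run. The record layout and all thresholds are assumptions for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Payment is a constructed output record.
type Payment struct {
	ID     string
	Amount int64 // minor units
}

// OutputControl is written alongside the output file so that readers and
// the next processing system can verify completeness and accuracy.
type OutputControl struct {
	InputCount    int
	OutputCount   int
	RejectedCount int
	OutputSum     int64
}

// Produce is a constructed stage: inputs that are zero, negative or above
// maxAmount are rejected; the rest are output with control counts.
func Produce(in []Payment, maxAmount int64) ([]Payment, OutputControl) {
	ctl := OutputControl{InputCount: len(in)}
	var out []Payment
	for _, p := range in {
		if p.Amount <= 0 || p.Amount > maxAmount {
			ctl.RejectedCount++
			continue
		}
		out = append(out, p)
		ctl.OutputCount++
		ctl.OutputSum += p.Amount
	}
	return out, ctl
}

// Reconcile is the control-count check run before the output is used:
// input = output + rejected, and the file matches its own control record.
func Reconcile(out []Payment, ctl OutputControl) []string {
	var problems []string
	if ctl.InputCount != ctl.OutputCount+ctl.RejectedCount {
		problems = append(problems, fmt.Sprintf("%d input != %d output + %d rejected",
			ctl.InputCount, ctl.OutputCount, ctl.RejectedCount))
	}
	if len(out) != ctl.OutputCount {
		problems = append(problems, fmt.Sprintf("file has %d records, control says %d", len(out), ctl.OutputCount))
	}
	var sum int64
	for _, p := range out {
		sum += p.Amount
	}
	if sum != ctl.OutputSum {
		problems = append(problems, fmt.Sprintf("file sum %d != control sum %d", sum, ctl.OutputSum))
	}
	return problems
}

// Plausible flags output that is internally consistent but unreasonable:
// a total that drifts too far from the previous run, or a rejection rate
// high enough to suggest the wrong input file. Thresholds are assumptions.
func Plausible(ctl OutputControl, prevSum int64, maxDrift, maxRejectRate float64) []string {
	var warnings []string
	if prevSum > 0 {
		drift := math.Abs(float64(ctl.OutputSum)-float64(prevSum)) / float64(prevSum)
		if drift > maxDrift {
			warnings = append(warnings, fmt.Sprintf("output sum moved %.0f%% from previous run", drift*100))
		}
	}
	if ctl.InputCount > 0 {
		rate := float64(ctl.RejectedCount) / float64(ctl.InputCount)
		if rate > maxRejectRate {
			warnings = append(warnings, fmt.Sprintf("rejection rate %.0f%% exceeds limit", rate*100))
		}
	}
	return warnings
}

func main() {
	in := []Payment{{"P1", 100}, {"P2", 200}, {"P3", 5000}, {"P4", 0}} // constructed
	out, ctl := Produce(in, 1000)
	fmt.Println(ctl, Reconcile(out, ctl), Plausible(ctl, 310, 0.10, 0.25))
}
```

The reconciliation answers "was everything processed?"; the plausibility check answers "does the result make sense?". Both are needed because a run that silently read last month's input file can pass the first and fail only the second.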


10.3 USE CRYPTOGRAPHY TO PROTECT INFORMATION

 

Use cryptographic systems and techniques to protect
the confidentiality and integrity of your information.

 

Use cryptographic systems and techniques
to protect information that is at risk.

 

Do a risk assessment to determine whether
cryptographic solutions are appropriate.

 

Use your risk assessment to determine what
your cryptographic controls should be used for.

 

Use your risk assessment to determine what level
of protection should be given to your information.

 

Use your risk assessment to help determine what
type of business processes should be protected
using cryptographic controls.

 

Use your risk assessment to help determine what
type of cryptographic controls should be used.

 

Use cryptographic systems and techniques to protect
information when other methods are inadequate.

10.3.1 DEVELOP A POLICY ON THE USE OF CRYPTOGRAPHY

 

Develop a policy on the use of cryptography.

 

Make sure that your cryptography policy helps you to maximize
the benefit and minimize the risk of using cryptographic systems
and techniques to protect your organization’s information.

 

Make sure that your cryptography policy helps you to avoid the
incorrect or inappropriate use of cryptographic systems and techniques.

 

Make sure that your cryptography policy describes the approach
your organization’s managers should follow when cryptographic
controls are being considered.

 

Make sure that your cryptography policy describes the
general principles that govern the encryption of information.

 

Make sure that your cryptography policy describes
your approach to the management and use of keys.

 

Make sure that your key management approach describes the methods
that should be used to recover information when keys
have been lost, damaged, or compromised.

 

Make sure that your cryptography policy describes
all the associated roles and responsibilities.

 

Make sure that your cryptography policy specifies who
is responsible for the implementation of your policy.

 

Make sure that your cryptography policy specifies
who is responsible for the management of keys.

 

Make sure that your cryptography policy specifies who
is responsible for determining what level of cryptographic
protection is necessary to protect your business processes.

 

Make sure that your cryptography policy specifies who
is responsible for deciding which cryptographic solutions
should be used to protect your business processes.

 

Make sure that your cryptography policy respects the
regulations and restrictions that other nations impose
on the use of cryptographic systems and techniques.

 

Make sure that your cryptography policy addresses
the issues related to the flow of encrypted information
across national borders.

 

Make sure that your cryptography policy discusses the controls
that apply to the export and import of cryptographic technologies.

10.3.2 ENCRYPT SENSITIVE OR CRITICAL INFORMATION

 

Encrypt your sensitive or critical information.

 

Do a risk assessment to identify the level of protection
needed to secure your sensitive or critical information.

 

Make sure that your risk assessment considers
the type and quality of your encryption algorithms.

 

Make sure that your risk assessment considers
the length of your cryptographic keys.

 

Use cryptography specialists to help you identify the
most appropriate level of cryptographic protection.

 

Use cryptography specialists to help you
select suitable cryptography products.

 

Use cryptography specialists to help you
implement a secure key management system.

 

Use legal experts to help you to identify and evaluate
the laws and regulations that govern your organization’s
use of encryption technologies.

10.3.3 PROTECT DOCUMENTS WITH DIGITAL SIGNATURES

 

Use digital signatures to protect the integrity
and authenticity of your electronic documents.

 

Make sure that your digital signature algorithm
is capable of protecting the integrity and authenticity
of your electronic documents.

 

Use digital signature technology to verify
who signs electronic documents.

 

Use digital signature technology to verify that the
content of signed documents has not been changed.

 

Use digital signatures to protect electronic payments.

 

Use digital signatures to protect funds transfers.

 

Use digital signatures to protect contracts.

 

Use uniquely related pairs of keys to
implement digital signature technology.

 

Use private keys to create digital signatures.

 

Use public keys to verify digital signatures.

 

Make sure that people cannot forge electronic
signatures by protecting the secrecy of private keys.

 

Protect the integrity of public keys
through the use of public key certificates.

 

Use keys for creating and verifying digital signatures that are
different from the keys used to encrypt information.

 

Make sure that you are clear about when digital
signatures are legally binding and when they’re not.

 

Make sure that you are familiar with the legislation
governing the use of digital signature technology.

 

Use legal experts to help you to identify and evaluate
the laws and regulations that govern your organization’s
use of digital signatures.

 

Use contracts to support digital signatures whenever the
legal status of digital signatures is doubtful or uncertain.

10.3.4 USE NON‑REPUDIATION SERVICES TO RESOLVE DISPUTES

 

Use non‑repudiation services to prove whether
or not an action or event has in fact taken place.

 

Use non‑repudiation services to protect against
any attempt to deny that a digitally signed
document has been sent or received.

 

Use non‑repudiation services to resolve disagreements
over your organization’s use of digital signatures.
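The block below is an added example covering 10.3.3 and 10.3.4; it is not code from the standard. It generates a uniquely related key pair, creates a signature over a constructed contract with the private key, and verifies it with the public key. The public key reaches the verifier inside a minimal certificate, a constructed stand-in for a public key certificate, signed by an issuer the verifier already trusts, and the verifier checks that certificate before trusting the key. For non-repudiation the receiver retains the exact document bytes, the signature and the certificate, and the same verification can be re-run during a dispute. Ed25519 from the Go standard library is used; the certificate format, the subject name and the contract text are assumptions. The key pair here is used only for signing; any encryption of the same information would use a separate pair, as the text above requires.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is a constructed stand-in for a public key certificate: a
// trusted issuer signs the binding between a subject name and that
// subject's public key. Real deployments use X.509; the check is the same.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Signature []byte // issuer's signature over Subject || PublicKey
}

// NewKeyPair generates a signing key pair. The private key stays with its
// owner and is never transmitted; only the public key is published.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// Issue is the certificate authority vouching for a subject's public key.
func Issue(issuerPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{
		Subject:   subject,
		PublicKey: pub,
		Signature: ed25519.Sign(issuerPriv, certBytes(subject, pub)),
	}
}

// Sign creates the signature over the document with the signer's private key.
func Sign(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// Verify checks the certificate against the trusted issuer key first, then
// checks the document signature with the certified public key.
func Verify(issuerPub ed25519.PublicKey, cert Certificate, signer string, doc, sig []byte) error {
	if cert.Subject != signer {
		return errors.New("certificate names a different subject")
	}
	if !ed25519.Verify(issuerPub, certBytes(cert.Subject, cert.PublicKey), cert.Signature) {
		return errors.New("certificate not signed by trusted issuer: public key cannot be trusted")
	}
	if !ed25519.Verify(cert.PublicKey, doc, sig) {
		return errors.New("signature invalid: document changed or not signed by the subject's key")
	}
	return nil
}

// Evidence is what the receiver retains for non-repudiation: the exact
// bytes received, the signature, and the certificate binding key to signer.
type Evidence struct {
	Document    []byte
	Signature   []byte
	Certificate Certificate
}

// CheckEvidence re-runs verification on retained evidence, e.g. in a dispute.
func CheckEvidence(issuerPub ed25519.PublicKey, e Evidence, signer string) error {
	return Verify(issuerPub, e.Certificate, signer, e.Document, e.Signature)
}

func main() {
	caPub, caPriv, _ := NewKeyPair()
	signerPub, signerPriv, _ := NewKeyPair()
	cert := Issue(caPriv, "buyer@example.invalid", signerPub)
	contract := []byte("Contract: buyer pays 1000 to supplier by 2025-01-31") // constructed
	sig := Sign(signerPriv, contract)
	kept := Evidence{Document: contract, Signature: sig, Certificate: cert}
	fmt.Println("original:", CheckEvidence(caPub, kept, "buyer@example.invalid"))
	kept.Document[0] ^= 1 // simulate a later change to the stored document
	fmt.Println("altered: ", CheckEvidence(caPub, kept, "buyer@example.invalid"))
}
```

The order of checks in Verify matters: a valid-looking document signature proves nothing until the public key that verifies it has itself been tied to the claimed signer by a certificate the verifier trusts.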