10.1 IDENTIFY SYSTEM SECURITY REQUIREMENTS

Identify the security requirements that your information systems
must meet before you start the systems development process.

Identify the security requirements that infrastructure applications
must meet before you start the application development process.

Identify the security requirements that business applications
must meet before you start the application development process.

Identify the security requirements that user‑developed applications
must meet before you start the application development process.

Document the security requirements that
your information systems must meet.

Make sure that your documentation justifies and
explains why security requirements must be met.

10.1.1 SPECIFY SECURITY CONTROLS AND REQUIREMENTS

Specify the security requirements that
new information systems must meet.

Specify the security requirements that
new software packages must meet.

Specify the security requirements that all
enhancements to existing systems must meet.

Specify the security controls that new
information systems should have.

Specify the security controls that
new software packages should have.

Specify the controls that enhancements to
existing information systems should have.

Make sure that your security specifications identify the
automated controls that should be built into the system.

Make sure that your security specifications identify
the manual controls that should support the system.

Make sure that your security controls and requirements
consider how valuable your information assets are and
how much damage a security failure could cause.

10.2 BUILD SECURITY INTO APPLICATION SYSTEMS

Prevent the loss of user data in your application systems.

Prevent the misuse of user data in application systems.

Prevent the modification of user data in application systems.

Design security controls into your application systems.

Design security controls into user‑written application systems.

Design audit trails or activity logs into application systems.

Design audit trails or activity logs into user‑written systems.

Design additional security controls into systems that
process valuable, sensitive, or critical information.

Design additional security controls into systems that
have an impact on valuable, sensitive, or critical assets.

Use risk assessments to select controls
for your application systems.

10.2.1 BUILD INPUT DATA VALIDATION INTO YOUR SYSTEMS

Build input data validation controls into application systems.

Make sure that your validation controls are able to
verify that your input data is correct and appropriate.

Make sure that validation controls are used to verify that the
input of business transactions is correct and appropriate.

Make sure that validation controls are used to verify
that input of standing data and parameter tables
is correct and appropriate.

Use input validation controls to detect out‑of‑range values.

Use input validation controls to detect missing or incomplete data.

Use input validation controls to detect invalid characters in data fields.

Use input validation controls to detect when upper
and lower data volumes have been exceeded.

Review periodically the content of key fields
in order to verify their integrity and validity.

Review periodically the content of data files
in order to verify their integrity and validity.

Inspect hardcopy input documents in order
to detect unauthorized changes to input data.

Develop procedures to respond to data validation errors.

Develop procedures to test the plausibility of input data.

Define the responsibilities of all data input personnel.

10.2.2 BUILD PROCESSING CONTROLS INTO YOUR SYSTEMS

10.2.2.1 DESIGN PROCESSING CONTROLS TO MINIMIZE RISK

Build internal processing controls into application systems.

Make sure that processing controls can detect data corruption.

Make sure that restrictions are built into your applications
that are designed to minimize the risk of data processing
failures and the loss of integrity.

Make sure that add‑and‑delete functions in programs are
designed so that they minimize the risk of processing errors.

Make sure that procedures are built into your applications
that prevent programs from running in the wrong order.

Make sure that procedures are built into your applications
that prevent programs from running after processing failures.

Make sure that you ensure that the correct programs
are used to recover from data processing failures.

10.2.2.2 INCORPORATE PROCESSING CHECKS AND CONTROLS

Detect and prevent data corruption by incorporating
internal processing checks and controls into systems.

Detect corrupt data by using session or batch controls
to reconcile file balances after transaction updates.

Detect corrupt data by using balancing controls to check
opening balances against previous closing balances.

Detect data corruption by using run‑to‑run controls.

Detect data corruption by using file update totals.

Detect corruption by using program‑to‑program controls.

Detect corruption by using system‑generated validation data.

Detect corruption by using hash totals of records and files.

Detect corruption by checking the integrity
of data that is downloaded or uploaded
between central and remote computers.

Detect corruption by checking the integrity
of software that is downloaded or uploaded
between central and remote computers.

Prevent data corruption by ensuring that all
application programs are run at the right time.

Prevent corruption by ensuring that application
programs are run in the correct order.

Prevent corruption by ensuring that application
programs terminate when failures occur.

Prevent corruption by ensuring that application
programs are halted until the problem is solved.

10.2.3 BUILD MESSAGE AUTHENTICATION INTO YOUR SYSTEMS

Protect the integrity of electronic messages by building
message authentication into hardware systems.

Protect the integrity of electronic messages by building
message authentication into software systems.

Assess your security risks before you decide how
to use message authentication techniques to
protect messages and detect integrity problems.

Use message authentication to detect unauthorized changes
to the contents of transmitted electronic messages.

Use message authentication to detect the
corruption of transmitted electronic messages.

Use message authentication techniques
to protect the integrity of important messages
that must be transmitted electronically.

Use message authentication techniques to
protect the integrity of electronic fund transfers.

Use message authentication techniques to protect the
integrity of electronically transmitted specifications.

Use message authentication techniques to protect
the integrity of electronically transmitted proposals.

Use message authentication techniques to protect
the integrity of electronically transmitted contracts.

10.2.4 BUILD OUTPUT DATA VALIDATION INTO YOUR SYSTEMS

Ensure that output data is correct by building
output data validation into your application systems.

Validate your output by performing plausibility checks
to see whether your output data is reasonable.

Validate your output by performing reconciliation control
counts to ensure that all data has been processed.

Validate your output by providing information that allows
readers to verify the correctness of the output data.

Validate your output by providing information that allows
subsequent processing systems to verify the accuracy
and completeness of your output data.

Develop procedures that describe how people should
interpret and respond to output validation tests.

Define the duties and responsibilities of the people
that manage, process, and receive data output.

10.3 USE CRYPTOGRAPHY TO PROTECT INFORMATION

Use cryptographic systems and techniques to protect
the confidentiality and integrity of your information.

Use cryptographic systems and techniques
to protect information that is at risk.

Do a risk assessment to determine whether
cryptographic solutions are appropriate.

Use your risk assessment to determine what
your cryptographic controls should be used for.

Use your risk assessment to determine what level
of protection should be given to your information.

Use your risk assessment to help determine what
type of business processes should be protected
using cryptographic controls.

Use your risk assessment to help determine what
type of cryptographic controls should be used.

Use cryptographic systems and techniques to protect
information when other methods are inadequate.

10.3.1 DEVELOP A POLICY ON THE USE OF CRYPTOGRAPHY

Develop a policy on the use of cryptography.

Make sure that your cryptography policy helps you to maximize
the benefit and minimize the risk of using cryptographic systems
and techniques to protect your organization's information.

Make sure that your cryptography policy helps you to avoid the incorrect
or inappropriate use of cryptographic systems and techniques.

Make sure that your cryptography policy describes the approach
your organization’s managers should follow when cryptographic
controls are being considered.

Make sure that your cryptography policy describes the
general principles that govern the encryption of information.

Make sure that your cryptography policy describes
your approach to the management and use of keys.

Make sure that your key management approach describes methods
that should be used to recover information when keys have been lost,
damaged, or compromised.

Make sure that your cryptography policy describes
all the associated roles and responsibilities.

Make sure that your cryptography policy specifies who
is responsible for the implementation of your policy.

Make sure that your cryptography policy specifies
who is responsible for the management of keys.

Make sure that your cryptography policy specifies who
is responsible for determining what level of cryptographic
protection is necessary to protect your business processes.

Make sure that your cryptography policy specifies who
is responsible for deciding which cryptographic solutions
should be used to protect your business processes.

Make sure that your cryptography policy respects the
regulations and restrictions that other nations impose
on the use of cryptographic systems and techniques.

Make sure that your cryptography policy addresses
the issues related to the flow of encrypted information
across national borders.

Make sure that your cryptography policy discusses
the controls that apply to the export and import of
cryptographic technologies.

10.3.2 ENCRYPT SENSITIVE OR CRITICAL INFORMATION

Encrypt your sensitive or critical information.

Do a risk assessment to identify the level of protection
needed to secure your sensitive or critical information.

Make sure that your risk assessment considers
the type and quality of your encryption algorithms.

Make sure that your risk assessment considers
the length of your cryptographic keys.

Use cryptography specialists to help you identify the
most appropriate level of cryptographic protection.

Use cryptography specialists to help you
select suitable cryptography products.

Use cryptography specialists to help you
implement a secure key management system.

Use legal experts to help you to identify and evaluate
the laws and regulations that govern your organization's
use of encryption technologies.

10.3.3 PROTECT DOCUMENTS WITH DIGITAL SIGNATURES

Use digital signatures to protect the integrity
and authenticity of your electronic documents.

Make sure that your digital signature algorithm
is capable of protecting the integrity and authenticity
of your electronic documents.

Use digital signature technology to verify
who signs electronic documents.

Use digital signature technology to verify that the
content of signed documents has not been changed.

Use digital signatures to protect electronic payments.

Use digital signatures to protect funds transfers.

Use digital signatures to protect contracts.

Use uniquely related pairs of keys to
implement digital signature technology.

Use private keys to create digital signatures.

Use public keys to verify digital signatures.

Make sure that people cannot forge electronic
signatures by protecting the secrecy of private keys.

Protect the integrity of public keys
through the use of public key certificates.

Use keys to create and verify digital signatures
different from the keys used to encrypt information.

Make sure that you are clear about when digital
signatures are legally binding and when they’re not.

Make sure that you are familiar with the legislation
governing the use of digital signature technology.

Use legal experts to help you to identify and evaluate
the laws and regulations that govern your organization's
use of digital signatures.

Use contracts to support digital signatures whenever the
legal status of digital signatures is doubtful or uncertain.

10.3.4 USE NON‑REPUDIATION SERVICES TO RESOLVE DISPUTES

Use non‑repudiation services to prove whether
or not an action or event has in fact taken place.

Use non‑repudiation services to protect against
any attempt to deny that a digitally signed
document has been sent or received.

Use non‑repudiation services to resolve disagreements
over your organization's use of digital signatures.

Use non‑repudiation services to resolve disagreements
over your organization's use of electronic contracts.

Use non‑repudiation services to resolve disagreements
over your organization's use of electronic payments.

10.3.5 ESTABLISH A KEY MANAGEMENT SYSTEM

10.3.5.1 PROTECT YOUR CRYPTOGRAPHIC KEYS

Establish a management system
to protect your cryptographic keys.

Make sure that your key management system
supports the use of secret key techniques.

Make sure that your key management system allows you to 
keep keys secret when two or more people use the same
secret key to both encrypt and decrypt information.

Make sure that your key management system
supports the use of public key techniques.

Make sure that your key management system allows
you to control the use of public-private key pairs.

Make sure that your key management system allows
public keys to be revealed to anyone while ensuring
that private keys are kept secret.

Protect all cryptographic keys against
unauthorized destruction or modification.

Protect all private and secret keys against unauthorized disclosure.

Use cryptographic techniques to protect your cryptographic keys.

Use physical techniques to protect the equipment
that is used to create, store, and archive your keys.

10.3.5.2 USE SECURE METHODS TO MANAGE KEYS

Make sure that your key management system
complies with the appropriate security standards.

Make sure that your key management system uses secure
methods and procedures to manage cryptographic keys.

Make sure that your key management system uses secure
methods and procedures to generate cryptographic keys.

Make sure that your key management system uses secure
methods and procedures to generate public key certificates.

Make sure that your key management system uses secure
methods and procedures to obtain public key certificates.

Make sure that your key management system uses secure
methods and procedures to distribute cryptographic keys.

Make sure that your key management system uses secure
methods and procedures to activate cryptographic keys.

Make sure that your key management system ensures that
cryptographic keys are issued for a finite time period and
therefore have defined activation and deactivation dates.

Make sure that your key management system uses secure
methods and procedures to store cryptographic keys.

Make sure that your key management system uses
secure methods and procedures to control how
users get access to keys.

Make sure that your key management system uses
secure methods and procedures to control how
cryptographic keys should be changed or updated.

Make sure that your key management system
specifies rules that control when and how your
keys should be changed or updated.

Make sure that your key management system uses
secure methods and procedures to control how
compromised cryptographic keys should be handled.

Make sure that your key management system uses secure
methods and procedures to control how cryptographic
keys are revoked, withdrawn, or deactivated.

Make sure that your key management system uses secure
methods and procedures to destroy cryptographic keys.

Make sure that your key management system use secure
methods and procedures to archive cryptographic keys.

Make sure that your key management system uses
secure methods and procedures to control how and
when cryptographic keys should be archived.

Make sure that your key management system uses secure
methods and procedures to control how cryptographic keys
should be recovered when lost or corrupted.

Make sure that your key management system
uses secure methods and procedures to log
and audit key management activities.

Develop procedures to handle legal requests
to gain access to your cryptographic keys.

Make sure that your procedures describe how
encrypted information could be made legally
available in an unencrypted form.

Protect your organization's public keys.

Prevent people from forging users' digital signatures by 
replacing public keys with their own fraudulent keys.

Use public key certificates to prevent someone
from forging a user's digital signature through
the use of fraudulent keys.

Make sure that your public key certificates are
generated by binding information about the
owner of a key pair to the public key.

Make sure that your public key certificates are generated
by a recognized and trustworthy certification authority.

Make sure that your certification authority has
assured you that they have established all the
necessary controls and procedures.

Establish formal service contracts with your
external cryptographic service providers.

Make sure that your cryptographic service
contracts clarify service response time issues.

Make sure that your cryptographic service
contracts clarify service reliability issues.

Make sure that your cryptographic service
contracts clarify all liability issues.

10.4 PROTECT YOUR ORGANIZATION’S SYSTEM FILES

Make sure that IT projects and activities do not
compromise the security of your system files.

Control the access that IT project personnel
can have to your organization's system files.

Make system owners responsible for system integrity.

10.4.1 CONTROL THE IMPLEMENTATION OF SOFTWARE

Establish controls to manage the implementation
of software on your operational systems.

Make sure that your controls are designed to minimize the
chances that your operational systems will be corrupted.

Make sure that only authorized librarians are allowed
to update your operational program libraries.

Make sure that your operational systems
contain only executable code.

Make sure that executable code is not
implemented on operational systems until
tests prove that it will work as planned.

Make sure that executable code is not
implemented on operational systems until
user acceptance has been obtained.

Make sure that executable code is not implemented
on operational systems until the corresponding program
source libraries have been updated.

Maintain an audit log of all updates
to your operational program libraries.

Retain previous versions of all updated software.

Ensure that all vendor supplied software used in your
operational systems is still supported by the vendor.

Evaluate the security strengths and weaknesses of all
new software releases before you decide to upgrade.

Apply software patches whenever they are likely to 
improve security or eliminate security weaknesses.

Make sure that management approval is required
before suppliers are allowed to have logical
or physical access to software.

Monitor the activities of your software suppliers.

10.4.2 CONTROL THE USE OF SYSTEM DATA FOR TESTING

Control the use of your operational data
for system and acceptance testing.

Protect operational data while it is being used
for system and acceptance testing purposes.

Avoid using personal information for testing
purposes or depersonalize it before use.

Use access control procedures to restrict
access to both operational application
systems and test application systems.

Make sure that authorization is required before operational
information may be copied to test application systems.

Make sure that operational information is immediately erased
from test application systems once testing has been completed.

Make sure that a log and audit trail is established
whenever operational information is copied and
used for testing purposes.

10.4.3 CONTROL ACCESS TO PROGRAM SOURCE LIBRARY

Prevent the corruption of computer programs by 
controlling access to your program source libraries.

Avoid holding your program source
libraries in your operational systems.

Appoint a program librarian for each
one of your organization's applications.

Make sure that updates to program source libraries are carried
out by the librarian that has been nominated for that purpose.

Make sure that program source library updates are authorized by the IT
manager that is responsible for supporting the application being updated.

Make sure that your program source librarians control the 
issuing of program source materials to programmers.

Make sure that your librarians receive formal authorization
from the appropriate IT support manager before program
source materials are issued to programmers.

Make sure that you control the access that your IT
support staff have to your program source libraries.

Make sure that an audit log is maintained that tracks
and records access to program source libraries.

Avoid holding programs that are under development
in your operational program source libraries.

Avoid holding programs that are under maintenance
in your operational program source libraries.

Hold program listings in a secure environment.

Archive old versions of source programs.

Make sure that your source program archives specify
exactly when your old source programs were operational.

Make sure that your source program archives include
all supporting software, data definitions, job control information,
and associated procedures.

Establish change control procedures to manage the
copying and maintenance of your program source libraries.

10.5 CONTROL DEVELOPMENT AND SUPPORT

Control your information system development
projects and support environments.

Make sure that application system managers are
also responsible for the security of development
projects and support environments.

Make sure that application system managers are responsible
for ensuring that all system changes are checked in order to
ensure that they do not undermine the security of the system.

Make sure that application system managers are responsible for
ensuring that all system changes are checked to ensure that they
do not undermine the security of the support environment.

10.5.1 ESTABLISH CHANGE CONTROL PROCEDURES

Establish formal procedures to control changes to information systems.

Make sure that change control procedures are used to ensure that
system development projects do not corrupt information systems.

Make sure that your change control procedures are used to ensure
that information system development projects do not compromise
the security of your information systems.

Make sure that your change control procedures ensure that
formal approvals are obtained before detailed work begins.

Make sure that your change control procedures are used to ensure
that programmers are allowed to access only those parts of the 
system that they need in order to do their work.

Make sure that your change control procedures are used to ensure
that formal agreement is reached and all approvals are received
before changes are actually made.

Make sure that your change control procedures ensure
that a record of authorization levels is always maintained.

Make sure that your change control procedures ensure
that only authorized users are allowed to submit changes.

Make sure that your change control procedures ensure
that an audit trail is maintained for all change requests.

Make sure that your change control procedures ensure that
users accept proposed changes prior to implementation.

Make sure that your change control procedures ensure
that changes will not compromise existing operational
controls and integrity procedures.

Make sure that your change control procedures ensure that changes are
implemented without causing a major disruption of business activities.

Make sure that your change control procedures ensure that system
documentation is promptly updated after each change is made.

Make sure that your change control procedures ensure that operating
documentation is promptly updated to reflect system changes.

Make sure that change control procedures ensure that
user procedures are updated to reflect system changes.

Make sure that change control procedures ensure that
version control is maintained for all software updates.

Make sure that your change control procedures ensure
that old system documentation is disposed of or archived.

Segregate your software testing environment from
software development and production environments.

10.5.2 REVIEW CHANGES TO OPERATING SYSTEM

Review and test application systems whenever
you make changes to your operating system.

Make sure that your application system reviews ensure that
operating system changes do not adversely effect operations.

Make sure that your application system reviews ensure that
operating system changes do not compromise security.

Make sure that your application system reviews ensure that
operating system changes do not compromise existing
application controls and integrity procedures.

Make sure that your annual support plan and budget will
allow you to test your application systems whenever you
make changes to your operating system.

Make sure that you notify people about operating system
changes so that they have enough time to carry out reviews
before changes are implemented.

Make sure that business continuity plans are updated
whenever you make changes to your operating system.

10.5.3 RESTRICT CHANGES TO SOFTWARE PACKAGES

Maintain the security of vendor‑supplied software by
encouraging people not to modify it without approval.

Determine whether or not built‑in controls will be compromised
before you decide to modify a vendor‑supplied software package.

Determine whether or not integrity processes will be compromised
before you decide to modify a vendor‑supplied software package.

Determine whether or not the consent of the vendor is required
before you decide to modify a vendor‑supplied software package.

Determine whether or not the required changes will be provided
as a standard program update before you decide to modify a
vendor‑supplied software package.

Determine whether or not you will be responsible for future software
maintenance, and what the impact of this might be, before you decide
to modify a vendor‑supplied software package.

Make sure that you apply software modifications to a clearly
identified copy of your vendor‑supplied software package
and retain an unmodified version of the original package.

Test all changes to vendor‑supplied software
packages before you implement them.

Document all changes to vendor‑supplied
software packages so that they can be
reapplied to future software upgrades.

10.5.4 SAFEGUARD AGAINST COVERT CHANNELS AND TROJANS

Safeguard your computing systems
against Trojan code and covert channels.

Protect yourself against Trojan code and covert channels
by purchasing programs only from reputable sources.

Protect yourself against Trojan code and covert channels
by purchasing programs in source code and verifying
that the code is harmless.

Protect yourself against Trojan code and covert channels
by using programs that have been evaluated.

Protected yourself against Trojan code and covert
channels by inspecting all source code prior to use.

Protect yourself against Trojan code and covert
channels by controlling access to code once
programs have been installed.

Protect yourself against Trojan code and covert
channels by controlling the modification of code
once programs have been installed.

Protect yourself against Trojan code and covert channels
by using trustworthy staff to work on important systems.

10.5.5 CONTROL OUTSOURCED SOFTWARE DEVELOPMENT

Manage and control your outsourced software development projects.

Clarify intellectual property rights including who owns
the code before you outsource software development.

Clarify software licensing arrangements before
you outsource your software development projects.

Expect your suppliers to certify the quality and the accuracy of the
software development work that has been outsourced to them.

Establish the right to audit  the quality and accuracy of
outsourced software development work before it begins.

Protect yourself against poor quality code by specifying
quality requirements in the contracts you have with suppliers
of outsourced software development services.

Protect yourself against failure by establishing escrow arrangements
before you outsource your software development projects.

Protect yourself against Trojan code by testing
outsourced software prior to installation.