Compliance controls associated with this Policy definition 'Review development process, standards and tools' (1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | SA-15 | FedRAMP_High_R4_SA-15 | FedRAMP High SA-15 | System And Services Acquisition | Development Process, Standards, And Tools | Shared | n/a | The organization: a. Requires the developer of the information system, system component, or information system service to follow a documented development process that: 1. Explicitly addresses security requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. Supplemental Guidance: Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. References: None. | link | 1 |
| hipaa | 0635.10k1Organizational.12-10.k | hipaa-0635.10k1Organizational.12-10.k | 0635.10k1Organizational.12-10.k | 06 Configuration Management | 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes | Shared | n/a | Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment. | | 9 |
| hipaa | 0641.10k2Organizational.11-10.k | hipaa-0641.10k2Organizational.11-10.k | 0641.10k2Organizational.11-10.k | 06 Configuration Management | 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes | Shared | n/a | The organization does not use automated updates on critical systems. | | 13 |
| hipaa | 1790.10a2Organizational.45-10.a | hipaa-1790.10a2Organizational.45-10.a | 1790.10a2Organizational.45-10.a | 17 Risk Management | 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | The organization includes business requirements for the availability of information systems when specifying the security requirements; and, where availability cannot be guaranteed using existing architectures, redundant components or architectures are considered along with the risks associated with implementing such redundancies. | | 6 |
| ISO27001-2013 | A.14.1.1 | ISO27001-2013_A.14.1.1 | ISO 27001:2013 A.14.1.1 | System Acquisition, Development And Maintenance | Information security requirements analysis and specification | Shared | n/a | The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | link | 24 |
| ISO27001-2013 | A.14.2.1 | ISO27001-2013_A.14.2.1 | ISO 27001:2013 A.14.2.1 | System Acquisition, Development And Maintenance | Secure development policy | Shared | n/a | Rules for the development of software and systems shall be established and applied to developments within the organization. | link | 7 |
| ISO27001-2013 | A.14.2.5 | ISO27001-2013_A.14.2.5 | ISO 27001:2013 A.14.2.5 | System Acquisition, Development And Maintenance | Secure system engineering principles | Shared | n/a | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. | link | 5 |
| ISO27001-2013 | A.6.1.5 | ISO27001-2013_A.6.1.5 | ISO 27001:2013 A.6.1.5 | Organization of Information Security | Information security in project management | Shared | n/a | Information security shall be addressed in project management, regardless of the type of the project. | link | 25 |
| | mp.sw.1 IT Applications development | mp.sw.1 IT Applications development | | | | | n/a | n/a | | 51 |
| NIST_SP_800-53_R4 | SA-15 | NIST_SP_800-53_R4_SA-15 | NIST SP 800-53 Rev. 4 SA-15 | System And Services Acquisition | Development Process, Standards, And Tools | Shared | n/a | The organization: a. Requires the developer of the information system, system component, or information system service to follow a documented development process that: 1. Explicitly addresses security requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. Supplemental Guidance: Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. References: None. | link | 1 |
| NIST_SP_800-53_R5 | SA-15 | NIST_SP_800-53_R5_SA-15 | NIST SP 800-53 Rev. 5 SA-15 | System and Services Acquisition | Development Process, Standards, and Tools | Shared | n/a | a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]. | link | 1 |
| | op.pl.2 Security Architecture | op.pl.2 Security Architecture | | | | | n/a | n/a | | 65 |
| | op.pl.3 Acquisition of new components | op.pl.3 Acquisition of new components | | | | | n/a | n/a | | 61 |