9-4 Information Technology Professionals Policy - Section VII: Information Systems Acquisition, Development and Maintenance Policy
Return to Information Technology Professionals Policy Table of Contents
What’s on this Page
Section VII: Information Systems Acquisition, Development and Maintenance Policy
Read next: Section VIII: Information Technology (IT) Resource Management Policy
VII. Information Systems Acquisition, Development and Maintenance Policy
This Policy provides direction for the integration of information security into the lifecycle of information systems that hold and process Local Agency data.
- Security Requirements of Information Systems
- To ensure security is built into all Local Agency information systems, all security requirements must be identified and documented at the design stage for new information systems or enhancements to existing systems.
- Security controls must be commensurate with the risks and the relative sensitivity of the system and the information it stores and/or processes.
- Separation of Development, Test and Production Environments
- Development and test environments must be logically or physically separated from production environments.
- Media used for development and test activities must be clearly labeled as such and must not be used on production systems unless all test data has been removed.
- Local Agency data that is used for development and test activities must be protected and controlled.
- If production data is used in a test environment, the following must be adhered to:
- Production data used in a test environment must be protected as if it is still production data.
- A copy of the production data must be made so that live data cannot be altered.
- The physical or electronic output of tests using the production data must be strictly controlled and promptly destroyed when no longer needed.
- System Planning and Acceptance
- Advance planning and preparation must be performed to ensure the availability of adequate capacity and resources. The security requirements of new systems must be established, documented, and tested prior to their acceptance and use.
- The capacity demands of Local Agency IT resources must be monitored and projections made of future capacity requirements to ensure adequate power and data storage requirements can be filled.
- Acceptance criteria must be developed and documented for new information systems or enhancements to existing systems.
- Acceptance testing must be performed to ensure security requirements are met prior to the system being migrated to the production environment.
- Correct Processing in Applications
To prevent errors, loss and unauthorized modification or misuse of information in application systems; processes must be established and maintained for:
- Input data validation - Data input to an information system must be validated to ensure it is correct and appropriate.
- Internal processing - Internal processing checks must be performed to minimize the risk of processing failures or deliberate acts leading to a loss of integrity.
- Output data validation – Data output from an information system must be validated to ensure the processing of stored information is correct and appropriate.
- Message integrity - Message integrity controls must be used for information systems where there is a security requirement to protect the authenticity of the message content.
- Error response – Responsibilities and procedures must be defined for responding to detected errors.
- Software Maintenance
- When technically feasible, all system software must be maintained at a vendor-supported level to ensure software accuracy and integrity.
- Modification of commercial-off-the-shelf software security controls is limited to essential changes that are strictly controlled and documented.
- All known security patches must be reviewed, evaluated, and appropriately applied in a timely manner. See also Section XII. Technical Vulnerability Management Policy.
- Change Control
Changes to software must be controlled by the use a formal change control procedure as specified in Section V. Change Management Policy.