System Acquisition Development and Maintenance Clause Samples
System Acquisition Development and Maintenance. (a) Application Hardening
i) Supplier will maintain and implement secure application development policies, procedures and standards consistent with Industry Standard Practices such as the SANS Top 25 Security Development Techniques or the OWASP Top Ten project.
ii) All Supplier Personnel responsible for secure application design, development, configuration, testing, and deployment will be qualified to perform the Services and Deliverables and receive appropriate training regarding Supplier’s secure application development practices.
(b) System Hardening
i) Supplier will establish and ensure the use of standard secure configurations of operating systems. Images should represent hardened versions of the underlying operating system, and the applications installed on the system. Hardening includes removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, applying patches, closing open and unused network ports, and implementing intrusion detection systems and/or intrusion prevention systems. These images should be validated on a regular basis to update their security configuration as appropriate. Supplier will implement patching tools and processes for both applications and operating system software. When outdated systems can no longer be patched, Supplier will update to the latest version of application software. Supplier will remove outdated, unsupported, and unused software from the system.
ii) Supplier will limit administrative privileges to only those personnel who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system.
System Acquisition Development and Maintenance. 9.1. Within the software development lifecycle, production data will not be used in testing. In the event that testing requires the use of production data, then the express permission of the Controller will first be obtained.
System Acquisition Development and Maintenance. ● Processor has policies for secure development, system engineering and support. Processor conducts appropriate tests for system security as part of acceptance testing processes.
System Acquisition Development and Maintenance. 9.1 The Supplier shall ensure that development activities are carried out in accordance with a documented system development methodology.
9.2 The Supplier shall maintain segregation of the Supplier’s development and test environments to reduce the risks of unauthorised access or changes to the operational system.
9.3 The Supplier shall ensure that information security and secure coding standards for the system under development shall be followed when designing the system.
9.4 The Supplier shall ensure that all system requirements (including functional and technical specifications and information security requirements) shall be documented and agreed before detailed design commences.
9.5 The Supplier shall ensure that quality assurance of key information security activities is performed during the development lifecycle.
9.6 The Supplier shall ensure that system build activities shall be carried out in accordance with Good Industry Practice, performed by individuals with the relevant skills and provided with the relevant tools. The Supplier shall inspect all system build activities to identify unauthorised modifications or changes which may compromise security controls.
9.7 The Supplier shall ensure that all elements of the Supplier Systems are tested at all stages of the software development lifecycle before the system is promoted to the live environment.
9.8 The Supplier shall undertake post-implementation reviews for all major changes.
9.9 The Supplier shall ensure that segregation of duties is in place for system development, including ensuring that system developers do not have access to the live environment, unless in an emergency. Such activities in these circumstances shall be logged and subject to independent review.
System Acquisition Development and Maintenance i. Security Requirements. Cisco shall adopt security requirements for the purchase, use, or development of information systems, including for application services delivered through public networks.
System Acquisition Development and Maintenance. 9.1. Security requirements of information systems
System Acquisition Development and Maintenance. Supplier shall: (i) use separate physical and logical development/test and production environments and databases; (ii) maintain written change management and secure application/system development procedures, including procedures to manage software on the network so that only authorized software is installed and can execute; (iii) maintain tools or services to identify malicious programming and code, including unauthorized or unmanaged software; and (iv) manage the security life-cycle of software to timely prevent, detect, and remediate security vulnerabilities.
System Acquisition Development and Maintenance. To establish information security as a vital part of information systems throughout the entire information lifecycle, including designing information security into the development of such systems. To ensure that sufficient controls are established to protect data used in testing.
System Acquisition Development and Maintenance. Secure software principles are followed both for coding projects and for software reuse operations.
System Acquisition Development and Maintenance. If Supplier develops software for use by Canary and/or Canary clients or for use in Processing Personal Information, Supplier must adhere to industry best practices and standards for Secure Software Development Lifecycle (SSDLC), including all of, but not limited to, the following techniques:
a. Consistently executed secure code reviews and testing either through manual peer review or via a code scanning solution;
b. Leveraging security guidelines from one or all of the following industry best practices and standards – OWASP Top 10, SANS Top 25 and Cloud Security Alliance;
c. Protection of test data and content and removal of test data and content before deployment to production;
d. System acceptance testing; and
e. System change control and approvals before deployment to production.