Common use of System Acquisition Development and Maintenance Clause in Contracts

System Acquisition Development and Maintenance.

(a) Application Hardening

i) Supplier will maintain and implement secure application development policies, procedures and standards consistent with Industry Standard Practices such as the SANS Top 25 Security Development Techniques or the OWASP Top Ten project.

ii) All Supplier Personnel responsible for secure application design, development, configuration, testing, and deployment will be qualified to perform the Services and Deliverables and receive appropriate training regarding Supplier’s secure application development practices.

(b) System Hardening

i) Supplier will establish and ensure the use of standard secure configurations of operating systems. Images should represent hardened versions of the underlying operating system, and the applications installed on the system. Hardening includes removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, applying patches, closing open and unused network ports, and implementing intrusion detection systems and/or intrusion prevention systems. These images should be validated on a regular basis to update their security configuration as appropriate. Supplier will implement patching tools and processes for both applications and operating system software. When outdated systems can no longer be patched, Supplier will update to the latest version of application software. Supplier will remove outdated, unsupported, and unused software from the system.

ii) Supplier will limit administrative privileges to only those personnel who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system.

Appears in 2 contracts

Sources: Supplier Privacy and Security Terms, Supplier Privacy and Security Terms