AIS-01: Application and Interface Security Policy and Procedures

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following items from the previous version: AIS-01: Application Security, AIS-04: Data Security / Integrity.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.

Implementation Guidance

The policy should:

  1. Include defined roles and responsibilities supported by regular workforce training.
  2. Align with organizational purpose and strategy.
  3. Provide a framework for setting application security baselines (e.g., NIST, ISO, OWASP, and CIS benchmarks).
  4. Guide the development of application security controls.
  5. Include a commitment to satisfy applicable requirements and continual improvement.
  6. Cover all relevant applications regardless of whether they are developed in-house or via one's supply chain.
  7. Promote the use of an established software development lifecycle (SDLC) in software development, including code review, secure coding training, testing (functional, regression, security, etc.), vulnerability testing, and change management.
  8. Ensure vulnerability processes are followed with regular patching, scanning, and remediation before production deployment.
  9. Be reviewed by management periodically or after significant changes.

Auditing Guidance

  1. Examine policy and procedures for adequacy, approval, communication, and effectiveness as applicable to planning, delivery, and support of the organization's application security capabilities.
  2. Examine policy and procedures for evidence of review at least annually.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.