CT.PO-P4: A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems
CSF v1.1 References:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
PL-8: Security and Privacy Architectures
Develop security and privacy architectures for the system that: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; Describe how the architectures are integrated into and support…
SA-3: System Development Life Cycle
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; Define and document information security and privacy roles and responsibilities throughout the system development life cycle; Identify individuals having information security and privacy roles and responsibilities; and Integrate the organizational information security and privacy risk…
SA-4: Acquisition Process
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Assignment (one or more): standardized contract language, [Assignment: organization-defined contract language] ] in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; Strength of mechanism requirements; Security and privacy assurance requirements; Controls needed to satisfy the…
SA-8: Security and Privacy Engineering Principles
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].
SA-10: Developer Configuration Management
Require the developer of the system, system component, or system service to: Perform configuration management during system, component, or service [Assignment (one or more): design, development, implementation, operation, disposal]; Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; Implement only organization-approved changes to the system, component, or service;…
SA-11: Developer Testing and Evaluation
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and privacy assessments; Perform [Assignment (one or more): unit, integration, system, regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; Produce evidence of…
SA-15: Development Process, Standards, and Tools
Require the developer of the system, system component, or system service to follow a documented development process that: Explicitly addresses security and privacy requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of…
SA-17: Developer Security and Privacy Architecture and Design
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture; Accurately and completely describes the required security and privacy functionality, and the allocation of controls…
SI-12: Information Management and Retention
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
Cloud Controls Matrix v3.0.1
AIS-01: Application Security
Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
CCC-01: New Development / Acquisition
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function.
CCC-02: Outsourced Development
External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
CCC-03: Quality Testing
Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.
IAM-06: Source Code Access Restriction
Access to the organization’s own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.
IVS-08: Production / Non-Production Environments
Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties.
IPY-01: APIs
The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications.
IPY-05: Virtualization
The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review.
TVM-03: Mobile Code
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices…
Critical Security Controls Version 8
16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
NIST Special Publication 800-53 Revision 4
PL-8: Information Security Architecture
The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; and Describes any information security assumptions about,…
SA-3: System Development Life Cycle
The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; Defines and documents information security roles and responsibilities throughout the system development life cycle; Identifies individuals having information security roles and responsibilities; and Integrates the organizational information security risk management process into system development life cycle activities.
SA-4: Acquisition Process
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements; Security strength requirements; Security assurance requirements; Security-related documentation…
SA-8: Security Engineering Principles
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
SA-10: Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; Implement only organization-approved changes to the system,…
SA-11: Developer Security Testing And Evaluation
The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan; Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; Produce evidence of the execution of the security assessment plan and the results of the security…
SA-15: Development Process, Standards, And Tools
The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the…
SA-17: Developer Security Architecture And Design
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture; Accurately and completely describes the required security…
SI-12: Information Handling And Retention
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Critical Security Controls Version 7.1
18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.