Software development and supplier management are closely linked, and the ISO/IEC 27001 standard reflects this relationship. In two chapters, the set of rules offers you orientation for the security-compliant design of supplier management (Annex A.15) and software development (Annex A.14).
The first of the ISO standard annexes considered here deals with the acquisition, development and maintenance of IT systems, where software is understood as part of an IT system. The goal is to anchor information security as a central requirement throughout the entire life cycle. This part consists of three sub-items focusing on general security requirements, development and operation/support processes, and test data. By implementing the requirements defined here, you set a framework for security-oriented processes in your organization. In doing so, you should take into account the specific risks of your company and the legal framework.
Security as a criterion for the quality of an IT solution must not be neglected even during requirements analysis and specification. There are three sub-points to consider:
Protection of transactions in application services: The exchange of information between programs must be secured. In addition to incorrect routing and incomplete transmission, known sources of error also include manipulations such as unauthorized disclosure and unauthorized repetition or modification of messages. Measures such as authentication and cryptography serve to secure message transmission.
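The sub-point above names unauthorized modification and unauthorized repetition (replay) of messages as error sources, and authentication as a countermeasure. The following added example (not code from the article or from ISO) shows the receiving side of an application service enforcing both: each message carries a sequence number and an HMAC-SHA256 tag under a shared key, so a modified message fails the integrity check and a repeated one is rejected by the sequence check. The key, the message layout and the `seal`/`Receiver` names are assumptions for the demo; protection against disclosure would additionally need an authenticated-encryption cipher, which is left out so that the example runs with the Python standard library only.

```python
"""Added example (not from the article): protecting messages exchanged between
two application services against modification and replay, using an HMAC over a
per-message sequence number."""
import hashlib
import hmac
import json

# Constructed demo key; in practice it is provisioned to both services out of band.
SHARED_KEY = b"demo-shared-key-0123456789abcdef"


def seal(key: bytes, seq: int, payload: dict) -> bytes:
    """Sender side: bind sequence number and payload, append an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


class Receiver:
    """Receiver side: verify the tag first, then require a strictly increasing sequence."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def open(self, wire: bytes) -> dict:
        try:
            body, tag = wire.rsplit(b".", 1)
        except ValueError:
            raise ValueError("malformed message")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; a tampered body or forged tag fails here.
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed (modified or forged message)")
        msg = json.loads(body)
        # A repeated (or reordered) message reuses an old sequence number.
        if msg["seq"] <= self.last_seq:
            raise ValueError("replayed or out-of-order message")
        self.last_seq = msg["seq"]
        return msg["payload"]


def demo() -> dict:
    """Run three cases: a genuine message, a replay of it, and a tampered copy."""
    rx = Receiver(SHARED_KEY)
    wire = seal(SHARED_KEY, 1, {"order": "A-17", "amount": 250})
    results = {"genuine": rx.open(wire)}
    for name, bad in (("replay", wire),
                      ("tampered", wire.replace(b"250", b"2500"))):
        try:
            rx.open(bad)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The sequence state must be kept per sender and survive restarts (for example in the service's database), otherwise a restart silently reopens the replay window.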
Your company must also ensure information security in the subsequent phases of the life cycle of IT systems. The previously defined requirements must be implemented during development as well as later in operation and support. The following nine points must be taken into account:
Just like production data, test data must be protected appropriately. For test purposes, it can make sense to work with anonymized or pseudonymized data. The third section of this chapter addresses this.
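The following added example (not from the article) shows one way to derive a pseudonymized test dataset from production records, as the section above suggests: direct identifiers are replaced by keyed-hash tokens that stay consistent across records (so joins between tables still work), dates are generalized, and free-text fields, which may contain anything, are dropped. The records, field names and the key are constructed for the demo; the key stays with the production data owner and is never shipped to the test environment.

```python
"""Added example (not from the article): producing a pseudonymized copy of
production records for use as test data."""
import hashlib
import hmac

# Constructed demo secret; in practice held only by the team that owns production data.
PSEUDONYM_KEY = b"test-data-pseudonym-key-2024"

# Constructed sample records standing in for a production customer table.
PRODUCTION_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.org", "birth_date": "1984-06-12",
     "plan": "premium", "notes": "called about invoice 4711"},
    {"customer_id": "C-1002", "email": "ben@example.org", "birth_date": "1991-02-03",
     "plan": "basic", "notes": "moved to Berlin"},
    {"customer_id": "C-1001", "email": "anna@example.org", "birth_date": "1984-06-12",
     "plan": "premium", "notes": "second order"},
]

DIRECT_IDENTIFIERS = ("customer_id", "email")   # replaced by tokens
FREE_TEXT_FIELDS = ("notes",)                   # removed entirely
GENERALIZED_DATES = ("birth_date",)             # reduced to the year


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic token: the same input always yields the same token, so
    referential integrity survives. The field name is mixed in so that an
    email and a customer id with equal text can never collide."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}:{mac[:16]}"


def pseudonymize(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(key, field, value)
        elif field in FREE_TEXT_FIELDS:
            continue
        elif field in GENERALIZED_DATES:
            out[field] = value[:4]
        else:
            out[field] = value
    return out


def build_test_dataset(records, key=PSEUDONYM_KEY):
    """Return the pseudonymized copy of all records."""
    return [pseudonymize(r, key) for r in records]


if __name__ == "__main__":
    for row in build_test_dataset(PRODUCTION_RECORDS):
        print(row)
```

Because the tokens are reproducible from the key, a pseudonymized dataset is still personal data under most regulations; rotating the key between test cycles and keeping it out of the test environment are part of the control, not optional extras.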
The second annex of ISO 27001 presented here deals with security aspects of cooperation with suppliers and with the control of service provision.
The first step is to develop and establish a supplier policy, because a partner's access to IT systems and data is a risk to the organization's information assets. Agreements with each and every supplier are required to reduce risk throughout the ICT supply chain. These serve to contractually fix and document the information security requirements. It is important to consider whether an outsourcing partner might have access to company information and whether it could process, store or pass it on. It must also be documented whether the supplier provides IT infrastructure components for this purpose.
The aim of this second aspect is to maintain the agreed level of security. The provision of services must be in accordance with the supplier contracts. The measures listed include the monitoring and review of supplier services. This can be ensured by regular (external) audits. In addition, it is important to establish a change management process so that changes to supplier services can be managed and controlled in an orderly manner. This should also cover changes to existing information security policies, procedures and measures. Possible changes can concern, for example, the criticality of affected business information or a risk assessment.
In the meantime, practically all industries and sectors are affected by software or computer-aided automation. A few examples:
If, as in the examples described, you operate systems and applications that you do not develop or maintain yourself, this has consequences for your company: it is up to you as the client to check your suppliers as service providers, including their security measures. It is important to define rules, agree them in writing and, much more importantly, monitor them regularly.
Security begins with the production of an IT system, regardless of whether it is software for an automation system, a computer-aided solution for manufacturing products or a system for supplying people. Systems and applications must be secure. To achieve this, rules must be established and followed. Both are your responsibility as the client.