Software development and supplier management are closely linked. The ISO/IEC 27001 standard also reflects this relationship. In two chapters, the set of rules offers you orientation for the security-compliant design of supplier management (Appendix A.15) and SW development (Appendix A.14).
Acquisition, Development And Maintenance Of Systems
The first of the ISO standard annexes considered here deals with the acquisition, development and maintenance of IT systems, where software is understood as part of an IT system. The goal is to anchor information security as a central requirement throughout the entire life cycle. This part consists of three sub-items focusing on general security requirements, development and operation/support processes, and test data. By implementing the requirements defined here, you set a framework for security-oriented processes in your organization. In doing so, you should take into account the specific risks of your company and the legal framework.
Security Requirements For The Information Systems
Security as a quality criterion for an IT solution must not be neglected even during requirements analysis and specification. There are three sub-points to consider:
- Analysis and specification of information security requirements: Security-specific requirements must be specified in the specification of new IT systems. As a prerequisite for this, they must already be taken into account in the requirements analysis. The same applies if systems are not newly established, but are changed or expanded.
- Securing application services in public networks: If information is transmitted via public networks such as the Internet, it must be specially secured. Threat scenarios such as fraudulent activities, contractual conflicts and unauthorized disclosure or modification play a role here.
- Protection of transactions in application services: The exchange of information between programs must be secured. In addition to incorrect routing and incomplete transmission, known sources of error also include manipulations such as unauthorized disclosure and unauthorized repetition or modification of messages. Measures such as authentication and cryptography serve to secure message transmission.
Security In Development And Operation/Support Processes
Your company must also ensure information security in the subsequent phases of the life cycle of IT systems. The previously defined requirements must be implemented during development as well as later in operation and support. The following nine points must be taken into account:
- Guidelines for secure development: Binding rules must be defined and consistently implemented for system development. This also includes continuous documentation.
- System Change Management Procedures: Formal change management and control procedures are required. These must be established and used.
- Technical review of applications after changes to the operating platform: Business-critical applications in particular must be reviewed and tested when changes are made to the operating platform. This serves to avoid negative side effects on supported business processes.
- Limitation of changes to software packages: Changes to software modules are to be limited to what is necessary. In addition, a change management process for change control is required.
- Principles for the analysis, development and maintenance of secure systems: Principles for system development including requirements analysis and subsequent maintenance must be defined and documented. To ensure the quality of secure IT systems, they must be applied to every implementation project and updated regularly.
- Secure development environment: Secure software tools are required for development and system integration projects. These must be provided throughout the entire development cycle and protected appropriately.
- Outsourced development: If development activities are to be outsourced to a service provider, the requirements must be defined in advance and a suitable partner selected. During the term of the contract, the activities of the outsourcing partner must be supervised and monitored by the client.
- Testing of system security: Security functionality must be tested already during development, not only after delivery.
- System Acceptance Test: Acceptance tests, including the associated criteria, are required not only for new information systems, but also for upgrades and new versions.
Secure Handling Of Test Data
Just like production data, test data must be protected appropriately. For test purposes, it can make sense to work with anonymized or pseudonymized data. The third section of this chapter addresses this.
The second appendix of ISO 27001 presented here deals with security aspects of cooperation with suppliers and the control of service provision.
Information Security In Supplier Relationships
The first step is to develop and establish a policy for suppliers, because a partner with access to IT systems and data represents a risk to information as an asset of the organization. Agreements with each and every supplier are required to reduce risk throughout the ICT supply chain. These serve to contractually fix and document the information security requirements. It is important to consider whether an outsourcing partner might have access to company information and whether it could process, store or pass it on. It must also be documented whether the partner provides IT infrastructure components for this purpose.
Management Of Service Delivery By Suppliers
The aim of this second aspect is to maintain the agreed level of security. The provision of services must be in accordance with the supplier contracts. The measures listed include the monitoring and review of supplier services. This can be ensured by regular (external) audits. In addition, it is important to establish a change management process so that changes to supplier services can be managed and controlled in an orderly manner. This should also cover changes to existing information security policies, procedures and measures. Possible changes can concern, for example, the criticality of affected business information or a risk assessment.
Connections Between SW Development And Suppliers
Today, practically all industries and sectors depend on software or computer-aided automation. A few examples:
- Imagine you are the managing director of the local municipal utility that supplies the residents with electricity, water, gas, etc. To manage the power supply, you use various IT systems, so-called control systems. As a result of a make-or-buy decision, the use of purchased standard products has turned out to be advantageous; an in-house development would make about as much sense as developing your own office applications such as Microsoft Word or Excel. Customization is used to make company-specific adjustments to the software products. The development, provision and maintenance of the system remains with the manufacturer, which implements your requirements and change requests itself or hands them over to another service provider.
- Another example is food manufacturing companies. Let’s say your company brews beer. The systems are controlled by software. After all, it is inconceivable that you would have individual bottles filled and labeled by hand in your large brewery; the personnel costs would be enormous. As in many areas of the food industry, your production and manufacturing processes are automated.
- The same applies in the (hypothetical) case that you work in the healthcare sector, for example, run a clinic. Process automation and IT systems are also widespread here. Think of artificial respiration or imaging methods such as magnetic resonance imaging (MRI).
If, as in the examples described, you operate systems and applications that you do not develop or maintain yourself, this has consequences for your company: it is up to you as the client to check your suppliers as service providers, including their security measures. It is important to define rules, agree them in writing and – what is much more important – monitor them regularly.
Security begins with the production of an IT system – regardless of whether it is software for an automation system, a computer-aided solution for manufacturing products or a system for supplying people. Systems and applications must be secure. To achieve this, rules must be established and followed. Both are your responsibility as the client.