Principle
Development of desktop applications should be carried out in accordance with a documented development methodology.
Objective
To ensure desktop applications function correctly and meet security requirements.
CF13.4.1
There should be documented standards / procedures for developing critical desktop applications, which cover: specifying requirements; designing, building and testing the desktop application; distributing the desktop application; and training users of the desktop application.
CF13.4.2
Development of critical desktop applications should include a definition of security requirements, which:
a) includes an assessment of the need for confidentiality, integrity and availability of information
b) takes into account an information classification scheme (ie the method of classifying information according to its level of confidentiality such as top secret, company-in-confidence and public).
CF13.4.3
Security requirements for critical desktop applications should be documented and signed off by an appropriate business representative (eg the individual in charge of the local environment).
CF13.4.4
Critical desktop applications should be subject to information risk assessment, in accordance with enterprise-wide standards / procedures for information risk assessment (eg using a structured Information Risk Analysis Methodology, such as the ISF’s IRAM approach).
CF13.4.5
The results of the information risk assessment should be signed off by an appropriate business representative.
CF13.4.6
The design of critical desktop applications should include the identification and selection of security controls.
CF13.4.7
The build of critical desktop applications should be subject to:
a) approved methods of developing desktop applications (eg when creating macros and similar user defined routines in spreadsheets, databases, and other desktop applications)
b) documented version control (eg by using incremental version numbers following a change to the desktop application)
c) review by an independent desktop application specialist (eg an individual that does not work in the local environment, and is highly skilled in the functionality of desktop applications).
CF13.4.8
Critical desktop applications should be tested to ensure that they:
a) function as required
b) meet security requirements.
CF13.4.9
Testing of critical desktop applications should be supplemented by the use of automated tools (eg macros, defined routines and scanning tools) to examine the integrity of formulae and code.
CONTROL FRAMEWORK
www.securityforum.org
CF
SPECIALISED
Copyright © 2011 Information Security Forum • 2011 Standard of Good Practice CF13.4
CF13.4 Desktop Application Development
CF13.4.10
Before critical desktop applications are made available to users, checks should be performed to ensure that they can be supported on a continuing basis (eg by an individual or group of individuals skilled in developing desktop applications).
CF13.4.11
Changes to critical desktop applications should be:
a) performed in accordance with a change management process
b) reviewed to ensure that they do not adversely affect intended functionality or compromise security controls.
Related areas / topics
CF17 System Development Management
CF18 Systems Development Lifecycle
ISF resources
Protecting Information in the End User Environment
CF14.1 Remote Environments
Principle
Staff working in remote environments (eg in locations other than the organisation’s premises) should be subject to authorisation, supported by security awareness material and supplied with approved, robust and secure computing devices.
Objective
To ensure that critical and sensitive information handled by staff working in remote environments is protected against the full range of security threats.
CF14.1.1
Staff that work in remote environments, including public areas (eg hotels, trains, airports and Internet cafes) or from home, should be supported by documented standards / procedures, which cover:
a) authorisation by an appropriate business representative for staff to work remotely
b) security requirements associated with remote working
c) the types of device that can be used by staff working in remote environments, such as computing devices (eg desktop computers, laptop computers, tablets and smartphones) and other devices (eg printers or specialist equipment)
d) implementation and maintenance of computing devices located in remote environments
e) software configuration (eg employing standard ‘builds’ and relevant web browser settings)
f) provision of software to protect computing devices (eg system management tools, access control mechanisms, malware protection software and encryption capabilities)
g) protection against loss or theft.
CF14.1.2
Staff that work in remote environments should be:
a) authorised to work only in specified locations and informed of locations not approved for remote working (eg bars, public transportation)
b) equipped with the necessary skills to perform required security tasks (eg restricting access, performing back-ups and encrypting key files)
c) made aware of the additional risks associated with remote working (including the increased likelihood of theft of equipment or disclosure of confidential information)
d) provided with adequate technical support (eg via a helpdesk)
e) in compliance with legal and regulatory requirements (eg health and safety laws, and data privacy regulations)
f) provided with alternative working arrangements in case of emergency
CF14.1.3
Staff that work in remote environments should be supplied with computing devices that are:
a) purchased from approved suppliers (eg those with a proven record of providing robust and resilient equipment)
b) tested prior to use
c) supported by maintenance arrangements.
AREA CF14 – Mobile Computing
List of Topics
CF14.1 Remote Environments
CF14.2 Mobile Device Configuration
CF14.3 Mobile Device Connectivity
CF14.4 Portable Storage Devices
CF14.5 Consumer Devices
CF14.1.4
Computing devices used by staff working in remote environments should be supplied with:
a) standard, technical configurations (eg pre-configured to run a standard operating system, standard applications and common communications software)
b) a comprehensive set of system management tools (eg maintenance utilities and back-up software)
c) access control mechanisms to restrict access to the remote computer (eg using external party products)
d) up-to-date malware protection software, to protect against viruses, worms, trojan horses, spyware and adware
e) encryption software to protect information stored on the computer (eg using hard disk encryption) or transmitted by the computer (eg using a virtual private network (VPN) when connecting to the organisation’s network)
f) a security screen filter (often referred to as a privacy filter) to protect against the threat of shoulder surfing.
CF14.1.5
Access to computing devices used in remote environments should be restricted by encrypting passwords and preventing logical access to the capabilities of unattended computing devices (eg by using password-protected screen savers and configuring computers with a terminal lock-out).
CF14.1.6
Computing devices should be protected against loss and theft by:
a) providing users with physical locks, alarms or equivalent security devices
b) attaching tamper-proof labels, with identification details (eg a unique asset number or bar code)
c) removing any markings / labels that indicate the owner of the device (eg individual’s name or organisation’s name)
d) the use of indelible marking
e) issuing instructions on how to return the equipment in the event of loss or theft (eg indicating a ‘finders fee’ or reward for safe return).
Related areas / topics
CF16.2 Hardware / Software Acquisition
ISF resources
Best Practice in Securing Endpoint Computing Devices