Section CB2.3 Change management
(continued)
CB2.3.5
Arrangements should be made to ensure that once changes have been applied:
a) version control is maintained (eg using configuration management)
b) a record is maintained, showing what was changed, when, and by whom (eg using automated helpdesk / service desk software)
c) details of changes are communicated to relevant individuals (eg associated users, business managers and relevant third parties)
d) checks are performed to confirm that only intended changes have been made (eg by comparing code against a control version or checking ‘before and after’ contents of key records, such as within customer master files)
e) documents associated with the application are updated (eg design information, system configuration, implementation details, and records of all changes to the application)
f) the classification of information associated with the application is reviewed.
CB2.3.6
Checks should be performed on a regular basis to confirm that only intended changes have been made (eg by using code comparison programs or checking ‘before and after’ contents of key records such as customer master files).
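The check called for in CB2.3.5 d) and CB2.3.6 is a comparison of the deployed version against the control version, with the change record as the list of differences that are allowed. The following Go program is an added worked example, not part of the Standard or of any tool it names: it hashes a control snapshot and the deployed tree with SHA-256 and sorts every difference into "on the change record", "not on the change record" (the finding the control exists to surface) and "approved but never landed". The file trees, paths and change record are constructed for the example; the same comparison applies unchanged to ‘before and after’ exports of key records keyed by customer or account number instead of by path.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Digest maps a path (or record key) to the hex SHA-256 of its content.
type Digest map[string]string

// manifest hashes every entry of a tree. The tree is passed as path -> content so
// the example runs offline; against a real deployment you would walk the
// application directory with filepath.WalkDir and feed each file's bytes in here.
func manifest(tree map[string][]byte) Digest {
	d := make(Digest, len(tree))
	for path, content := range tree {
		sum := sha256.Sum256(content)
		d[path] = hex.EncodeToString(sum[:])
	}
	return d
}

// Report separates differences between control and deployed versions into those
// explained by the change record and those that are not.
type Report struct {
	Approved   []string // differs from control and was listed on the change record
	Unexpected []string // differs (modified, added or deleted) but was NOT on the change record
	Missing    []string // listed on the change record but identical to control: the change never landed
}

// compare is the post-change check: every path that differs must be explained by
// the approved change record, and every approved change must actually be present.
func compare(control, deployed Digest, approved []string) Report {
	onRecord := make(map[string]bool, len(approved))
	for _, p := range approved {
		onRecord[p] = true
	}
	// Union of paths on either side; an absent key hashes to "", so an added or
	// deleted file shows up as a difference like any other.
	paths := map[string]bool{}
	for p := range control {
		paths[p] = true
	}
	for p := range deployed {
		paths[p] = true
	}
	var r Report
	for p := range paths {
		if control[p] == deployed[p] {
			continue
		}
		if onRecord[p] {
			r.Approved = append(r.Approved, p)
		} else {
			r.Unexpected = append(r.Unexpected, p)
		}
	}
	for _, p := range approved {
		if control[p] == deployed[p] {
			r.Missing = append(r.Missing, p)
		}
	}
	sort.Strings(r.Approved)
	sort.Strings(r.Unexpected)
	sort.Strings(r.Missing)
	return r
}

// clean is true only when the deployed version differs from control exactly where
// the change record says it should.
func (r Report) clean() bool {
	return len(r.Unexpected) == 0 && len(r.Missing) == 0
}

func main() {
	// Constructed sample: the control snapshot taken before the change and the tree
	// found on the server afterwards. Only app/login.py and app/audit.py were on
	// the change record (hypothetical paths).
	control := manifest(map[string][]byte{
		"app/login.py":    []byte("def login(u, p): ..."),
		"app/payments.py": []byte("def pay(acct, amt): ..."),
		"config/db.yaml":  []byte("host: db1\n"),
	})
	deployed := manifest(map[string][]byte{
		"app/login.py":    []byte("def login(u, p, otp): ..."),    // approved change
		"app/payments.py": []byte("def pay(acct, amt, fee): ..."), // not on the change record
		"config/db.yaml":  []byte("host: db1\n"),
	})
	r := compare(control, deployed, []string{"app/login.py", "app/audit.py"})
	fmt.Printf("approved: %v\nunexpected: %v\nmissing: %v\nclean: %v\n",
		r.Approved, r.Unexpected, r.Missing, r.clean())
}
```

The control digest should be produced from the configuration-managed control version (CB2.3.5 a) and stored outside the reach of the people who deploy, otherwise a change made outside the process can be hidden by regenerating it. Run on a schedule, with an empty change record, the same comparison is the regular check of CB2.3.6: any difference at all is then unexpected.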
CB2 Application Management
www.securityforum.org
CB
Section CB2.4 Information security incident management
Principle
Information security incidents should be identified, responded to, recovered from, and followed up using an information security incident management process.
Objective
To identify and resolve information security incidents effectively, minimise their business impact and reduce the risk of similar incidents occurring.
CB2.4.1
There should be a documented information security incident management process that applies to the application.
CB2.4.2
The information security incident management process should include:
a) identifying information security incidents
b) responding to information security incidents
c) recovering from information security incidents
d) following up information security incidents.
CB2.4.3
Information security incidents should be:
a) reported to a predetermined contact (eg a helpdesk, telephone hot line or specialist IT team / department)
b) recorded in a log, or equivalent (eg using an automated information security incident management system)
c) categorised and classified (eg according to their severity and type).
CB2.4.4
The business impact of serious information security incidents should be assessed by an application specialist, the application owner and an information security specialist.
CB2.4.5
The response to information security incidents should include:
a) analysing available information (eg application and system event logs)
b) handling necessary evidence (eg labelling it and storing it in a safe location to prevent unauthorised tampering)
c) investigating the cause of information security incidents (eg with assistance from the information security incident management team)
d) containing and eradicating the information security incident (eg by making changes to access control or terminating network connections).
CB2.4.6
The recovery of information security incidents should involve:
a) rebuilding applications (and supporting IT facilities) to a previously known secure state (ie the same state they were in before the information security incident occurred)
b) restoring from information that has not been compromised by the information security incident
c) closure of the information security incident.
Section CB2.4 Information security incident management
(continued)
CB2.4.7
Following recovery from information security incidents:
a) reviews should be performed to determine the cause (eg by performing a root cause analysis) and effect of the information security incident and corresponding recovery actions
b) forensic investigations should be performed if required (eg for legal purposes or serious information security incidents, such as fraud)
c) existing security controls should be examined to determine their adequacy
d) corrective actions should be undertaken to minimise the risk of similar incidents occurring
e) details of the information security incident should be documented in a post-incident report.
Section CB2.5 Business continuity
Principle
A business continuity plan should be established, supported by contingency arrangements, and tested regularly.
Objective
To enable the business processes associated with the application to continue in the event of a disaster.
CB2.5.1
Business continuity should be the responsibility of a specific individual or working group.
CB2.5.2
The application should be supported by a documented business continuity plan, based on the results of a documented risk analysis, reviewed by key staff (eg information security specialists and user representatives), and signed off by an appropriate business representative.
CB2.5.3
The business continuity plan should specify:
a) recovery tasks to be carried out, in priority order
b) responsibilities of individuals, with nominated deputies
c) arrangements for the safe storage of plans, and their retrieval in case of emergency
d) testing of information security arrangements (eg rebuild and configuration of firewalls, malware protection software and intrusion detection mechanisms).
CB2.5.4
Relevant staff should be made aware of the responsibilities assigned to them in the business continuity plan.
CB2.5.5
The application should be supported by business continuity arrangements (eg a separate processing facility ready for immediate use or a contract with a specialist business continuity arrangements provider) in case of a disaster or emergency.
CB2.5.6
Business continuity arrangements should cover the prolonged unavailability of:
a) system or application software
b) critical information (eg business information, documentation, back-up files)
c) computer or network equipment, cabling or links
d) key staff (eg information security specialists, IT or user representatives)
e) buildings, machine rooms, power, communications and other vital services
f) access to systems or buildings (eg due to police, military or terrorist action, natural disaster, or withdrawal of transport services).
CB2.5.7
Steps should be taken to ensure business continuity arrangements will work within critical timescales by carrying out:
a) tests of alternative processing arrangements (eg running the application from a back-up site)
b) realistic simulations, involving both users and IT staff
c) tests of information security arrangements (eg rebuild and configuration of firewalls, malware protection software and intrusion detection mechanisms).
Section CB2.6 Sensitive information
Principle
Additional protection should be provided for applications that involve handling sensitive material or transferring sensitive information.
Objective
To preserve the integrity of sensitive information and protect it from unauthorised disclosure.
CB2.6.1
The transfer of sensitive information (eg involving other business applications or third parties) should involve the use of cryptography to:
a) protect the confidentiality of sensitive information when transferred
b) determine if critical information has been altered during transfer
c) enable the identity of the originator of critical information to be proven (eg using digital signatures to provide non-repudiation).
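The three properties in CB2.6.1 need two different primitives: an authenticated cipher gives confidentiality and detects alteration, but because both ends hold the same key it cannot prove to a third party who sent the data, which is why a digital signature under a key only the originator holds is listed separately. The following Go program is an added example, written for this page and not taken from the Standard or from any product: the originator signs the record with Ed25519 and the signed record is then encrypted under a shared transfer key with AES-256-GCM, so the receiver checks the GCM tag first (anything altered in transit is rejected before it is parsed) and the signature second (origin). The transfer key is assumed to have been agreed out of band (a KMS or key agreement, not shown), the context string carried as associated data and the sample record are constructed for the example, and replay protection is left to the receiver tracking the sequence number in that context.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Wire format of one transfer: nonce || AES-256-GCM(key, nonce, sig || msg, aad).
// The signature covers the plaintext record (origin proof); encryption covers the
// signature and record together (confidentiality); the GCM tag covers ciphertext
// and aad (alteration in transit).

// seal prepares msg for transfer. aad travels in clear but is authenticated, so
// it can carry sender, recipient and sequence number without encrypting them.
func seal(senderPriv ed25519.PrivateKey, transferKey, aad, msg []byte) ([]byte, error) {
	gcm, err := newGCM(transferKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sig := ed25519.Sign(senderPriv, msg)
	plain := append(append([]byte{}, sig...), msg...)
	// Seal appends ciphertext+tag to its first argument, so the result is nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plain, aad), nil
}

// open checks integrity first (GCM tag), then originator identity (signature),
// and only then releases the record to the application.
func open(senderPub ed25519.PublicKey, transferKey, aad, envelope []byte) ([]byte, error) {
	gcm, err := newGCM(transferKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < ns+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	plain, err := gcm.Open(nil, envelope[:ns], envelope[ns:], aad)
	if err != nil {
		return nil, fmt.Errorf("altered in transit, wrong context or wrong key: %w", err)
	}
	if len(plain) < ed25519.SignatureSize {
		return nil, errors.New("no signature present")
	}
	sig, msg := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, msg, sig) {
		return nil, errors.New("originator signature does not verify")
	}
	return msg, nil
}

// newGCM builds the AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("transfer key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Assumption: the transfer key was agreed out of band; here it is random bytes.
	transferKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, transferKey); err != nil {
		panic(err)
	}
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	aad := []byte("sender=billing;recipient=clearing;seq=42") // constructed context
	msg := []byte("CUSTOMER 1001 LIMIT 5000 -> 7500")         // constructed sample record

	env, err := seal(senderPriv, transferKey, aad, msg)
	if err != nil {
		panic(err)
	}
	got, err := open(senderPub, transferKey, aad, env)
	fmt.Printf("genuine: %q err=%v\n", got, err)

	// One flipped bit anywhere in the envelope is caught by the GCM tag.
	tampered := append([]byte{}, env...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = open(senderPub, transferKey, aad, tampered)
	fmt.Println("tampered:", err)

	// A party holding the transfer key but not the originator's signing key can
	// build a well-formed envelope; the signature check is what rejects it.
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := seal(impostorPriv, transferKey, aad, msg)
	_, err = open(senderPub, transferKey, aad, forged)
	fmt.Println("forged:", err)
}
```

Signing before encrypting is deliberate: the signature then covers exactly the record the application will act on, and the originator cannot later claim to have signed something else. The order of checks on receipt is also deliberate: verifying the GCM tag before touching the plaintext means the signature parser never sees attacker-controlled bytes.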
CB2.6.2
Sensitive physical material associated with the application (eg smartcards, access tokens, blank cheques, print-outs of personal information and removable storage media containing PIN data) should be:
a) stored in a physically secure location (eg in a fireproof safe and according to the manufacturer’s specifications)
b) protected in transit (eg by recording authorised recipients, clearly marking all material and confirming receipt)
c) monitored by recording its issue and use
d) disposed of in a secure manner when no longer required (eg by using methods such as erasure, incineration or shredding)
e) protected from loss, theft and unauthorised disclosure (eg by immediate removal from printers, facsimile machines or photocopiers).