oneneck.com/it-security-services
Section Four
Control 16 – Application Software Security
Many companies are adopting software as a service
(SaaS) applications and cloud services (infrastructure
as a service, platform as a service), which can
introduce new digital risks and require ongoing
patch management to address new vulnerabilities.
IT teams are also rapidly developing custom
applications and may defer security testing to
late-stage development, leaving gaps and errors
that attackers can exploit.
This control helps you manage the entire security
life cycle of all software that you develop or acquire
to ensure that you can prevent, detect and correct
any weaknesses before others discover them.
This control applies to IG2s (it has no IG1
safeguards). They should establish secure coding
practices; perform QA testing on in-house developed
software; verify that external software is supported
and appropriately hardened before use; use only
standardized, accepted encryption algorithms; and
train developers to write secure code.
Newer recommendations also include performing
root cause analysis on security vulnerabilities,
establishing and maintaining an up-to-date inventory
("bill of materials") of the third-party components
used in development, and applying secure design
principles in application architectures.
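The "use only standardized, accepted encryption algorithms" safeguard is easiest to enforce when it is checked automatically in the build rather than left to code review. The following is an added example, not code from this document or from OneNeck: a small source scan that flags calls to deprecated or weak primitives and non-cryptographic randomness, run here against two constructed code samples (a legacy version and its hardened rewrite). The disallowed-pattern list is an assumed policy for illustration; a real deployment would align it with the organization's own crypto standard.

```python
"""Added example (not from the original page): a minimal policy scan for
disallowed cryptographic primitives, usable as a CI gate for CIS Control 16.

The DISALLOWED table below is an assumed policy for illustration only;
replace it with the algorithms your own standard rejects.
"""
import re
from dataclasses import dataclass

# Assumed policy: regex -> reason. Each pattern targets a direct call site.
DISALLOWED = {
    r"\bhashlib\.md5\b": "MD5 is collision-broken; use SHA-256 or stronger",
    r"\bhashlib\.sha1\b": "SHA-1 is collision-broken; use SHA-256 or stronger",
    r"\bDES\b|\bTripleDES\b|\bDES3\b": "DES/3DES are deprecated; use AES",
    r"\bARC4\b|\bRC4\b": "RC4 is broken; use AES-GCM or ChaCha20-Poly1305",
    r"\bmodes\.ECB\b|\bMODE_ECB\b": "ECB mode leaks plaintext structure; use an AEAD mode",
    r"\brandom\.(random|randint|choice)\b": "random is not a CSPRNG; use the secrets module",
}


@dataclass
class Finding:
    path: str
    line: int
    text: str
    reason: str


def scan_source(path, source):
    """Return a Finding for every line that matches a disallowed pattern.

    Comments are stripped before matching so that a line such as
    '# migrated away from md5' does not produce a false positive.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code_only = line.split("#", 1)[0]
        for pattern, reason in DISALLOWED.items():
            if re.search(pattern, code_only):
                findings.append(Finding(path, lineno, line.strip(), reason))
    return findings


def passes_policy(files):
    """files: mapping of path -> source text. True when no file has findings."""
    return all(not scan_source(path, src) for path, src in files.items())


# Constructed sample: the kind of legacy code the control is meant to catch.
WEAK_SAMPLE = """import hashlib, random
from Crypto.Cipher import AES
def hash_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()   # legacy
def encrypt(key, data):
    key_iv = random.randint(0, 2**32)
    return AES.new(key, AES.MODE_ECB).encrypt(data)
"""

# Constructed sample: the same functions rewritten with accepted primitives.
HARDENED_SAMPLE = """import hashlib, secrets
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
def hash_password(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)
def encrypt(key, data):
    nonce = secrets.token_bytes(12)
    return nonce + AESGCM(key).encrypt(nonce, data, None)
"""


if __name__ == "__main__":
    for f in scan_source("weak.py", WEAK_SAMPLE):
        print(f"{f.path}:{f.line}: {f.reason}\n    {f.text}")
    print("hardened.py passes:", passes_policy({"hardened.py": HARDENED_SAMPLE}))
```

A regex scan only sees direct call sites: an aliased import (`from hashlib import md5 as h`) or a primitive selected from a configuration string will slip past it, so treat the gate as a fast filter that complements, rather than replaces, a proper SAST tool and the developer training the control calls for.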
Control 17 – Incident Response Management
With the frequency and complexity of cyberattacks,
if you haven't already experienced an attack, you
will. When that happens, your response can greatly
affect the extent of the damage and the speed of
your recovery.
Control 17 helps you implement an incident
response program, with defined plans, roles, training,
communications and management oversight. You'll
develop a written plan that includes roles and key
phases for incident handling and management. You'll
designate management personnel who will make
critical decisions; assemble contact information
for third parties who need to be contacted when
incidents occur; and publish information on key
anomalies and incidents, sharing them with both
incident team members and all employees routinely.
IG2s will want to consider assigning job titles and
duties for handling incidents to key management
team members; developing organization-wide
standards for reporting incidents, including which
primary and secondary mechanisms will be used to
communicate and report during a security incident
and the time requirements for doing so; and planning
and conducting exercises and scenarios to practice
incident response. Each incident should be followed
by a post-incident review that identifies lessons
learned and implements follow-up actions to help
prevent recurrence.
Cyberbreach studies have identified human error as a key cause of up to 90% of data breaches. (Anthony Spadafora)