Overview: • Determine security requirements for the state informaon system. • Manage the technology life cycle by defining security roles and responsibilies, and integrang the risk management process. • Follow change control procedures to ensure separate dues for development and test/producon areas, and removal of test data before system is acve. • Develop applicaons based on secure coding guidelines to prevent coding violaons. • The acquision process must include descripons and requirements for security funcon and controls, security strength, security assurance and acceptance criteria. • Administrator documentaon for the state informaon system must describe user-accessible security funcons, methods for user interacon, user responsibility in maintaining system security, and protecon documentaon in accordance with risk management. • Perform configuraon management during development, implementaon and operaon and document accordingly. • Independent agents to verify the correct implementaon of the security assessment plan and conduct penetraon tesng. Purpose: Establish adequate security controls for the acquision and deployment of state informaon systems. Why it’s important: Implemenng the right technology best meets the agency’s requirements and also follows federal and state regulaons for encrypon. Migates potenal risks and vulnerabilies. Target audience: IT managers, finance managers, procurement team 06.16.14 8130 IT SECURITY POLICY 8130 IT SECURITY POLICY System Security Acquision and Development System Security Acquision and Development Documentation must describe the secure configuration, installation, operation of the system and the components. Information engineering principles must be applied in the specification, design, development, implementation and modification of the system. Implement software development processes: remove user IDs and passwords; review custom code prior to release. Create and implement a security assessment plan that tests and evaluates security-related functional properties. Providers of external state information system services must identify the functions, ports, protocols and other services required. password username login Address new threats and vulnerabilities for public Web applications on an ongoing basis. Install Web-application firewalls. Perform threat and vulnerability analyses. For more informaon about this IT Security Policy, contact [email protected]. 07.07.14 3

and Development 8130 - AZ POLICY P8130...Overview: • Determine security requirements for the state information system. • Manage the technology life cycle by deﬁning security

Download PDF Report

Upload
truongduong
View
213
Download
1

Embed Size (px)

Citation preview

Overview:

• Determine security requirements for the state information system.

• Manage the technology life cycle by defining security roles and responsibilities, and integrating the risk management process.

• Follow change control procedures to ensure separate duties for development and test/production areas, and removal of test data before system is active.

• Develop applications based on secure coding guidelines to prevent coding violations.

• The acquisition process must include descriptions and requirements for security function and controls, security strength, security assurance and acceptance criteria.

• Administrator documentation for the state information system must describe user-accessible security functions, methods for user interaction, user responsibility in maintaining system security, and protection documentation in accordance with risk management.

• Perform configuration management during development, implementation and operation and document accordingly.

• Independent agents to verify the correct implementation of the security assessment plan and conduct penetration testing.

Purpose:Establish adequate security controls for the acquisition and deployment of state information systems.

Why it’s important:Implementing the right technology best meets the agency’s requirements and also follows federal and state regulations for encryption. Mitigates potential risks and vulnerabilities.

Target audience:IT managers, finance managers, procurement team

06.16.14

8130IT SECURITY POLICY

8130IT SECURITY POLICYSystem Security Acquisition

and DevelopmentSystem Security Acquisition

and Development

Documentation must describe the secure configuration, installation, operation of the system and the components.

Information engineering principles must be applied in the specification, design, development, implementation and modification of the system.

Implement software development processes: remove user IDs and passwords; review custom code prior to release.

Create and implement a security assessment plan that tests and evaluates security-related functional properties.

Providers of external state information system services must identify the functions, ports, protocols and other services required.

password

username

Address new threats and vulnerabilities for public Web applications on an ongoing basis. Install Web-application firewalls. Perform threat and vulnerability analyses.

For more information about this IT Security Policy, contact [email protected].

07.07.14