Status: Live
The organization will develop, disseminate, and review: 1) a process for examining received software for vulnerabilities, covering the process's purpose, scope, and compliance requirements; and 2) procedures to facilitate implementing the process. [UCF ID 01898]
Supporting and supported controls
This control directly supports:
- Acceptance of facilities, technology, and technology services [UCF Control ID 01144]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj H.8; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-302.a; The Standard of Good Practice for Information Security, SM4.3.3, SM4.3.4, SD4.4.4(a), SD4.4.4(b); Archer Control Table, ATCS-414
Banking and Finance Guidance
[Exam Tier II Obj H.8, FFIEC IT Examination Handbook – Information Security]
US Federal Security Guidance
Software must be tested to ensure it does not contain any features that might undermine or bypass the security features of the operating system. Security software must be tested to ensure its security features operate as stated. [§ 8-302.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
General Guidance
All new software should be examined by appropriately skilled staff to identify any security deficiencies before it is accepted. External assessments from trusted sources (for example, vendor security advisories or independent vulnerability reports) should also be used to identify known vulnerabilities. [SM4.3.3, SM4.3.4, SD4.4.4(a), SD4.4.4(b), The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
