Establish, implement, and maintain system design principles and system design guidelines.
CONTROL ID
01057
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle planning phase., CC ID: 06266

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a security controls definition document., CC ID: 01080
  • Include naming conventions in system design guidelines., CC ID: 13656
  • Implement manual override capability into automated systems., CC ID: 14921
  • Define and assign the system development project team roles and responsibilities., CC ID: 01061
  • Redesign business activities to support the system implementation., CC ID: 01067
  • Establish, implement, and maintain security design principles., CC ID: 14718
  • Establish, implement, and maintain a system use training plan., CC ID: 01089
  • Include the physical design characteristics in the system design specification., CC ID: 06927
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • It is necessary to verify that the system development plan is based on the medium- to long-term system plan and that it adopts appropriate technologies. It is also necessary for the development manager to approve the plan in order for it to be implemented. (C3.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Multi-tier application architecture needs to be considered for relevant critical systems like internet banking systems which differentiate session control, presentation logic, server side input validation, business logic and database access. (Critical components of information security 11) c.28., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • (§ F.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The user requirement specifications should describe the required computerized system functions. (¶ 4.4, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The top management initiates, controls and monitors an information security management system (ISMS), which has a valid certification according to ISO/IEC 27001:2013 or ISO 27001 on the basis of IT-Grundschutz. The statement of applicability covers the IT processes for the development and operation… (Section 5.1 OIS-01 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The management board shall define appropriate quantitative or qualitative criteria for managing those areas responsible for operations and for the further development of IT systems, and compliance with them shall be monitored. (II.2.7, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Define the minimum security criteria. (§ 2.1.2, Microsoft Simplified Implementation of the Security Development Lifecycle (SDL), 1.0)
  • There needs to be complete and accurate documentation and records at all times covering all aspects of the design phase, implementation phase, and the validation phase. (¶ 5.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization needs to establish and agree on the requirements for software, hardware, and non-software. (¶ 9.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • A detailed system description, including diagrams, should be written and kept up to date, to include a description of the objectives, principles, scope, and security measures; the main features of how the system operates; and how it interacts with other procedures and systems. (¶ 4, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Examine the written software development processes to verify Information Security is included throughout the development lifecycle. (Testing Procedures § 6.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview software developers to verify the software development processes have been implemented. (Testing Procedures § 6.3.d, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must use PCI DSS requirements and industry best practices when developing new software and ensure information security is incorporated throughout the software lifecycle. (§ 6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Security policies and operational procedures for developing and maintaining secure systems and applications must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications documented, in use, and known to all affected parties? (PCI DSS Question 6.7, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives. (§ 3 Principle 11 Points of Focus: Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, COSO Internal Control - Integrated Framework (2013))
  • Standards should be adopted for systems development processes. These standards should apply to designing, developing, testing, implementing, and maintaining programs and systems when the organization develops their own applications. For outsourced application development or acquiring new systems, ag… (§ 5.3.2 ¶ 3, § 5.3.6 ¶ 2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The system design criteria should include national and local requirements; what quality is to be used for each item (for example, not installing a high quality lock on a hollow door); the space and capacity requirements; system performance parameters; system features; implementation costs; operation… (Pg 6-II-6 thru Pg 6-II-8, Revised Volume 2 Pg 1-III-13 thru Revised Volume 2 Pg 1-III-16, Protection of Assets Manual, ASIS International)
  • The security architecture shall be maintained (e.g., involving reviews, exception handling, and Change Management). (CF.08.01.08d, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for developing critical desktop applications. (CF.13.04.01-1, The Standard of Good Practice for Information Security)
  • Critical desktop applications standards and procedures should cover designing the desktop application. (CF.13.04.01-3, The Standard of Good Practice for Information Security)
  • The system development methodology should be kept up-to-date to include new and emerging application architectures (e.g., web 2.0, Service Oriented Architecture, and web services). (CF.17.01.05c, The Standard of Good Practice for Information Security)
  • The security architecture shall be maintained (e.g., involving reviews, exception handling, and Change Management). (CF.08.01.08d, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for developing critical desktop applications. (CF.13.04.01-1, The Standard of Good Practice for Information Security, 2013)
  • Critical desktop applications standards and procedures should cover designing the desktop application. (CF.13.04.01-3, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacente… (CCC-01, Cloud Controls Matrix, v3.0)
  • Integrating ICT security. An organization should implement ICT (Information and Communications Technology) security activities uniformly throughout the organization and from the beginning of any ICT system's lifecycle. The ICT security process is itself a major cycle of activities and should be inte… (§ 5.2.3, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessa… (¶ 8.1.5(3), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The organization shall use accepted professional practices and applicable standards to define the stakeholder requirements for physical capabilities, mental capabilities, and learned capabilities. (§ 6.4.1.3(b)(3)(i), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall use accepted professional practices and applicable standards to define the stakeholder requirements for the workplace, facility, and environment. (§ 6.4.1.3(b)(3)(ii), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall use accepted professional practices and applicable standards to define the stakeholder requirements for normal conditions, unusual conditions, and emergency conditions. (§ 6.4.1.3(b)(3)(iii), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall use accepted professional practices and applicable standards to define the stakeholder requirements for user and operator training, recruitment, and culture. (§ 6.4.1.3(b)(3)(iv), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • (§ 8.4(f), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Rules for the development of software and systems shall be established and applied to developments within the organization. (A.14.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Rules for the development of software and systems should be established and applied to developments within the organization. (§ 14.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 ¶ 2 Bullet 4 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, Trust Services Criteria)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 ¶ 2 Bullet 4 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, Trust Services Criteria, (includes March 2020 updates))
  • CSR 2.5.6: The organization must make the sensitive information system development documentation available, including security mechanisms and implementation. CSR 6.3.1: The organization must use the security engineering principles from NIST SP 800-27 Rev. A for the design and implementation of new i… (CSR 2.5.6, CSR 6.3.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and (§242.1001(a)(2)(vi), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • § 820.30(a)(1): A medical device manufacturer of Class II or III devices and Class I devices listed in § 820.30(a)(2) shall establish and maintain procedures for controlling the device design to ensure design requirements are met. § 820.30(b): A medical device manufacturer shall establish and mai… (§ 820.30(a)(1), § 820.30(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The design reviews should include design specifications, requirements specifications, test plans and procedures, the examination of development plans, verification results for each lifecycle stage, other documents and activities associated with the project, and validation results for the overall dev… (§ 3.5 ¶ 1, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The software requirements specification document should contain a written definition of the software functions, and usually contains all inputs; all outputs; all functions; all performance requirements; external and user interfaces; how users interact with it; any errors and the handling of errors;… (§ 5.2.2 ¶ 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The user requirements specification must define the intended use of the software or automated equipment. (§ 6.2 ¶ 1 Bullet 1, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The user requirements specification must define the extent that the device manufacturer is dependent on the software or automated equipment to produce a quality medical device. (§ 6.2 ¶ 1 Bullet 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Securely designs, builds, and operates databases. (App A Objective 3:6a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The designers should develop detailed documentation for the completed designs to enable other programmers to modify the software after it is in production. The designers should also develop draft versions of user, operator, and maintenance manuals. (Pg 22, Exam Obj 5.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Does management use a formal methodology for acquiring, developing, or maintaining new software or modified software? (IT - Networks Q 35, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The initial system security plan developed at the start of the system development process should include the development, documentation, and deployment of media sanitization controls. (§ 4.1, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support. (T0012, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must use information system security engineering principles for the design, specification, development, modification, and implementation of the Information System. (App F § SA-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support. (T0012, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. (SA-8 Control, TX-RAMP Security Controls Baseline Level 2)