Establish, implement, and maintain a system testing policy.

CONTROL ID: 01102
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform Quality Management on all newly developed or modified systems., CC ID: 01100

This Control has the following implementation support Control(s):
  • Configure the test environment similar to the production environment., CC ID: 06837
  • Disseminate and communicate the system testing policy to interested personnel and affected parties., CC ID: 15473
  • Establish, implement, and maintain parallel testing criteria and pilot testing criteria., CC ID: 01107
  • Return test payment cards after their use., CC ID: 06398


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A methodology for system testing should be established. The scope of testing should cover business logic, system function, security controls and system performance under various load and stress conditions. A test plan should be established and approved before testing. (§ 5.7.1, Technology Risk Management Guidelines, January 2021)
  • A process should be implemented to formally assess and report on the quality and performance measures for all lifecycle stages while validating bespoke or customized computerized systems. (¶ 4.6, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The validation master plan should define the reporting requirements for documenting the validation exercises and results. (¶ 7.3 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Hardware and software development and testing should be documented and formally agreed upon by all parties. (¶ 13.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should develop, formally document, and use test scripts, which are related to the user requirements specifications and the functional specifications, to show that the system has been installed and is operating and performing satisfactorily. (¶ 13.4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Documented. (11.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (11.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In use. (11.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (11.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (11.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (11.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (11.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (11.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (11.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A basic control issue of systems development and acquisition work is to perform testing during the project to ensure system interfaces are operating as expected, individual system elements are working as required, users are being involved in the testing process, and intended functionality is provide… (§ 5.3.6 ¶ 2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • During system development lifecycle (SDLC) audits test plans, cases, and results must be documented, specified in the contract, and shared with the client. (§ 3 (Application Development) ¶ 4, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • System testing should be performed independently of system development staff, involve business users, and simulate the live environment. (CF.18.04.05, The Standard of Good Practice for Information Security)
  • There should be a process for ensuring that flaws or security weaknesses identified during the testing process are resolved in a consistent manner. (CF.18.05.06, The Standard of Good Practice for Information Security)
  • There should be a process for ensuring that flaws or security weaknesses identified during the testing process are resolved in a consistent manner. (CF.18.05.07, The Standard of Good Practice for Information Security, 2013)
  • The organization shall develop a validation plan. (§ 6.4.8.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • A program to review and keep current systems development and testing methodology for such systems; (§242.1001(a)(2)(iii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • All DoD test and development performed in cloud infrastructure must be categorized IAW the T&D Zone descriptions in the Enclave T&D STIG Overview document and comply with the security requirements in the associated Enclave T&D STIG. (Section 5.14 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The organization should continuously test the system to ensure the effectiveness of implemented controls. (§ I.A, OMB Circular A-123, Management's Responsibility for Internal Control)