Back

Establish, implement, and maintain an application security policy.


CONTROL ID
06438
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Conduct application security reviews, as necessary., CC ID: 06298


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Application security (Critical components of information security 1) 2) q. ix., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The following are the important Application control and risk mitigation measures that need to be implemented by banks: (Critical components of information security 11) c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Ensuring that adequate controls are built into the application through active involvement in the application design, development, testing and change process (Critical components of information security 11) c.2. Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Robust web application frameworks are used to aid in the development of secure web applications. (Security Control: 1239; Revision: 3, Australian Government Information Security Manual)
  • Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually. (Security Control: 1582; Revision: 0, Australian Government Information Security Manual)
  • Ongoing security of existing software would also typically be considered as part of change management and as new vulnerabilities are identified. Typical factors to consider include: (Attachment D 2., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • processes and solutions to secure websites and applications that can be directly attacked from the internet and/or the outside, that can serve as an entry point into the internal ICT systems. In general these include a combination of recognised secure development practices, ICT system hardening and … (Title 3 3.3.4(b) 55.h(iii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Address application security and availability requirements in response to identified risks and in line with the organisation's data classification, information architecture, information security architecture and risk tolerance. (AI2.4 Application Security and Availability, CobiT, Version 4.1)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at lea… (AIS-01, Cloud Controls Matrix, v4.0)
  • The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. (GV.TE-2.1, CRI Profile, v1.2)
  • The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. (GV.TE-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Does the information security policy contain an application security policy? (§ B.1.9, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures). (CM.5.074, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Mobile application. (AppE.7 Objective 5:4 b. Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. (T0244, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. (T0244, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • systems and application development and quality assurance; (§ 500.03 Cybersecurity Policy (i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)