Establish, implement, and maintain an application security policy.


CONTROL ID: 06438
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Include allow lists of protocols, domains, paths and ports in the application security policy., CC ID: 16852
  • Conduct application security reviews, as necessary., CC ID: 06298


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Application security (Critical components of information security 1) 2) q. ix., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The following are the important Application control and risk mitigation measures that need to be implemented by banks: (Critical components of information security 11) c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Ensuring that adequate controls are built into the application through active involvement in the application design, development, testing and change process (Critical components of information security 11) c.2. Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Robust web application frameworks are used to aid in the development of secure web applications. (Security Control: 1239; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Cryptographic hash rules, publisher certificate rules and path rules used for application control are validated at least annually. (Security Control: 1582; Revision: 0, Australian Government Information Security Manual, March 2021)
  • The confidentiality, integrity and availability requirements for systems, applications and data are determined and documented. (G3:, Australian Government Information Security Manual, June 2023)
  • The confidentiality, integrity and availability requirements for systems, applications and data are determined and documented. (G3:, Australian Government Information Security Manual, September 2023)
  • Ongoing security of existing software would also typically be considered as part of change management and as new vulnerabilities are identified. Typical factors to consider include: (Attachment D 2., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • processes and solutions to secure websites and applications that can be directly attacked from the internet and/or the outside, that can serve as an entry point into the internal ICT systems. In general these include a combination of recognised secure development practices, ICT system hardening and … (Title 3 3.3.4(b) 55.h(iii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Address application security and availability requirements in response to identified risks and in line with the organisation's data classification, information architecture, information security architecture and risk tolerance. (AI2.4 Application Security and Availability, CobiT, Version 4.1)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Verify that the application has protection from subdomain takeovers if the application relies upon DNS entries or DNS subdomains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage … (10.3.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at lea… (AIS-01, Cloud Controls Matrix, v4.0)
  • The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. (GV.TE-2.1, CRI Profile, v1.2)
  • The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. (GV.TE-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Does the information security policy contain an application security policy? (§ B.1.9, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures). (CM.5.074, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Mobile application. (AppE.7 Objective 5:4 b. Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. (T0244, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintaining the integrity and security of system data and software is a key component in contingency planning. Data integrity involves keeping data safe and accurate on the system's primary storage devices. There are several methods available to maintain the integrity of stored data. These methods u… (§ 5.1.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. (T0244, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • systems and application development and quality assurance; (§ 500.03 Cybersecurity Policy (i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • systems and application security and development and quality assurance; (§ 500.3 Cybersecurity Policy (i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)