Test new hardware or upgraded hardware and software against predefined performance requirements.


CONTROL ID
06740
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain facilities, assets, and services acceptance procedures., CC ID: 01144

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • It may be prudent that a fast-track software and hardware procurement process is formulated, which includes making prior arrangement with the related software and hardware providers to allow upgrading of system capacity within a short period of time when such a need arises. In any case, adequate end… (§ 9.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • It may be prudent that a fast-track software and hardware procurement process is formulated, which includes making prior arrangement with the related software and hardware providers to allow upgrading of system capacity within a short period of time when such a need arises. In any case, adequate end… (§ 9.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • For basic software such as an operating system and software products (including middleware), it is necessary to collect the revision information from vendors and study a necessary response. (P48.5. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to pay attention to the latest trends in security technology and to correctly evaluate the stability, compatibility, and usability of such a technology before adopting it. (P137.3. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Banks need to carry out due diligence with regard to new technologies since they can potentially introduce additional risk exposures. A bank needs to authorise the large scale use and deployment in production environment of technologies that have matured to a state where there is a generally agreed … (Critical components of information security 13) (i), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The purpose of the service validation and testing practice is to ensure that new or changed products and services meet defined requirements. The definition of service value is based on input from customers, business objectives, and regulatory requirements, and is documented as part of the value chai… (5.2.17 ¶ 1, ITIL Foundation, 4 Edition)
  • Review hardware and software technologies at least annually to confirm whether they continue to meet the organization’s PCI DSS requirements. (For example, a review of technologies that are no longer supported by the vendor and/or no longer meet the security needs of the organization.) (A3.3.2 ¶ 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Hardware and software technologies are reviewed at least once every 12 months to confirm whether they continue to meet the organization's PCI DSS requirements. (A3.3.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: (12.3.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Review the results of the recent reviews of hardware and software technologies to verify reviews are performed at least once every 12 months. (A3.3.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to review hardware and software technologies to confirm whether they continue to meet the organization's PCI DSS requirements. (A3.3.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documentation for the review of hardware and software technologies in use and interview personnel to verify that the review is in accordance with all elements specified in this requirement. (12.3.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: (12.3.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: (12.3.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. (§ 14.2.9 Health-specific control ¶ 1, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • For (2) desktop computers the entity shall conduct testing according to the SPEC CPU2006 benchmark and disclose results as both: (TC-SC-410a.2. 4, Semiconductors Sustainability Accounting Standard, Version 2018-10)
  • For (3) laptops the entity shall conduct testing according to the MobileMark® 2014 v1.5 and disclose results as both: (TC-SC-410a.2. 5, Semiconductors Sustainability Accounting Standard, Version 2018-10)
  • For (1) servers the entity shall conduct testing according to the SPEC Power SPECpower_sssj2008 and disclose the results as: overall ssj_ops/watt (TC-SC-410a.2. 3, Semiconductors Sustainability Accounting Standard, Version 2018-10)
  • The product supplier and/or system integrator should provide guidance on how to test the designed security controls. Asset owners need to be aware of the possible ramifications of running these verification tests during normal operations. Details of the execution of these verifications need to be sp… (7.5.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Do the criteria for accepting new Information Systems contain performance requirements and computer capacity requirements? (§ G.6.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting Information System upgrades contain performance requirements and computer capacity requirements? (§ G.6.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new versions of Information Systems contain performance requirements and computer capacity requirements? (§ G.6.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new Information Systems contain evidence that new systems will not adversely affect existing systems (particularly at peak processing times, such as month end)? (§ G.6.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting Information Systems upgrades contain evidence that new systems will not adversely affect existing systems (particularly at peak processing times, such as month end)? (§ G.6.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new versions of Information Systems contain evidence that new systems will not adversely affect existing systems (particularly at peak processing times, such as month end)? (§ G.6.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • VPN devices used to protect control systems should be thoroughly tested to verify that the VPN technology is compatible with the application and that implementation of the VPN devices does not unacceptably affect network traffic characteristics. (§ 6.2.16.2 ICS-specific Recommendations and Guidance ¶ 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Test, evaluate, and verify hardware and/or software to determine compliance with defined specifications and requirements. (T0539, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct trial runs of programs and software applications to ensure that the desired information is produced and instructions and security levels are correct. (T0436, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Administer test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s). (T0420, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Test internal developed tools and techniques against target tools. (T0829, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct trial runs of programs and software applications to ensure that the desired information is produced and instructions and security levels are correct. (T0436, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Test internal developed tools and techniques against target tools. (T0829, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Administer test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s). (T0420, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Test, evaluate, and verify hardware and/or software to determine compliance with defined specifications and requirements. (T0539, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)