Follow the system's operating procedures when testing new hardware or upgraded hardware and software.


CONTROL ID
06742
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain facilities, assets, and services acceptance procedures., CC ID: 01144

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • To ensure security, it is necessary to act comprehensively by combining the following measures. It is necessary to pay attention to the latest trends in security technology and to correctly evaluate the stability, compatibility, and usability of such a technology before adopting it. (P13.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For security technology used to connect to the Internet, it is necessary to pay attention to the latest trends and to correctly evaluate the stability, compatibility, and usability of such a technology before adopting it. (P14.8. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Rules shall be defined on the identification of all applications developed or run by the organisational unit's end users, on documentation, on the coding guidelines and on the testing methodology, on the protection requirements analysis and on the recertification process for authorisations (e.g. in … (II.6.44, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The likelihood of critical business applications and technical infrastructure malfunctioning should be reduced by ensuring compliance with common or industry security standards for hardware and software. (CF.20.03.02c, The Standard of Good Practice for Information Security)
  • The likelihood of critical business applications and technical infrastructure malfunctioning should be reduced by ensuring compliance with common or industry security standards for hardware and software. (CF.20.03.02c, The Standard of Good Practice for Information Security, 2013)
  • Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, Service Packs, and other updates and modifications. (RM-02, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Do the criteria for accepting new Information Systems contain the preparation and testing of operating procedures? (§ G.6.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting Information Systems upgrades contain the preparation and testing of operating procedures? (§ G.6.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new versions of Information Systems contain the preparation and testing of operating procedures? (§ G.6.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new Information Systems contain effective manual procedures? (§ G.6.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting Information Systems upgrades contain effective manual procedures? (§ G.6.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new versions of Information Systems contain effective manual procedures? (§ G.6.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • All DoD test and development performed in cloud infrastructure must be categorized IAW the T&D Zone descriptions in the Enclave T&D STIG Overview document and comply with the security requirements in the associated Enclave T&D STIG. (Section 5.14 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)