Test new hardware or upgraded hardware and software for implementation of security controls.
CONTROL ID
06743
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain facilities, assets, and services acceptance procedures., CC ID: 01144

This Control has the following implementation support Control(s):
  • Test new software or upgraded software for security vulnerabilities., CC ID: 01898
  • Test new software or upgraded software for compatibility with the current system., CC ID: 11654
  • Test new hardware or upgraded hardware for compatibility with the current system., CC ID: 11655
  • Test new hardware or upgraded hardware for security vulnerabilities., CC ID: 01899


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Informing the information security team regarding purchase of an application and assessing the application based on the security policy requirements (Critical components of information security 11) c.2. Bullet 7, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The control system shall provide the capability to employ automated mechanisms to support management of security verification during FAT, SAT and scheduled maintenance. (7.5.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Where modifications have to be made to the base code of external party software packages, a documented customization process should be applied, which takes into account the risk of built-in security controls being compromised. (CF.18.03.04b, The Standard of Good Practice for Information Security)
  • Where modifications have to be made to the base code of external party software packages, a documented customization process should be applied, which takes into account the risk of built-in security controls being compromised. (CF.18.03.04b, The Standard of Good Practice for Information Security, 2013)
  • When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed), and that the appropriate technical measures are in place (e.g., anti-malware, logging) for each … (Annex A: § CLD.9.5.2 Table, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Components shall provide the capability to support verification of the intended operation of security functions according to ISA‐62443‐3‐3 [11] SR3.3. (7.5.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The product supplier and/or system integrator should provide guidance on how to test the designed security controls. Asset owners need to be aware of the possible ramifications of running these verification tests during normal operations. Details of the execution of these verifications need to be sp… (7.5.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Components shall provide the capability to support verification of the intended operation of security functions during normal operations. (7.5.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Do the criteria for accepting new Information Systems contain an agreed set of security controls? (§ G.6.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting Information Systems upgrades contain an agreed set of security controls? (§ G.6.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new versions of Information Systems contain an agreed set of security controls? (§ G.6.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new Information Systems contain evidence of the effect on the overall security of the organization? (§ G.6.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting Information Systems upgrades contain evidence of the effect on the overall security of the organization? (§ G.6.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the criteria for accepting new versions of Information Systems contain evidence of the effect on the overall security of the organization? (§ G.6.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Incorporates confidentiality, integrity, and availability when designing or selecting analytics tools. (App A Objective 3:9b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institutions should implement the appropriate physical and logical security controls to ensure retail payment system transactions are processed, cleared, and settled in an accurate, timely, and reliable manner. Security risk assessments should consider physical and logical security control… (Information Security, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Verify the correctness of [Assignment: organization-defined security critical or essential software, firmware, and hardware components] using [Assignment: organization-defined verification methods or techniques]. (3.14.7e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Newly identified vulnerabilities are mitigated or documented as accepted risks. (RS.MI-3, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Ensure that acquired or developed system(s) and architecture(s) are consistent with organization's cybersecurity architecture guidelines. (T0090, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Assess and monitor cybersecurity related to system implementation and testing practices. (T0504, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that acquired or developed system(s) and architecture(s) are consistent with organization's cybersecurity architecture guidelines. (T0090, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Assess and monitor cybersecurity related to system implementation and testing practices. (T0504, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Build, install, configure, and test dedicated cyber defense hardware. (T0335, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)