Assign the role of information security management as a part of developing systems.


CONTROL ID
06823
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish and maintain the overall system development project management roles and responsibilities., CC ID: 00991

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Data management systems (data managers) (C4.2. ¶ 3(2), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Assign security experts. (§ 2.1.1, Microsoft Simplified Implementation of the Security Development Lifecycle (SDL), 1.0)
  • Before coding or acquisition work begins, system designs should be reviewed by an Information Security specialist (e.g., to check that security architecture principles have been applied). (CF.18.02.07c, The Standard of Good Practice for Information Security)
  • Before coding or acquisition work begins, system designs should be reviewed by an Information Security specialist (e.g., to check that security architecture principles have been applied). (CF.18.02.07c, The Standard of Good Practice for Information Security, 2013)
  • Determine whether management uses applications that were developed by following secure development practices and that meet a prudent level of security. Determine whether management develops security control requirements for applications, whether they are developed in-house or externally. Determine w… (App A Objective 6.27, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should use applications that have been developed following secure development practices and that meet a prudent level of security. Management should develop security control requirements for all applications, whether the institution acquires or develops them. Information security personne… (II.C.17 Application Security, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization defines and documents information security roles and responsibilities throughout the system development life cycle. (SA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies individuals having information security roles and responsibilities. (SA-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization defines and documents information security roles and responsibilities throughout the system development life cycle. (SA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies individuals having information security roles and responsibilities. (SA-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization defines and documents information security roles and responsibilities throughout the system development life cycle. (SA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies individuals having information security roles and responsibilities. (SA-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization defines and documents information security roles and responsibilities throughout the system development life cycle. (SA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies individuals having information security roles and responsibilities. (SA-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)