Implement security controls during the system implementation integration process.


CONTROL ID
11556
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle implementation phase. (CC ID: 06268)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The project life cycle methodology should define clearly the roles and responsibilities for the project team and the deliverables from each phase. It also needs to contain a process to ensure that appropriate security requirements are identified when formulating business requirements, built during p… (4.2.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • A licensed or registered person should grant remote access to its internal network on a need-to-have basis and implement security controls over such access. (2.3. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • System owners implement identified security controls within each system and its operating environment. (Security Control: 1635; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers. (Security Control: 1424; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Recognized security processes and controls shall be implemented during the integration process of the authentication element. (§ 4.3.3.1 Security Policy, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • The governing body should monitor the types of decision and output generated by automated systems and direct management to ensure that such systems are configured to operate within acceptable bounds by implementing appropriate controls. Such controls should provide the governing body with appropriat… (§ 6.3 ¶ 4, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Safety. Where the use of an AI system carries a significant risk of physical or emotional harm, the organization should be especially alert to the nature and consequences of that harm. Where necessary, the organization should put in place appropriate systems for the ongoing management of safety as w… (§ 6.7.3 ¶ 1 Bullet 4, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Mission Owners must address defense-in-depth security / protective measures across all information impact levels when implementing systems/applications on IaaS / PaaS which include, but are not limited to, the following: (Section 5.10.6 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Implement Host Based Security System (HBSS) IAW DoD policy. (Section 5.10.6 ¶ 1 Bullet 12, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Including information security risks when developing, implementing, or updating products. (App A Objective 12:8 d., FFIEC Information Technology Examination Handbook - Management, November 2015)