System Acquisition Development and Maintenance. 9.1. Within the software development lifecycle, production data will not be used in testing. In the event that testing requires the use of production data, then the express permission of the Controller will first be obtained.
System Acquisition Development and Maintenance. 9.1 The Supplier shall ensure that development activities are carried out in accordance with a documented system development methodology.
9.2 The Supplier shall maintain segregation of the Supplier’s development and test environments to reduce the risks of unauthorised access or changes to the operational system.
9.3 The Supplier shall ensure that information security and secure coding standards for the system under development shall be followed when designing the system.
9.4 The Supplier shall ensure that all system requirements (including functional and technical specifications and information security requirements) shall be documented and agreed before detailed design commences.
9.5 The Supplier shall ensure that quality assurance of key information security activities is performed during the development lifecycle.
9.6 The Supplier shall ensure that system build activities shall be carried out in accordance with Good Industry Practice, performed by individuals with the relevant skills and provided with the relevant tools. The Supplier shall inspect all system build activities to identify unauthorised modifications or changes which may compromise security controls.
9.7 The Supplier shall ensure that all elements of the Supplier Systems are tested at all stages of the software development lifecycle before the system is promoted to the live environment.
9.8 The Supplier shall undertake post-implementation reviews for all major changes.
9.9 The Supplier shall ensure that segregation of duties is in place for system development, including ensuring that system developers do not have access to the live environment, unless in an emergency. Such activities in these circumstances shall be logged and subject to independent review.
System Acquisition Development and Maintenance. 9.1. Security requirements of information systems
System Acquisition Development and Maintenance i. Security Requirements. Cisco shall adopt security requirements for the purchase, use, or development of information systems, including for application services delivered through public networks.
System Acquisition Development and Maintenance. ● Processor has policies for secure development, system engineering and support. Processor conducts appropriate tests for system security as part of acceptance testing processes.
System Acquisition Development and Maintenance. Supplier shall: (i) use separate physical and logical development/test and production environments and databases; (ii) maintain written change management and secure application/system development procedures, including procedures to manage software on the network so that only authorized software is installed and can execute; (iii) maintain tools or services to identify malicious programming and code, including unauthorized or unmanaged software; and (iv) manage the security life-cycle of software to timely prevent, detect, and remediate security vulnerabilities.
System Acquisition Development and Maintenance. Establishes security requirements for the procurement and deployment of technology solutions, as well as the requirements for internal development and support processes.
System Acquisition Development and Maintenance. Fidelity will maintain a secure development methodology that incorporates security throughout the development lifecycle, including application development policies, security training of application developers, and secure code reviews and penetration tests of externally facing web applications (i.e., NetBenefits® and Plan Sponsor Webstation®). Fidelity will do the following as part of its system acquisition, development and maintenance processes:
a. develop and configure applications and databases in a manner which is designed to protect the confidentiality, integrity and availability of data;
b. develop web applications in accordance with security best practices (e.g., OWASP Top Ten), and take reasonable steps to verify that web applications are configured to protect against the OWASP Top Ten vulnerabilities;
c. implement separate environments for production, development, and test;
d. conduct secure code reviews, including open source reviews, and penetration testing of NetBenefits and Plan Sponsor Webstation® or equivalent, using automated scanning tools and manual analysis, on at least an annual basis. Fidelity will ensure that identified vulnerabilities are remediated in accordance with documented policies that prioritize remediation based on risk; and
e. manage source code in accordance with documented procedures that restrict access and verify the integrity of code prior to deployment.
System Acquisition Development and Maintenance. If Supplier develops software for use by Canary and/or Canary clients or for use in Processing Personal Information, Supplier must adhere to industry best practices and standards for Secure Software Development Lifecycle (SSDLC), including all of, but not limited to, the following techniques:
a. Consistently executed secure code reviews and testing either through manual peer review or via a code scanning solution;
b. Leveraging security guidelines from one or all of the following industry best practices and standards – OWASP Top 10, SANS Top 25 and Cloud Security Alliance;
c. Protection of test data and content and removal of test data and content before deployment to production;
d. System acceptance testing; and
e. System change control and approvals before deployment to production.
System Acquisition Development and Maintenance. NTT has a Security Architecture and Design Policy and supporting standards and procedures to ensure that security by design principles are applied within the software development life-cycle.