Secure Systems Development Standards.docx

  • 7/30/2019 Secure Systems Development Standards.docx

    Department of Environmental Protection

    STD-09061813.1.0 Page 1 of 16

    Application Security Requirements

    Purpose

    This document provides developers, security managers and product evaluators the minimum security requirements that all applications deployed in the DEP enterprise environment must comply with.

    Scope

    An application is defined as system- or network-level routines and programs designed by (and for) system users and customers that support specific business-oriented processes, jobs, or functions. An application can be general in nature or specifically tailored to a single or limited number of functions.

    This standard applies to all applications deployed in the DEP enterprise environment, whether developed internally or by external vendors. This standard also applies to commercial off-the-shelf software products.

    Deviation from Use

    Any deviation from this standard shall be documented in associated project and contract documentation. For contracts, deviation from standard shall be documented and approved by the DEP contract manager. For non-contract work, deviation from use shall be documented in the project plan/scope of work and approved by the project manager.

    Appendix

    Checklist: Security Requirements for Applications

    Approved by R. John Willmott, CIO __________6/18/09_____________

    Approval Date

    Appendix

    Security Requirements Checklist

    Page 3 of 16

    Checklist: Security Requirements for Applications

    Instructions: Complete the following checklist and submit to the DEP Information Security Manager for review and approval before deploying any application in the DEP enterprise application environment. Indicate if the application under evaluation meets, performs or complies with the intent of the given policy by stating Yes, No, or NA for each listed policy or statement. Attach comments to clarify statements as needed.

    Vendor Product or DEP application name: _______________________________________________________

    Checklist columns (shown below as labelled fields for each entry): Policy Source; Security Category; Policy Statement; Specific Requirements; Question to Pose Developer; Yes/No/NA.

    Policy Source: DEP 390
    Security Category: Access Control
    Policy Statement: Access to data files and programs will be limited to those individuals authorized to view, process, or maintain particular systems. The principles of least access, separation of functions, and need to know will be applied in the determination of user authorizations. A user will be allowed to manipulate data only in constrained ways, which are designed to preserve or ensure the integrity of the data and the process. For tasks that are susceptible to fraudulent activities or other unauthorized activity, owners will ensure adequate separation of functions for controlled execution. Evidence, such as signatures, will be required to show individual accountability for transaction origination, authorization, and approval for financial, critical or sensitive information.
    Specific Requirements: Each user of an information resource that can be accessed by multiple users will be assigned a unique user identification code or username and password. Exceptions are authorized for: public users of information resources or group users where such access is authorized; situations where risk analysis demonstrates no need for individual accountability of users.
    Question to Pose Developer: Are unique identification codes and passwords provided by the multi-user application or system, such that only authorized users have access? For financial or other applications that may be susceptible to fraudulent activities, is there adequate separation of functions to ensure controlled execution? Are audit logs created by the application or system to ensure transactions are date/time stamped along with who made the transaction?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Access Control
    Policy Statement: User identification will be authenticated before the system grants the user access to information available through that system.
    Question to Pose Developer: Are user IDs and passwords used to authenticate authorized users before access to the appropriate level of access?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Transaction Controls
    Policy Statement: If transaction controls are required, the user identification code will be traceable to the user for the lifetime of the records and reports in which they appear.
    Question to Pose Developer: For financial or other applications that may be susceptible to fraudulent activities, is there adequate separation of functions to ensure controlled execution? Are audit logs created by the application or system to ensure transactions are date/time stamped along with who made the transaction?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Software and Proprietary Code Control
    Policy Statement: Contracts for programming work by outside personnel will indicate ownership of all rights to the software and associated documentation. Contracts with vendors of licensed or proprietary software will clearly define the limits of use of the software.
    Question to Pose Developer: During the initial application needs phase, has it been determined who will own the finished application? Is it documented?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Confidentiality
    Policy Statement: Information exempted from Government-in-the-Sunshine or Public Records Laws should be kept confidential using appropriate security measures including in part: passwords, permissions, access/user IDs, transaction controls, firewalls, and encryption; avoiding the transmission of confidential information via IT Resources, unless encrypted.
    Specific Requirements: Data which is exempted from disclosure under the Freedom of Information Act (Public Law 93-502) or whose disclosure is forbidden by the Privacy Act (Public Law 93-579) will not be transmitted over the Internet unless encrypted (Florida Statutes 815 and 119.07). Note: Logon IDs and passwords are classified as sensitive information as per the Data Security Policy (STO-2002-85-9). No state computer or subnet that is accessible via the Internet shall store private or sensitive information without the use of firewalls or some other means to protect the information.
    Question to Pose Developer: Will the application create, store, transmit, or present confidential or sensitive data? If so, what means will be used to prevent unauthorized access? How will it be transmitted securely? How will it be stored securely?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Confidentiality
    Policy Statement: A sufficient history of transactions will be maintained for each session involving access to critical or confidential information to permit an audit of the system by tracing the activities of individuals through the system.
    Specific Requirements: In addition to system start-up and shutdown times, transaction history journals for critical or confidential information should log the following at a minimum: update transactions; date and time of activity; user identification; sign-on and sign-off activity; and confidential display transactions.
    Question to Pose Developer: How will application transactions be recorded/logged to permit auditing? When will these transactions be made available or readable by authorized staff?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Password Control
    Policy Statement: Passwords must never be unencrypted when electronically stored or if e-mailed; never clear text.
    Question to Pose Developer: Does the application generate passwords or otherwise store them in a database or file? If so, are they encrypted? Are they transmitted encrypted?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Password Control
    Policy Statement: Strong passwords will be used and shall have these minimum characteristics: have a length of 7 or more alphanumeric characters for Windows-based systems, 8 or more for Unix-based systems; contain both upper and lower case characters (e.g. a-z, A-Z); have digits and punctuation characters as well as letters (e.g. 0-9, !@#$%^&*(){}[]:;?,./); are not words in any language, slang, dialect, or jargon.
    Question to Pose Developer: Does the application requiring a password use a system or method that ensures a minimum strong password is required by the user?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Password Control
    Policy Statement: All user-level passwords (e.g., email, desktop computer, etc.) must be changed at least every 90 days.
    Specific Requirements: *May only apply at user level, not application level.
    Question to Pose Developer: Does the application expire passwords within 90 days or use a system whereby users must change passwords within this period?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Password Control
    Policy Statement: Passwords shall be treated as sensitive confidential information and shall not be shared with anyone.
    Question to Pose Developer: Are passwords handled as sensitive confidential information by encrypting during collection, storage, or transmission?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Password Control
    Policy Statement: Passwords must not be stored in readable format on any system.
    Question to Pose Developer: Are passwords stored encrypted?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Password Control
    Policy Statement: Application developers must ensure their programs contain the following security precautions: 1) should support authentication of individual users, not groups; 2) should not store passwords in clear text or in any easily reversible form; 3) should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
    Question to Pose Developer: Does the application allow role management to ensure authorized staff can obtain access without knowing the other's password for the purpose of data recovery or system maintenance? Does the application ensure that authentication is at the user level, not group level, to ensure accountability by user?
    Yes/No/NA: ____
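    As an added example (not part of the original checklist), the following Python shows how an application could enforce the Password Control entries above: the strong-password characteristics (platform-specific minimum length, mixed case, digit and punctuation, no dictionary words), the 90-day change period, and storage in a salted one-way form that is neither readable nor easily reversible (here PBKDF2-HMAC-SHA256). The word list, iteration count and verifier format are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Minimum length by platform, from the checklist: 7 for Windows-based, 8 for Unix-based systems.
MIN_LENGTH = {"windows": 7, "unix": 8}
PUNCTUATION = set("!@#$%^&*(){}[]:;?,./")
# Constructed stand-in for a real dictionary/slang/jargon word list (assumption, not from the document).
WORD_LIST = {"password", "welcome", "florida", "summer", "admin", "letmein"}


def check_password_policy(password, platform, word_list=WORD_LIST):
    """Return the checklist characteristics the password fails; an empty list means it is compliant."""
    failures = []
    if len(password) < MIN_LENGTH[platform]:
        failures.append("length below %d for %s" % (MIN_LENGTH[platform], platform))
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("needs both upper and lower case")
    if not any(c.isdigit() for c in password):
        failures.append("needs a digit")
    if not any(c in PUNCTUATION for c in password):
        failures.append("needs a punctuation character")
    # Compare the letters only, so 'Password1!' is still recognised as a dictionary word.
    letters = "".join(c for c in password if c.isalpha()).lower()
    if letters in word_list:
        failures.append("is a dictionary word")
    return failures


def make_verifier(password, iterations=600_000):
    """Store a salted one-way PBKDF2-HMAC-SHA256 verifier: not readable and not reversible (item 2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, verifier):
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = verifier.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_expired(last_changed, today, max_age_days=90):
    """Policy: user-level passwords change at least every 90 days; expired once that age is exceeded."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for pw in ("Tallahassee2009!", "Password1!", "abcdefgh"):
        print(pw, check_password_policy(pw, "unix") or "compliant")
    v = make_verifier("Tallahassee2009!")
    print(v, verify_password("Tallahassee2009!", v))
    print(password_expired(date(2009, 6, 18), date(2009, 9, 17)))
```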

    Policy Source: DEP 390
    Security Category: Data Integrity
    Policy Statement: Controls will be established to ensure the accuracy and completeness of data. User management will ensure data comes from the appropriate source for the intended use.
    Specific Requirements: The owner will establish controls commensurate with the value of information being maintained in the system. Examples of controls are: parity checks; control totals; selected field verification; time stamps and sequence numbering; reconciling data submitted against data processed and returned; a batch log of data submitted for processing; and encryption of stored data.
    Question to Pose Developer: Are controls established to ensure the integrity of data entered by authorized users is obtained, transmitted, and stored?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Transaction Controls
    Policy Statement: Owners will establish transaction controls commensurate with the value of information being maintained in the system.
    Specific Requirements: Examples of controls are: design, implementation, operation, maintenance and use of the system acting as a check upon each other; access rights to data and programs based on specific job requirements of users as well as data processing organizations; separation of responsibilities to prevent a single individual from violating the protection mechanisms of the system; not allowing information processing personnel to originate or authenticate transactions; separate responsibilities for development, testing, and maintenance; and restricting programmers and analysts from having unlimited access to programs and data files used for production runs.
    Question to Pose Developer: What transaction controls are in place to ensure information is controlled commensurate with its value? If related to financial data, are transactions recorded, along with the user identification, in order to track responsibility for each transaction?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Testing
    Policy Statement: The test environment will be kept either physically or logically separate from the production environment. Copies of production data will not be used for testing unless the data has been desensitized or unless all personnel involved in testing are otherwise authorized access to the data.
    Question to Pose Developer: Are the application development, testing, and production environments separated?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Testing Controls
    Policy Statement: All program changes will be approved before implementation to determine whether they have been authorized, tested, and documented.
    Question to Pose Developer: Are change management processes established to ensure program changes are tested and approved before production?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: General Application Security
    Policy Statement: Network access to an application containing critical or confidential data, and data sharing between applications, will be as authorized by the application owners and will require user authentication validation. The owner of applications containing non-critical or non-confidential data will likewise establish criteria for access and user validation, particularly on systems authorized for public use.
    Question to Pose Developer: Are only authorized users allowed access, through proper validation, to the application containing critical or confidential data?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Encryption
    Policy Statement: While in transit, information which is confidential, or information which in and of itself is sufficient to authorize disbursement of state funds, will be encrypted if sending stations, receiving stations, terminals, and relay points are not all under positive state control, or if any are operated by or accessible to personnel who have not been authorized access to the information, except under the following conditions: the requirement to transfer such information has been validated and cannot be satisfied with information which has been desensitized; the Department Head has documented his acceptance of the risks of not encrypting the information based on evaluation of a risk analysis which weighs the costs of encryption against exposures.
    Specific Requirements: Compliance with the STO Encryption Policy is mandatory for all agencies. DEP must determine if it has data which requires the protection dictated here. The need for encryption will be determined based on risk analysis.
    Question to Pose Developer: Does the application involve the collection, transmission, or storage of confidential information or state fund disbursement data? If so, is the data encrypted such that only authorized users are allowed access?
    Yes/No/NA: ____

    Policy Source: Best Practice
    Security Category: Encryption
    Policy Statement: Activities that store or transmit sensitive information may require encryption to ensure that the information remains confidential. These activities might be part of a mainframe client/server application, sending information via the Internet, or the protection of an individual's e-mail and personal files at the desktop.
    Question to Pose Developer: If the application will handle confidential/sensitive information, are there provisions to ensure the information is first encrypted?
    Yes/No/NA: ____

    Policy Source: Best Practice
    Security Category: Encryption
    Policy Statement: Encrypt information placed on an external public network (e.g. Internet) if confidential or sensitive, or required by Federal regulations on consumer privacy. The same applies for Intranets when information should not be viewed by the general computer user.
    Specific Requirements: Examples of such information are HR data, health-related data on individuals, audit trails/logs, security event data, passwords, etc.
    Question to Pose Developer: If the application contains or presents confidential information, is it encrypted to ensure only authorized users can access it?
    Yes/No/NA: ____

    Policy Source: Best Practice
    Security Category: Encryption
    Policy Statement: An individual user must use approved encryption products and processes for sending encrypted mail, protecting desktop files, etc.
    Specific Requirements: May apply to application development?
    Question to Pose Developer: If encryption is required, do the methods and tools used for encryption follow the established standards?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Data Backup
    Policy Statement: Data and software essential to the continued operation of critical agency functions will be backed up. The security controls over the backup resources will be as stringent as the protection required of the primary resources.
    Specific Requirements: The information owner will determine what information must be backed up, in what form, and how often, in consultation with BIS.
    Question to Pose Developer: Are backup procedures and schedules incorporated into the planning, based on the value of the information?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Disaster Recovery / Business Resumption
    Policy Statement: All critical information resource functions crucial to the continuity of governmental operations should have written and cost-effective disaster recovery plans to provide for the prompt and effective recovery of these critical functions after a disaster has occurred.
    Specific Requirements: A backup recovery plan for each application should exist as part of the agency's overall COOP business recovery plan.
    Question to Pose Developer: Are backup tapes scheduled and recovery plans drafted specific to the needs of the application, such that it could be fully recovered and brought back into production?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Hardware System Acquisitions
    Policy Statement: The owner will establish appropriate information security controls for new hardware systems. Each phase of systems acquisition will incorporate corresponding development or assurances of security and appropriate controls relating to security, development and documentation.
    Question to Pose Developer: If new hardware systems are bought to support the application, are all security configurations set and adequate on the system, to ensure hosted applications are not compromised?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Application Development
    Policy Statement: Computer security needs must be addressed as part of the Information Systems Development Methodology (ISDM) when developing new or making modifications to existing applications if the system or data affected by these applications must be protected from accidental or malicious access, use, modification, destruction, or disclosure.
    Question to Pose Developer: Is application security addressed throughout the ISDM process?
    Reference: http://depnet/bisnet/applications/docs/isdm2.pdf
    Yes/No/NA: ____

    Policy Source: Best Practice
    Security Category: Data Content
    Policy Statement: Ensuring the privacy, confidentiality, security, and integrity of the data to the satisfaction of the audience and legal authorities.
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Virus Protection
    Policy Statement: Systems designed to hold applications or other services must have virus protection.
    Specific Requirements: When new development requires services and other computer hardware, the owner must ensure virus protection is applied and maintained on the hosting system.
    Question to Pose Developer: Does the application host have virus protection?
    Yes/No/NA: ____

    Policy Source: DEP 390
    Security Category: Security Training
    Policy Statement: Personnel responsible for information technology resources must be aware of the Information Security policies and must be knowledgeable about effective security practices for the technical environment under their control.
    Specific Requirements: Application users must be knowledgeable of their security responsibilities, based on the level of access given, etc.
    Question to Pose Developer: Are application users trained on their security responsibilities as they relate to the use of the application?
    Yes/No/NA: ____

    Policy Source: Best Practices
    Security Category: Audit Features
    Policy Statement: Audit features are enabled.
    Specific Requirements: Related to applications. The audit log captures the following: repeated failed login attempts, unusual processes run by users, unauthorized attempts to access restricted files, processes that are run at unexpected times, processes that terminate prematurely, unusual processes, unexpected shutdowns, and unexpected reboots.
    Yes/No/NA: ____

    Policy Source: Best Practices
    Security Category: Administrator Accounts
    Policy Statement: The administrator's account is locked out after 3 bad logon attempts.
    Specific Requirements: An application has an administrator account. Those accounts should lock out after 5 failed logins, to prevent brute force attempts to obtain access.
    Question to Pose Developer: Do applications limit admin accounts to five failed logins?
    Yes/No/NA: ____

    Policy Source: Best Practices
    Security Category: User Accounts
    Policy Statement: The user is locked out after 3 bad logon attempts.
    Question to Pose Developer: Do applications that require access control limit a user's failed attempts to 3 and lock out?
    Yes/No/NA: ____
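    As an added example (not part of the original checklist), the following Python replays a constructed application audit log against the lockout thresholds stated in the Specific Requirements above, 3 failed logons for a user account and 5 for an administrator account, and reports the accounts whose repeated failed login attempts the Audit Features entry says must be captured. Account names, timestamps and the log line format are assumptions.

```python
from collections import OrderedDict

# Lockout thresholds from the checklist's Specific Requirements: 3 failed logons for a
# user account, 5 for an administrator account.
LOCKOUT_THRESHOLD = {"user": 3, "admin": 5}

# Constructed sample audit log (not from the original document). Each line:
# timestamp, account, account type, result.
SAMPLE_LOG = """\
2009-06-18T08:00:01 jsmith user LOGIN_FAILED
2009-06-18T08:00:09 jsmith user LOGIN_FAILED
2009-06-18T08:00:15 jsmith user LOGIN_FAILED
2009-06-18T08:00:20 jsmith user LOGIN_OK
2009-06-18T08:01:00 depadmin admin LOGIN_FAILED
2009-06-18T08:01:05 depadmin admin LOGIN_FAILED
2009-06-18T08:01:09 depadmin admin LOGIN_FAILED
2009-06-18T08:01:30 depadmin admin LOGIN_OK
2009-06-18T08:02:00 mjones user LOGIN_FAILED
2009-06-18T08:02:30 mjones user LOGIN_OK
"""


def parse_line(line):
    """Split one audit line into its four fields; raise ValueError on a malformed line."""
    timestamp, account, kind, result = line.split()
    if kind not in LOCKOUT_THRESHOLD or result not in ("LOGIN_OK", "LOGIN_FAILED"):
        raise ValueError("unrecognised audit line: %r" % line)
    return timestamp, account, kind, result


def replay_logons(log_text):
    """Replay the log and return per-account state: consecutive failures, lockout time,
    and attempts rejected after lockout (a correct password must not clear the lock)."""
    accounts = OrderedDict()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, result = parse_line(line)
        st = accounts.setdefault(account, {"kind": kind, "failures": 0,
                                            "locked_at": None, "rejected_after_lock": 0})
        if st["locked_at"] is not None:
            st["rejected_after_lock"] += 1   # locked: reject regardless of credentials
            continue
        if result == "LOGIN_FAILED":
            st["failures"] += 1
            if st["failures"] >= LOCKOUT_THRESHOLD[kind]:
                st["locked_at"] = ts          # threshold reached: lock the account
        else:
            st["failures"] = 0                # successful logon resets the counter
    return accounts


def locked_accounts(accounts):
    """Accounts to report as 'repeated failed login attempts' in the audit log."""
    return [name for name, st in accounts.items() if st["locked_at"] is not None]


if __name__ == "__main__":
    state = replay_logons(SAMPLE_LOG)
    for name, st in state.items():
        print(name, st)
    print("locked:", locked_accounts(state))
```

    In the sample, jsmith reaches the user threshold and the later correct logon is rejected, while depadmin stays under the five-failure administrator threshold and is reset by the successful logon.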

    Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.

    Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

    Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.

    Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to deny all unless specifically allowed.