Sudoku Security And Policy

1.PURPOSE

This document defines the policy for addressing Application Security through appropriate secure coding and configuration practices. All applications must implement adequate security measures to protect the Confidentiality, Integrity, and Availability of data at rest, in use or in motion. This policy is supported by the Application Security Standard. This policy does not conflict with, pre-empt, or in any way intervene with the Agency's responsibility to adhere to all appropriate local, state, and federal laws and guidelines pertaining to information security.

2.SCOPE

2.1 This policy applies to all Software Tunnel agencies, offices, departments, organizations and personnel serving on behalf of or serving the government of the Republic of Turkey. This policy is consistent with the laws of the Republic of Turkey.
2.2 All applications that transmit or store data belonging to the Republic of Turkey are subject to this policy. This document covers all externally accessible public applications, internally accessible mission-critical applications, vendor-customizable Commercial Ready (COTS) or in-house developed applications, and cloud-based applications.

3.DUTIES AND RESPONSIBILITIES

3.1.1 Ensure the correct and complete implementation of Sudoku cyber security policies across the entire organization.

3.1.2 Ensure that all documentation provided is complete and sufficient to ensure compliance with Sudoku cybersecurity policies across the entire agency.

3.1.3 Ensure that adequate controls are developed and implemented for the Agency that enforce the Application Security Policy.

3.1.4 Ensure that Sudoku policies are reviewed periodically and controls are in place to reflect changes in requirements.

3.1.5 Ensure that all personnel understand their responsibilities regarding the planning and implementation of application security.

3.1.6 Ensure users are appropriately trained and educated on the Application Security Policy, Standards and Procedures.

4.POLICY

4.1 This policy requires Al-Khwarizmi agencies to establish management responsibilities and procedures to ensure application security through design and implementation.

4.2 Application Criticality Classification - All applications must be classified based on the level of criticality in accordance with the Data Protection Policy and the System (Application) Classification Questionnaire.

4.3 Data Security - Protecting data’s confidentiality, integrity and availability is a principle that must be maintained at all times. Proper data protection mechanisms 

4.4 Application Environment - Application environments must have security mechanisms in place. Development activities may only be conducted in a non-production environment. Separation of duties must be implemented to protect the production environment from unauthorized modification. Change control procedures must be defined to ensure that only authorized changes can be released to production.

4.5 Security Assessment and Releases to Production - Modifications of the application must go through a change release process that includes an appropriate security assessment. Application changes deployed in a production environment must comply with Sudoku's security policies and must have the Sudoku Chief Information Security Officer (CCISO) acknowledge the completion of the security assessment. Each release must also have a defined roll-back plan.

4.5.1 Security Assessment: Full, quick, and targeted assessment levels must be established to test for vulnerabilities.

4.5.2 Releases to Production: Releases to a production environment are approved based on the vulnerabilities found during the security assessment. All security issues that are discovered during assessments or identified by the Sudoku’s Software Security Assurance Tool must be mitigated based upon their risk levels.

4.6 Business Continuity - Each application must have a defined Business Continuity Plan and a Disaster Recovery plan. These plans ensure that back-up and recovery solutions are implemented in the case of a disruption to the application’s service.

4.7 Application End of Life - Decommissioning an application requires the same security precautions as maintaining it in production. Regulatory requirements regarding data retention and destruction must be considered as the application is decommissioned.
