2 Systems development and maintenance in ITIL

ITIL2 Systems development and maintenance in ITIL

Eindhoven ¥ +31 40 246 02 20 E-mail: info@imf-online.com E-mail:mikmurphy@deloitte.nl Lesson VIII: Systems Development and Maintenance TABLE OF CONTENTS LESSON VIII SYSTEMS DEVELOPMENT AND MAINTENANCE 1. Introduction …………………………………………………………………………….. 4 1.1 Systems development and maintenance in ISO/IEC 17799…………… 4 1.2 Systems development and maintenance in ITIL ………………………….. 4 1.3 Application management in ITIL ……………………………………………….. 5 1.4 Security organisation and application management …………………….. 8 Systems development and maintenance ……………………………………. 9 2.1 Section 10.1: security requirements of systems ……………………………. 9 2.1.1 Subsection 10.1: security requirements analysis and specification …………………………………………………………………………….. 9 2.2 Section 10.2: security in application systems …………………………….. 11 2.2.1 Subsection 10.2.1: input data validation …………………………. 12 2.2.2 Subsection 10.2.2: control of internal processing ……………. 14 2.2.3 Subsection 10.2.3: message authentication……………………… 17 2.2.4 Subsection 10.2.4: output data validation ……………………….. 18 2.3 Section 10.3: cryptographic controls…………………………………………. 19 2.3.1 Subsection 10.3.1: policy on the use of cryptographic controls ……………………………………………………………………….. 19 2.3.2 Subsection 10.3.2: encryption ……………………………………….. 21 2.3.3 Subsection 10.3.3: digital signatures ………………………………. 22 2.3.4 Subsection 10.3.4: non-repudiation services …………………… 24 2.3.5 Subsection 10.3.5: key management ………………………………. 24 2.4 Section 10.4: security of system files ………………………………………… 29 2.4.1 Subsection 10.4.1: control of operational software ………….. 30 2.4.2 Subsection 10.4.2: protection of system test data ……………. 32 2.4.3 Subsection 10.4.3: Access control to program source library………………………………………………………………………….. 33 2.5 Section 10.5: security in development and support processes ……. 36 2.5.1 Subsection 10.5.1: change control procedures ………………… 36 2. 40312 © International Management Forum 2004 – VIII – 2 – Lesson VIII: Systems Development and Maintenance 2.5.2 2.5.3 2.5.4 2.5.5 3. Subsection 10.5.2: technical review of operating system changes ……………………………………………………………………….. 39 Subsection 10.5.3: restrictions on changes to software packages ……………………………………………………………………… 41 Subsection 10.5.4: covert channels and trojan code ………… 42 Subsection 10.5.5: outsourced software development ……… 44 — – VIII – 3 – Lesson VIII: Systems Development and Maintenance 3. Security practice guidelines for application management We now turn our attention to some good practices organisations should consider in order to ensure that their development and maintenance process protects IT security. 3.1 Threats Threats are dynamic.

Changes in the political, economic, and technical environment can change the likelihood of business damage arising from a specific risk.organisations need to monitor these environments to ensure that their assessment of each risk remains accurate, and at each increased change in threat level, or new threat, review the adequacy of the controls that manage the risk.

This requires a link between the strategic risk management process and application management.

For organisations that implement ITIL change management, this link will feed into the change advisory board.

They have the authority to mandate any analysis work that may be necessary, and the seniority to sway the budget holders if the results indicate the need for remedial work. 3.2 Development management It is surprising how many organisations fail to manage their systems development and maintenance activities adequately.

This lesson addresses only ICT security management, and we therefore consider only those management activities that affect security management.

One individual should have overall responsibility for all development and maintenance activities.

All projects should have a ‘business owner’, who can represent the business processes for whom the projects are being conducted. 40312 © International Management Forum 2004 – VIII – 4 – Lesson VIII: Systems Development and Maintenance Individuals who have responsibility for key tasks (such as defining requirements, testing, and implementation) should have the necessary technical skills and training.

Management should promote awareness of security, and equip development and maintenance staff with adequate tools to perform their security related duties.

Development staff should have no involvement in the operational running of live computers and networks.

It is better for organisations to rely on standard development techniques and technologies than on gifted individuals whose loyalty they may not be able to guarantee.

All development and maintenance projects should start with a risk assessment, and should manage the risks throughout the life of the project.

They should hand their risk assessment over to an operational risk management process when applications go live. 3.3 Development methodology Organisations need to use a documented systems development methodology to ensure that systems under development capture all business requirements including those of information security.

The development methodology must require all users to consider security at key stages of development, namely requirements definition, testing, and implementation.

There should be a security architect whose job it is to keep the development methodology in step with developments in security design and implementation.

Management should verify that development staff have adequate training in the use of the methodology.

Feedback from compliance verification should be able to trigger remedial training.

Management should enforce the methodology by audits of work products.

These really have to be part of the acceptance process for work products to have any value.

There is no value in rejecting the specification when it has already been implemented in code and tested.

Recently, the UK’s National

Read more about 2 Systems development and maintenance in ITIL :

Accredited ITIL Foundation, Intermediate and Expert Certifications

Accredited ITIL Foundation, Intermediate and Expert Certifications, Learn more about ITIL HERE:

ITIL and 2 Systems development and maintenance in ITIL
ITIL - 2 Systems development and maintenance in ITIL
ITIL and 2 Systems development and maintenance in ITIL
ITIL - 2 Systems development and maintenance in ITIL

Recommended For You

Leave a Reply