4.3 Secure Development Policy
Purpose and Scope
The purpose of this document is to define basic rules for secure development of software and systems.
This document is applied to the development and maintenance of all services, architecture, software and systems that make up Sord's product(s)/service(s).
Users of this document are all employees and applicable contractors who work on development and maintenance at Sord.
Secure Development and Maintenance
Securing the Development Environment
Access to the development environment is restricted to authorized employees via logical access control. Development, testing, and production environments are logically separated from one another, and access to each environment is controlled and enforced independently.
Secure Engineering Principles
Jonathan Gautsch issues procedures for secure information system engineering, both for the development of new systems and for the maintenance of existing systems, and sets the minimum security standards with which they must comply.
The same secure engineering principles are applied to outsourced development.
Security Requirements
When acquiring new information systems or developing or changing existing ones, the appropriate project team must document the applicable security requirements.
Security Requirements Related to Public Networks
Jonathan Gautsch is responsible for defining security controls related to information in application services passing over public networks:
the description of authentication systems to be used
the description of how confidentiality and integrity of information is to be ensured
the description of how non-repudiation of actions will be ensured
Jonathan Gautsch is responsible for defining controls for online transactions, which must include the following:
how misrouting will be prevented
how incomplete data transmission will be prevented
how unauthorized message alteration will be prevented
how unauthorized message duplication will be prevented
how unauthorized data disclosure will be prevented
Checking and Testing the Implementation of Security Requirements
Jonathan Gautsch is responsible for defining the methodology, responsibilities and the timing of checking whether all specified security requirements have been met, and whether the system is acceptable for production.
Repository and Version Control
Sord uses version control tools to track and manage code development, testing, and merges into production branches. Access to these tools is granted only to employees with a business need, based on the principle of least privilege.
Change Control
Changes in the development and during the maintenance of the systems must be done according to the Change Management Policy.
Protection of Test Data
Confidential and restricted data, as well as data that can be related to individual persons, must not be used as test data. Exceptions may be approved only by Jonathan Gautsch, who in that case must define how such test data are protected.
Required Security Training
Jonathan Gautsch defines the level of security skills and knowledge required for the development process. All engineers must review the OWASP Top 10 as defined in the Change Management Policy.
Exceptions
Sord business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.
Enforcement
Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.
Any person who is asked to undertake an activity that he or she believes violates this policy must report it, in writing or verbally, to his or her manager or to any other Sord manager as soon as possible.
The disciplinary process should also serve as a deterrent, discouraging employees and contractors from violating organizational security policies and procedures or causing any other security breach.
Responsibility, Review, and Audit
At least annually, Sord reviews and updates its security policies and plans to maintain its organizational security objectives and meet regulatory requirements. The results are shared with the appropriate parties internally, and findings are tracked to resolution. Any changes are communicated across the organization.
This document is maintained by Jonathan Gautsch.
This document was last updated on 03/27/2024.