Policy Reference

Category Application Design and Development
Approval Date  
Scope All Personnel

 


Purpose

Testing new applications and upgrades prior to implementation is  an integral part in producing a stable application environment.   During testing, however, standard practices should be followed to limit any risk to the production environment.


Policy

  1. ITS will work with department personnel to translate business requirements into a high-level design specification for software development and software configuration, taking into account the City's technological directions and information architecture.
  2. Departments must coordinate the implementation of upgrades and migrations to existing applications with ITS.
    1. All version upgrades and major configuration changes must be evaluated to ensure security policies and standards are maintained.
    2.  
  3. ITS will develop all software, applications, and databases based on secure coding and privacy guidelines.
  4. ITS  will establish a separate test environment for testing of new or major upgrades to applications and systems.
  5. ITS  will ensure that the test and development environments are separate from each other, with access control in place to enforce that separation.
  6. ITS  will work with department personnel to ensure that custom applications and software configurations have been reviewed for security and privacy purposes prior to the release of the system to production.
  7. ITS and department personnel will ensure that all test data, accounts, usernames, and passwords are removed prior to the release of the system to production.

Compliance

  1. The organization must use PCI DSS requirements and industry best practices when developing new software and ensure information security is incorporated throughout the software lifecycle.
    Verify the lifecycle documentation ensures that security is included throughout the lifecycle of the development process.   § 6.3.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2
  2. The initial system security plan developed at the start of the system development process should include the development, documentation, and deployment of media sanitization controls.   § 4.1, Guidelines for Media Sanitization, NIST Special Publication 800-88, September, 2006  
  3. The organization should develop a formal systems development lifecycle methodology for the development, acquisition, implementation, and maintenance of the system and components. ¶ .17 § 3.8, ¶ .20 § 3.11, ¶ .24 § 3.12, ¶ .29 § 3.11, AICPA Suitable Trust Services Principles and Criteria
  4. The development and production environments should be separated. § 5.1.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1