11.1 Information security requirements analysis and specification
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
11.2 Securing application services on public networks
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
11.3 Protecting application services transactions
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
11.4 Secure development policy
Rules for the development of software and systems shall be established and applied to developments within the organization.
11.5 System change and control procedures
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
11.6 Technical review of applications after operating platform changes
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
11.7 Restrictions on changes to software packages
Modifications to software packages shall be discouraged and limited to necessary changes, and all changes should be strictly controlled.
11.8 Secure system engineering principles
Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.
11.9 Secure development environment
Ocorian shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
11.10 Outsourced development
Ocorian shall supervise and monitor the activity of outsourced system development.
11.11 System security testing
Testing of security functionality shall be carried out during development.
11.12 System acceptance testing
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
11.13 Protection of test data
Test data shall be selected carefully, protected and controlled.