System Development and Maintenance
This section contains the following sub-sections:

10.1 Security requirements of systems - security requirements should be analyzed, fully identified and agreed at the earliest stage of the systems development process.

10.2 Security in application systems - data entry, processing and output validation controls and message authentication should be included as appropriate (according to risk).

10.3 Cryptographic controls - a cryptography policy should be defined, covering roles and responsibilities, digital signatures, non-repudiation, and the management of keys and digital certificates.

10.4 Security of system files - access to system files (both executable and source code) and test data should be controlled.

10.5 Security in development and support processes - application system managers should be responsible for controlling application system access and changes, including system patches. Vendor-supplied applications should ideally not be modified. Checks should be made for covert channels and Trojans where these are a concern. A number of controls are outlined for outsourced development.
