Data/function/processes
Technical/Information Systems
 System Interfaces
      o Detail what happens when other applications interface (manually or electronically) with
      this application.
      o Document what is received from and what is sent to these other applications.
      o Determine how end-users verify or establish assurances that interfaces are providing
      complete, accurate and authorized data.
 Secure Coding
      o Determine whether secure coding practices are applied during software development, for
      example through secure coding training for developers or use of a certified development
      organization.
 End-Users
      o Evaluate whether user access coincides with assigned responsibility.
      o Determine from end-user management what they perceive to be the risks, exposures
      and limitations associated with the system.
      o Evaluate end-user training to determine whether it is adequate, current and available to new
      staff.
 File Handling
       o Determine the retention periods for the various key application data files.
           - Evaluate if the retention periods satisfy management reporting, IRS reporting, other
               legal and internal accounting requirements.
 Backup and Recovery (RPO/RTO)
      o Identify the key system files and evaluate whether the backup arrangements for them are
      appropriate.
            - Determine how often key files are backed up.
            - Determine if copies of these backup files are stored at a suitable off-site facility.
      o Verify that the off-site backup file storage facilities are secure.
      o Determine if application recovery plans exist (both technical and end-user) for restoring
      from short-term and long-term interruption of computer processing.
      o Verify that these plans address both technical restoration needs and alternative end-
      user processing procedures.
           - Determine if these application recovery plans have been tested.
 Identify All Subsystems
       o Identify all subsystems associated with this application, including middleware and security
       components.
 Data Origin
     o To determine that controls over the preparation, collection, and processing of source
     documents ensure the accuracy, completeness, and timeliness of data before they reach the
     application.
 Data Input
      o To determine that manual and automated controls over data entry (batch or online),
      data validation, error identification and reporting, and error correction and reentry are
      effective to ensure that data are completely and accurately entered into the application.
 Processing
      o To determine that controls over application programs and related computer operations
      ensure the accuracy, completeness, and timeliness of data during batch or real time
      processing.
 Data Output
      o To determine that controls over balancing and reconciliation, distribution of output,
      handling of negotiable documents, and output retention are effective to ensure that output
      is accurate and distributed to authorized personnel on a timely basis.
 Review Change Control
      o Change control as a set of six steps:
            1. Record / Classify
            2. Assess
            3. Plan
            4. Build / Test
            5. Implement
            6. Close / Gain Acceptance
Application Development

ID     Control                                                              Public       Private      Restricted
AS-1   Application development includes reviews for security                Recommended  Recommended  Required
       vulnerabilities throughout the development lifecycle
AS-2   Application change control procedures are documented and followed    Recommended  Recommended  Required
AS-3   Controls are in place to protect the integrity of application code   Recommended  Recommended  Required
AS-4   Application validates and restricts input, allowing only those       Required     Required     Required
       data types that are known to be correct *
AS-5   Application executes proper error handling so that error messages    Required     Required     Required
       do not reveal potentially harmful information to unauthorized
       users (e.g. detailed system information, database structures, etc.)
AS-6   Default and/or vendor-supplied credentials are changed or disabled   Required     Required     Required
       prior to implementation in a staging or production environment
AS-7   Functionality that allows the bypass of security controls is         Required     Required     Required
       removed or disabled prior to implementation in a staging or
       production environment

* Supplemental guidance for this control appears at the end of the section.
Session Management

ID     Control                                               Public                         Private   Restricted
AS-8   Application sessions are uniquely associated with    Recommended for READ access;   Required  Required
       an individual or system                               Required for all other access
AS-9   Session identifiers are generated in a manner that   Required                       Required  Required
       makes them difficult to guess
AS-10  Session identifiers are regenerated on a change in   Required                       Required  Required
       the access profile of a user or system *
AS-11  Active sessions time out after a period of           Recommended                    Required  Required
       inactivity
Vulnerability Management

ID     Control                                                     Public       Private      Restricted
AS-12  Applications are periodically tested for security           Recommended  Recommended  Required
       vulnerabilities (e.g. vulnerability scanning, penetration
       testing, etc.)
AS-13  Application security patches are deployed in a timely       Required     Required     Required
       manner
Application Logging

ID     Control                                        Public                    Private                   Restricted
AS-14  Successful attempts to access an application   Required for privileged   Required for privileged   Required
       are logged                                     access; Recommended for   access; Recommended for
                                                      all other access          all other access
AS-15  Failed attempts to access an application       Required for privileged   Required for privileged   Required
       are logged                                     access; Recommended for   access; Recommended for
                                                      all other access          all other access
AS-16  Attempts to execute an administrative          Recommended               Recommended               Recommended
       command are logged *
AS-17  Changes in access to an application are        Required                  Required                  Required
       logged (e.g. adding, modifying or revoking
       access)
AS-18  Application logs are reviewed on a periodic    Recommended               Recommended               Required
       basis for security events
AS-19  Application logs are protected against         Required                  Required                  Required
       tampering
Supplemental Guidance

AS-4: Input validation plays an important part in application security. For example, if a data entry
field asks for a phone number, the application should validate that the value entered matches a
format such as (###) ###-####. If a data entry field asks for a date, the application should validate
that the value entered matches a format such as MM/DD/YYYY. Validation must be enforced on the
server side; client-side checks are a usability aid that an attacker can bypass. If an application does
not have controls in place to validate input, a malicious user may be able to enter data that results in
unintended consequences, such as application failure or unauthorized access to potentially sensitive
data.
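The following is an added example, not code from the page or from any standard it draws on. It shows allow-list validation of the two field formats named above (AS-4) together with error handling that returns only a generic message and a reference id to the caller while the exception detail goes to the server log (AS-5). The field names, the `backend` callable and the sample inputs are assumptions made for the example.

```python
import logging
import re
import uuid
from datetime import datetime
from typing import Callable

# Allow-list patterns for the two fields named in the guidance. [0-9] rather than \d,
# because \d also matches non-ASCII digits in Python str patterns.
PHONE_RE = re.compile(r"\([0-9]{3}\) [0-9]{3}-[0-9]{4}")
DATE_RE = re.compile(r"[0-9]{2}/[0-9]{2}/[0-9]{4}")

log = logging.getLogger("app")


class ValidationError(ValueError):
    """A field failed allow-list validation."""


def validate_phone(value) -> str:
    # Accept the exact shape only; no stripping of "dangerous" characters (deny-listing),
    # the allow-list is the control. Hypothetical field rule, not from the page.
    if not isinstance(value, str) or not PHONE_RE.fullmatch(value):
        raise ValidationError("phone: expected (###) ###-####")
    return value


def validate_date(value) -> str:
    if not isinstance(value, str) or not DATE_RE.fullmatch(value):
        raise ValidationError("date: expected MM/DD/YYYY")
    # Shape is necessary but not sufficient: 13/45/2024 matches the pattern.
    try:
        datetime.strptime(value, "%m/%d/%Y")
    except ValueError:
        raise ValidationError("date: not a calendar date") from None
    return value


FIELD_VALIDATORS = {"phone": validate_phone, "date": validate_date}


def validate_form(form: dict) -> dict:
    """Return only the known fields, each validated; anything else in the form is dropped."""
    clean = {}
    for name, validator in FIELD_VALIDATORS.items():
        if name not in form:
            raise ValidationError(f"{name}: missing")
        clean[name] = validator(form[name])
    return clean


def handle_request(form: dict, backend: Callable[[dict], dict]) -> dict:
    """Validate, then hand the clean data to `backend` (assumed: the data layer).

    AS-5: the caller gets a generic message and a reference id; the exception detail,
    which may name tables, columns or hosts, is written to the server log only.
    """
    ref = uuid.uuid4().hex[:12]
    try:
        data = validate_form(form)
    except ValidationError as exc:
        # Our own validation messages are safe to return: they state the expected format only.
        log.info("ref=%s rejected input: %s", ref, exc)
        return {"status": 400, "error": str(exc), "ref": ref}
    try:
        return {"status": 200, "data": backend(data), "ref": ref}
    except Exception:
        log.exception("ref=%s backend failure", ref)
        return {"status": 500, "error": "An internal error occurred.", "ref": ref}
```

The reference id is the bridge between the two audiences: the user quotes it to support, and the operator finds the full traceback under it in the log, so nothing about the database or platform has to travel back to the browser.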
AS-10: Not only should a session identifier (SID) be unique to an individual or system, it should
also be unique to that individual's or system's access profile. For example, a user has a certain access
profile prior to authenticating. This access profile may consist of limited functionality and access to a
very limited subset of data. Once authenticated, the user may have access to increased functionality
and a larger data set. A new SID should be generated and associated with this authenticated access.
Similarly, a user may be able to enter a secondary set of credentials in order to gain access to
administrative functionality. A new SID should be generated and associated with this administrative
access. If a user has both a user session and an administrative session active, that user would have
two different SIDs associated with two different sets of actions.
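An added example, not from the page, covering the session controls AS-8 to AS-11 and the guidance just above: identifiers come from the OS CSPRNG, the pre-authentication SID is retired and replaced on login, secondary credentials open a separate administrative session with its own SID while the user session stays alive, and idle sessions expire. The credential table, the user "alice", the passwords, the idle timeout value and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # AS-11; the value is an assumption, set it per data classification


# Constructed credential store (not from the page): salted PBKDF2 hashes for one user's
# primary password and that user's secondary (administrative) password.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
_USERS = {"alice": _pbkdf2("correct horse", _SALT)}
_ADMIN_CREDS = {"alice": _pbkdf2("battery staple", _SALT)}


def _check(table: dict, name: str, password: str) -> bool:
    stored = table.get(name)
    candidate = _pbkdf2(password, _SALT)  # always hash, so timing does not reveal whether the user exists
    return stored is not None and hmac.compare_digest(stored, candidate)


@dataclass
class Session:
    principal: Optional[str]  # None until authenticated
    profile: str              # "anonymous", "user" or "admin"
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_sid() -> str:
        # AS-9: 256 bits from the OS CSPRNG; not a counter, a timestamp or a hash of the username.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Pre-authentication session carrying the anonymous access profile."""
        sid = self._new_sid()
        self._sessions[sid] = Session(None, "anonymous", self._clock())
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Resolve a SID, expiring it if idle longer than IDLE_TIMEOUT_SECONDS (AS-11)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate and return a NEW SID bound to the user profile (AS-8, AS-10).

        The anonymous SID is retired. If it were kept, an attacker who planted or
        observed it before login would hold an authenticated session afterwards.
        """
        if self.lookup(sid) is None or not _check(_USERS, username, password):
            raise PermissionError("authentication failed")
        del self._sessions[sid]
        new_sid = self._new_sid()
        self._sessions[new_sid] = Session(username, "user", self._clock())
        return new_sid

    def elevate(self, sid: str, admin_password: str) -> str:
        """Secondary credentials open a separate administrative session with its own SID.

        The user session is left in place, so one person may hold two SIDs at once,
        each tied to a different set of actions, as the guidance describes.
        """
        s = self.lookup(sid)
        if s is None or s.profile != "user" or not _check(_ADMIN_CREDS, s.principal, admin_password):
            raise PermissionError("elevation failed")
        admin_sid = self._new_sid()
        self._sessions[admin_sid] = Session(s.principal, "admin", self._clock())
        return admin_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

Two design points worth checking in any real implementation against these controls: the old identifier must be deleted server-side, not merely replaced in the cookie, and the administrative SID should be issued with its own shorter idle timeout and its own logout path so that dropping the admin session does not end the user session or vice versa.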
AS-16: Administrative (privileged) commands are those commands that typically require some level of
privileged access to execute. For example, adding and deleting users of an application, resetting a
user's password and modifying how an application is configured are all examples of administrative
commands that should be logged. Execution of administrative commands may occur through some
type of command-line interface or through a graphical user interface; both paths must produce the
same log record. The full scope of administrative commands that should be logged may vary from
application to application depending on the application's inherent functionality and the platform(s) it
runs on top of or interacts with.