Chapter 6 Acquisition of Systems and Services
Article 18 (System Development Life Cycle – Requirement Analysis and Design Stage)
- An organization shall ascertain the safety requirements (including confidentiality, availability, integrity) of the information and communication system during the stage of requirement analysis of the system.
- An organization shall, according to the functions and requirements of a core system, identify and perform risk analyses and assessments of threats that may impact the system. It is advisable for a non-core system to identify and perform risk analyses and assessments of threats.
- An organization shall reflect the results of a core system risk assessment in the items for review at the requirement stage and propose modifications to the safety requirements. It is advisable for a core system to so modify according to the risk assessment results.
Article 19 (System Development Life Cycle – Development and Testing Stage)
- The information and communication system shall implement necessary control measures with regard to safety requirements.
- The information and communication system shall take notice of and prevent common software flaws and implement necessary control measures.
- When an error occurs in the information and communication system, the user page shows only a short error message and an error code, and does not disclose the details of the error.
- It is advisable for an organization offering online ordering services to perform “source code scan” for purposes of safety testing of its core systems.
- It is advisable for the core systems of a type 1 organization to be equipped with an alert mechanism against serious errors.
- An organization offering online ordering services shall perform regular vulnerability scans of the information and communication system (at least on a biannual basis) for purposes of safety testing.
- An organization offering online ordering services shall perform regular penetration tests on the core systems which offer online services for purposes of safety testing.
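The following is an added illustration and is not part of the regulation text above. It shows one way to satisfy the error-handling item of this Article: the page returned to the user carries only a short message and a stable error code plus a reference number, while the exception type, values and stack trace are written to a server-side log that support staff can look up by that reference. The order-processing function, the error-code table and the in-memory log sink are constructed for the example and are not taken from any real system.

```python
"""Added example (not part of the regulation): a user-facing error response
that shows only a short message and an error code, while the full details
are kept in a server-side log keyed by a reference number."""
import logging
import secrets
import traceback

# Constructed in-memory log sink so the example runs offline; a real
# deployment would write to the application's normal log destination.
SERVER_LOG = []

logger = logging.getLogger("app.errors")


class ListHandler(logging.Handler):
    """Collects formatted log records in SERVER_LOG."""

    def emit(self, record):
        SERVER_LOG.append(self.format(record))


logger.addHandler(ListHandler())
logger.setLevel(logging.ERROR)

# Hypothetical error-code table. The codes are stable and non-descriptive:
# they let support staff find the server-side record without telling the
# user what failed internally.
ERROR_CODES = {
    KeyError: "E1001",
    ValueError: "E1002",
}
GENERIC_CODE = "E1000"
USER_MESSAGE = "An error occurred. Please contact support and quote the reference number."


def user_facing_error(exc):
    """Log the full exception server-side and return the short user response."""
    ref = secrets.token_hex(8)  # reference number linking the page to the log entry
    code = ERROR_CODES.get(type(exc), GENERIC_CODE)
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    # Everything sensitive (exception text, stack trace) goes here, not to the user.
    logger.error("ref=%s code=%s type=%s detail=%r\n%s",
                 ref, code, type(exc).__name__, exc, detail)
    return {"error_code": code, "reference": ref, "message": USER_MESSAGE}


def process_order(order):
    """Constructed order handler: validates quantity and returns a result or a user-facing error."""
    try:
        qty = int(order["quantity"])
        if qty <= 0:
            # The internal message names the SKU and value; it must stay server-side.
            raise ValueError(f"quantity must be positive, got {qty} for sku {order['sku']}")
        return {"status": "ok", "sku": order["sku"], "quantity": qty}
    except Exception as exc:  # broad on purpose: no exception may leak to the page
        return user_facing_error(exc)


if __name__ == "__main__":
    print(process_order({"sku": "SKU-1", "quantity": "-3"}))  # short message + code only
    print(SERVER_LOG[-1])  # full detail, including SKU and traceback, stays in the log
```

The broad `except` is deliberate: any exception type that is not in the table still maps to the generic code, so an unexpected failure cannot fall through to a framework debug page. The reference number is random rather than sequential so that it reveals nothing about request volume.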
Article 20 (System Development Life Cycle – Deployment, Maintenance and Operation, and Outsourcing Stage)
- An organization shall update and patch the information and communication system against relevant security threats and flaws, and shall disable unnecessary services and ports in the deployment environment.
- An organization shall inspect the existing information and communication system, set and use strong passwords, and avoid using default passwords.
- An organization shall implement version control and revision management during the maintenance and operation stage of the development life cycle of the information and communication system.
- If an organization outsources the development of the information and communication system, it shall incorporate, by level, the safety requirements (including confidentiality, availability and integrity) of the system at each stage of the development life cycle into the outsourcing contract.
Article 21 (Acquisition Process and System Documents)
- The official operating environment of the information and communication system shall be separated from the development and testing environments.
- An organization shall store and manage the documents pertaining to the development life cycle of the information and communication system.