Systems Development and Maintenance (CC-19000, semi-annual audit)
- The information security requirements shall be included in the analysis and specifications when an application system is being planned and analyzed.
- Whether inputs are verified to confirm their accuracy.
- Legal copyrighted software shall be used.
- Contracts shall be entered into for outsourced work. The terms of contracts entered into for outsourced work shall include an information security agreement and the right to audit the outsourcer's information security.
- When a completed program requires maintenance, it must be carried out in accordance with formally approved procedures.
- All documents and handbooks shall be properly maintained and controlled.
- Specially appointed personnel shall be responsible for maintaining application systems.
- Management of changes to application systems:
- Files that contain programs, data, and job control commands for formal and test operations shall be stored separately.
- When a program is modified, its documentation shall be promptly updated.
- The company shall regularly (at least semi-annually) scan its information system for vulnerabilities. When potential vulnerabilities are identified, it is advised to evaluate the associated risks or install software patches and retain a record (applicable to securities firms placing orders online, but not applicable to those doing so via telephone or in the traditional manner).