Software Security and SDLC Considerations
March 8, 2010
Technical security architecture
Application security architecture
Application security architecture document
Architecture control board
Data model
Data security architecture document
Data security architecture
Platform security architecture
Platform security architecture document
Enterprise architecture governance
Security in the system development lifecycle
Security requirements of information systems
Security requirements analysis and specification
Define information system security requirements
Information system security requirements analysis and specification
Separation of development, test and operational facilities
System planning and acceptance
Including cost of security in information system projects
Planning for security in information systems
Consulting with security early in the SDLC
Reviewing IT security risks in each system development phase
IT security risk management in the SDLC
Separation of development, test and operational environments
Technical security controls for sensitive systems
Security of system files
Control of operational software
Protection of system test data
Control of system test data
Access control to program source code
Cryptographic controls
Policy on the use of cryptographic controls
Key management
Correct processing in applications
Input data validation
Control of internal processing
Message integrity
Output data validation
Outsourced software development
Security in outsourced software development
Outsourced software development
Assurance of security for information systems
Information system security certification
Testing of technical security controls in information systems
Information system security accreditation
System security assurance approval certificate
Security certification report document
Review of system security assurance approval certificate
Technical compliance checking
Compliance with security policies and standards
Technical security of COTS software applications
Electronic commerce services
Mainframe applications
Large applications (e.g., Oracle, SAP, PeopleSoft, ERP, CRM)
Desktop office applications
Web applications
Security of virtualized software
Virtualized hardware servers
Virtualized software applications
Electronic messaging
Business information systems
Electronic commerce
On-line transactions
Publicly available information
System acceptance
System acceptance testing
Prevention of data leakage
Information leakage
Control of system core dump and crash dump data
Restriction of use of production data for testing or in testing environments
Control of information system documentation
Control of information system data
Control of system-generated error data (release of IT information to an external third-party service)
Protection against malicious and mobile code
Anti-virus protection
Protection against malicious and mobile
Controls against malicious code
Controls against mobile code
User information security protection measures for information systems, equipment, devices and services
User responsibilities
Password use
User information security in the office
Password use
Unattended user equipment
Unattended user workstation, equipment and devices
Clear desk and clear screen policy
User information security for mobile computing and teleworking
Mobile computing and teleworking
Mobile computing and communications
Teleworking
Ensure secure wired and wireless communications
Maintain secure configuration
Utilize only organization-issued and configured equipment, devices and services
Encryption of hard-drives and portable storage devices
Protect passwords