2.4.17 Development Infrastructure
This section covers the infrastructure requirements needed for a secure development and manufacturing site. The requirements include recommendations for physical security and for the processes covering asset management, development and release of the products.
| Req No | Requirement | Primary Keyword | Secondary Keyword | Compliance Class And Applicability |
|---|---|---|---|---|
| 2.4.17.1 | A documented Software Development Lifecycle (SDLC): this may be presented as a diagram or in words and should cover the security aspects, threats and mitigations | Business | Process | Mandatory for Class 1 and above |
| 2.4.17.2 | A documented final release process: there is a controlled release process with unique version tagging, a release checklist and stakeholder sign-off | Business | Process | Mandatory for Class 1 and above |
| 2.4.17.3 | An asset management policy for security-related equipment: there is a controlled record of development hardware (e.g. development PCs/laptops, secure hardware build servers, HSMs) covering how the equipment is tracked and maintained | Business | Policy | Mandatory for Class 1 and above |
| 2.4.17.4 | There is a defined document classification process and management plan for material that contains security-related information: documents are marked (e.g. "Confidential", "Secret"), the classes are defined, there is a management policy for each class, and staff are made aware of it | Business | Process | Mandatory for Class 1 and above |
| 2.4.17.5 | There are data backup processes for critical and secret data: there is a process to back up critical code and secret assets. The secret assets should be segregated and backed up securely. The backups should follow the backup policy and procedures and should be tested for resilience and recoverability | Business | Process | Mandatory for Class 1 and above |
| 2.4.17.6 | Access control, both physical and for code repositories and build artifacts: there is physical security in the office (locked doors, access logs) limiting access to authorised people only. Corporate data networks shall be secured and managed (i.e. secure login, data access control and logging) | Business | Process | Mandatory for Class 1 and above |
| 2.4.17.7 | Secure asset and key management: a policy and process to manage assets and keep them secure, e.g. a secure signing facility, access control logs, an audit trail of access, and a policy for when assets are moved or copied out of the secure facility | Business | Policy | Mandatory for Class 1 and above |
| 2.4.17.8 | Security risk assessment: all work must be covered by an up-to-date risk assessment (RA), including a process to create and maintain it. The RA is reviewed during the project and at the release point, to accept the severity of all risks based on product expectations and risk appetite | Business | Process | Mandatory for Class 1 and above |
| 2.4.17.9 | Data destruction: there is a policy regarding the lifetime of security-related and/or private data and a process for its destruction. This should align with the relevant regional regulations and policies | Business | Policy | Mandatory for Class 1 and above |
| 2.4.17.10 | HR security policy: there is a policy and process to manage employees and any authorised visitors (e.g. ID checks; signed agreements covering confidentiality, non-disclosure, code of conduct and ethics); this should cover both onboarding and termination | Business | Policy | Mandatory for Class 1 and above |