...

Anchor_gjdgxs_gjdgxsVanta policy template instructions

This Vanta policy template represents a complete, compliance-ready policy with placeholders for company specific text. Each policy section represents a policy-specific topic that you should consider and/or modify to match your company’s practices.

For each policy section

• Consider if this section and its corresponding risks apply to you. If it does not, remove it and/or replace it with your organization’s corresponding practices.

• Replace any highlighted text in angled brackets < >¹ with your own language

• Rewrite the policy language such that it reflects the practices of your organization

Policy completion checklist

1. Use Find to make sure that all text in angled brackets is replaced

2. Proofread your policy for spelling and grammar mistakes

3. Confirm that the policy’s content reflects your organizations practices

4. Add any company-specific letterhead, branding, and formatting

5. Remove this instructions page

6. Export this document as PDF — File > Save As > Change “File Format” to PDF

7. Upload the PDF to Vanta at https://app.vanta.com/policies

More questions?

A good rule-of-thumb is to keep your language at a high enough level such that it stays representative for at least a year. If you have more questions about how to use this template, please reach out to support@vanta.com or your auditor for additional guidance.

Secure Development Policy

Policy Owner: <Policy owner>

Effective Date: <Effective date>

Policy Owner: Principal Engineer

Effective Date: 2023-05-01

Anchor
purpose purpose

Purpose

To ensure that information security is designed and implemented within the development lifecycle software engineering process for applications and information systems.

Anchor

...

scope

...

scope

Scope

All <Company Name> CloudCard applications and information systems that are business critical and/or process, store, or transmit Confidential data. This policy applies to all internal and external engineers and developers of <Company Name> CloudCard software and infrastructure.

Anchor

...

policy

...

policy

Policy

...

_30j0zll_30j0zllThis policy describes the rules for the acquisition and development of software and systems that shall be applied to developments software engineering activities within the <Company Name> CloudCard organization.

...

Anchor

...

change-control change-control

System Change Control Procedures

...

Changes to systems within the development lifecycle engineering process shall be controlled by the use of formal change control procedures. Change control procedures and requirements are described in the <Company Name> CloudCard Operations Security Policy.

Significant code changes must be reviewed and approved by <who can approve code changes, e.g., a developer or manager within the Review Board> at least one other member of the engineering team before being merged into any production branch in accordance with the <name of process, e.g., Check In Process> found here: <link to process outline in company wiki>

Change control procedures shall ensure that development, testing and deployment of changes shall not be performed by a single individual without approval and oversight.

...

Anchor

...

version-control version-control

Software Version Control

...

All <Company Name> CloudCard software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee’s role. All code is written, tested, and saved in a local repository before being synced to the origin repository.

...

Anchor

...

review-after-platform-change review-after-platform-change

Technical Review of Applications after Operating Platform Changes

...

_3znysh7_3znysh7When operating platforms are changed, business critical applications shall be reviewed and tested to ensure that there is no adverse impact on organizational operations or security.

...

Anchor

...

secure-engineering secure-engineering

Secure System Engineering Principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

At a minimum, the following secure-by-design and privacy-by-design principles shall be applied⁴:

Secure-by-design principles:

...

Engineering documentation and technical references can be found in the <name of page with documents, e.g., Development Process Confluence Page> here: <link> Anchor_tyjcwt_tyjcwthttps://sharptop.atlassian.net/wiki/spaces/CCD/overview?homepageId=15859717.

Software developers are expected to adhere to <Company Name>’s CloudCard’s coding standards throughout the development cycleengineering process, including standards for quality, commentingtesting, and security.

...

Anchor

...

development-environment development-environment

Secure Development Environment

...

CloudCard shall establish and appropriately protect environments for system development and integration efforts that cover the entire system development life cycle. The following environments shall be logically or physically segregated:

...

• _buji3ti4uu1pProduction Anchor_addlcmtwlx8s_addlcmtwlx8s

• Test / Staging Anchor_ywxkhkbh069t_ywxkhkbh069t

• Local Development

...

Anchor

...

outsourced-development outsourced-development

Outsourced Development

CloudCard shall supervise and monitor the activity of outsourced system development. Outsourced development shall adhere to all <Company Name> CloudCard standards and policies.

...

Anchor

...

security-testing security-testing

System Security Testing

Testing of security functionality shall be performed at defined periods during the development life cycleengineering process. No code shall be deployed to <Company Name> CloudCard production systems without documented, successful test results and evidence of security remediation activities.

...

Anchor

...

vulnerability-management vulnerability-management

Application Vulnerability Management

...

Application code should be scanned prior to deployment. Patches to address application vulnerabilities that materially impact security should be deployed within 90 days of discovery.

Anchor

...

testing

...

testing

System Acceptance Testing

...

Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Anchor_2s8eyo1_2s8eyo1Prior to deploying code, a Release Checklist MUST be completed which includes a checklist of all Test Plans which show the completion of all associated tests and remediation of identified issues.

...

Anchor

...

customer-data customer-data

Protection of

...

Customer Data

Test data shall be selected carefully, protected and controlled. Confidential customer data shall be protected in accordance with all contracts and commitments. Customer data shall not be used for testing purposes without the explicit permission of the data owner and the <approver of use of customer data as test data, e.g., VP of Engineering>.Managing Director.

...

Anchor

...

third-party-software third-party-software

Acquisition of Third-Party Systems and Software

The acquisition of third-party systems and software shall be done in accordance with the requirements of the <Company Name> CloudCard Third-Party Management Policy⁹.

Anchor

...

training

...

training

Developer Training

...

Software developers shall be provided with secure development training appropriate to their role at least annually. Training content shall be determined by management but shall address the prevention of common web application attacks and vulnerabilities. The following threats and vulnerabilities should be addressed as appropriate:

• prevention of authorization bypass attacks

• prevention of the use of insecure session IDs

• prevention of Injection attacks

• prevention of cross-site scripting attacks

• prevention of cross-site request forgery attacks

• prevention of the use of vulnerable libraries

Anchor

...

exceptions

...

exceptions

Exceptions

Requests for an exception to this Policy must be submitted to the <approver of exceptions to this policy, e.g., VP of Engineering> Principal Engineer for approval.

Anchor

...

enforcement

...

enforcement

Violations & Enforcement

...

_17dp8vu_17dp8vuAny known violations of this policy should be reported to the <receiver of reported violations to this policy, e.g., VP of Engineering>. Principal Engineer. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.anchor_3rdcrjn_3rdcrjn

Version

Date

Description

Author

Approved by

<1

1.

0>

0

<29

2023-

Apr

03-

2020>

26

<First Version>

<OWNER>

<APPROVER>

¹ All fields in this document marked by angled brackets < > and highlighted must be filled in.

² This is a reference to another Vanta policy. If you are not planning on using this policy, describe your company’s change control procedures and requirements here.

³ Describe your company’s version control use here

⁴ Security and privacy by design principles added for v2

⁵ Tailor this section to describe your company’s development environment and SDLC

⁶ This section references outsourced development. If you company does not use outsourced development, remove this section.

⁷ Application vulnerability management added for v2

⁸ Describe your company’s acceptance testing process here

⁹ This is a reference to another Vanta policy. If you are not planning on using this policy, describe your company’s third-party systems and software acquisition processes

...

First Version	Ryan Heathcote	Tony Erskine