Policy Owner: Principal Engineer
...
| Anchor | ||||
|---|---|---|---|---|
|
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
...
Production
Contains applications ready and approved for use by customers and storage of customer data.
Changes are controlled and subject to prior approval and testing.
Access is restricted to users who have fulfilled the requirements of access to customer data and have a business need.
Test
Contains applications not fully approved for use by customers or storage of customer data.
Available for customers to perform validation or acceptance tests.
Must not contain customer data, except data provided by customers for the purpose of validating functionality
Changes are coordinated to ensure no conflicts between team members in use of the environment.
Segmented from production and does not access or share production resources.
Local Development
Segmented from production and does not access or share production resources.
Contains applications under active modification. Typically operated on a developer’s desktop or laptop.
Must not contain customer data.
...
| Anchor | ||||
|---|---|---|---|---|
|
Application code should be scanned prior to deployment. Patches to address application vulnerabilities that materially impact security should be deployed within 90 days of discovery.
| Anchor | ||||
|---|---|---|---|---|
|
...
Test data shall be selected carefully, protected and controlled. Confidential customer data shall be protected in accordance with all contracts and commitments. Customer data shall not be used for testing purposes without the explicit permission of the data owner and the Managing Director.
| Anchor |
|---|
...
The acquisition of third-party systems and software shall be done in accordance with the requirements of the CloudCard Third-Party Management Policy.
| Anchor | |||
|---|---|---|---|
|
Software developers shall be provided with secure development training appropriate to their role at least annually. Training content shall be determined by management but shall address the prevention of common web application attacks and vulnerabilities. The following threats and vulnerabilities should be addressed as appropriate:
prevention of authorization bypass attacks
prevention of the use of insecure session IDs
prevention of Injection attacks
prevention of cross-site scripting attacks
prevention of cross-site request forgery attacks
prevention of the use of vulnerable libraries
| Anchor | ||||
|---|---|---|---|---|
|
...
Any known violations of this policy should be reported to the Principal Engineer. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Version | Date | Description | Author | Approved by |
1.0 | 2020-11-24 | First Version | Luke Rettstatt | |
2.0 | 2023-03-26 | Update to SOC Template | Ryan Heathcote | Tony Erskine |
3.0 | 2024-08-02 | Annual Review | Ryan Heathcote | Tony Erskine |