Systems Development: Difference between revisions

From Bloomex Wiki
Line 8: Line 8:
* '''Development Methodology:''' All in-house developed software that runs on production systems must adhere to a recognized development methodology (SDM). This methodology must ensure that software is properly documented, tested, and includes adequate control measures before being used for critical Bloomex information.
* '''Development Methodology:''' All in-house developed software that runs on production systems must adhere to a recognized development methodology (SDM). This methodology must ensure that software is properly documented, tested, and includes adequate control measures before being used for critical Bloomex information.
* '''System Ownership and Custodianship:''' Each production system must have designated Owners and Custodians responsible for the critical information processed by the system.
* '''System Ownership and Custodianship:''' Each production system must have designated Owners and Custodians responsible for the critical information processed by the system.
* '''Risk Assessment:''' IT Security must conduct periodic risk assessments of production systems to ensure that controls are adequate.
* '''Risk Assessment:''' IT must conduct periodic risk assessments of production systems to ensure that controls are adequate.
* '''Access Control:''' Production systems must have an access control system to limit access and privileges to authorized users only. A designated systems administrator who is not a regular user must manage access to all production systems.
* '''Access Control:''' Production systems must have an access control system to limit access and privileges to authorized users only. A designated systems administrator who is not a regular user must manage access to all production systems.
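Review bot: the Risk Assessment line drops the responsible party from "IT Security" to the broader "IT", which leaves the policy without a named accountable function for the periodic assessments; every other item in this section assigns a specific role (Owners and Custodians, a designated systems administrator), so either keep "IT Security" or name the team within IT that owns the assessments and the adequacy sign-off on controls.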


Line 19: Line 19:
==== User Programming ====
==== User Programming ====


* '''Authorization Requirement:''' Users are not permitted to write production computer programs unless explicitly authorized by the Chief Information Officer.
* '''Authorization Requirement:''' Users are not permitted to write production computer programs unless explicitly authorized by the Chief Technology Officer.
* '''Exclusions:''' The creation of spreadsheet formulas, automatic execution scripts, or databases is not considered programming under this policy.
* '''Exclusions:''' The creation of spreadsheet formulas, automatic execution scripts, or databases is not considered programming under this policy.
* '''Security Parameters:''' Both users and programmers must avoid embedding user IDs, readable passwords, encryption keys, or other security parameters in any file.
* '''Security Parameters:''' Both users and programmers must avoid embedding user IDs, readable passwords, encryption keys, or other security parameters in any file.
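Review bot: the authorizing role for production programming changes from "Chief Information Officer" to "Chief Technology Officer" with no other edit in the hunk; confirm that the rest of the wiki and any linked authorization procedure refer to the same title, since a user reading an older page would otherwise seek approval from the wrong officer. The Security Parameters item is unchanged here, but it would read more precisely if it also named configuration files and source repositories explicitly, as "any file" is easy to misread as documents only.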

Latest revision as of 19:12, 2 September 2024

Production System Definition

  • Production System: A production system is any system designated for regular use to process critical information for Bloomex. The designation of a production system is assigned by the Enterprise Systems Manager, regardless of its physical location.

Special Production System Requirements

  • Development Methodology: All in-house developed software that runs on production systems must adhere to a recognized development methodology (SDM). This methodology must ensure that software is properly documented, tested, and includes adequate control measures before being used for critical Bloomex information.
  • System Ownership and Custodianship: Each production system must have designated Owners and Custodians responsible for the critical information processed by the system.
  • Risk Assessment: IT must conduct periodic risk assessments of production systems to ensure that controls are adequate.
  • Access Control: Production systems must have an access control system to limit access and privileges to authorized users only. A designated systems administrator who is not a regular user must manage access to all production systems.

Separation between Production, Development, and Test Systems

  • Environment Separation: Where feasible, production, development, and test environments must be kept separate to prevent interference and ensure security.
  • Security Fixes: Security fixes provided by vendors must undergo the SDM testing process and be promptly installed in production systems.
  • Change Control: IT Systems, Enterprise Application, and Functional Support Departments must adhere to formal and documented change control processes for all production system changes. All non-approved application program-based access paths must be removed or disabled before moving software into production. Documentation of these changes must be maintained for audit purposes.

User Programming

  • Authorization Requirement: Users are not permitted to write production computer programs unless explicitly authorized by the Chief Technology Officer.
  • Exclusions: The creation of spreadsheet formulas, automatic execution scripts, or databases is not considered programming under this policy.
  • Security Parameters: Both users and programmers must avoid embedding user IDs, readable passwords, encryption keys, or other security parameters in any file.