Application and Interface Security

Application and interface security policies are a key component of the Information Security Program.

Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.

AIS Control Domains

AIS-01: Application Security - Development Methodology Policy, Application Security Policy

  • AIS-01.1: Do you use industry standards (e.g., OWASP Software Assurance Maturity Model, ISO 27034) to build security into your Systems/Software Development Lifecycle (SDLC)?


*Policy: Development Methodology
*SOP: None
*Audits: AU_0002_Annual_Engineering_Review
*Artifacts: Docusign
*Systems: None
*Related Jira Ticket(s): OD-203

  • AIS-01.2: Do you use an automated source code analysis tool to detect security defects in code prior to production?


*Policy: Development Methodology
*SOP: SOP_0001_Source_Code_Analysis
*Audits: AU_0002_Annual_Engineering_Review
*Artifacts: Generated from source code review, stored in Box
*Systems: Automated source code analysis tool
*Related Jira Ticket(s): IT-78

  • AIS-01.3: Do you use manual source-code analysis to detect security defects in code prior to production?


*Policy: Development Methodology
*SOP: SOP_0003_Manual_Code_Review
*Audits: AU_0002_Annual_Engineering_Review
*Artifacts: Ask CAIQ
*Systems: New, Automated source code analysis tool
*Related Jira Ticket(s): OD-204

  • AIS-01.4: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?


*Policy: Modify Development Methodology
*SOP: None
*Audits: AU_0002_Annual_Engineering_Review
*Artifacts: Ask CAIQ
*Systems: None
*Related Jira Ticket(s): OD-203

  • AIS-01.5: (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?


*Policy: Modify Development Methodology
*SOP: SOP_0003_Manual_Code_Review
*Audits: AU_0002_Annual_Engineering_Review (Annual or more frequent)
*Artifacts: Jira
*Systems: None
*Related Jira Ticket(s): OD-205

AIS-02: Customer Access Requirements - Compliance Policy, Application Security Policy

  • AIS-02.1: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?


*Policy: Modify Corporate Compliance Policy
*SOP: None
*Audits: AU_0001_Annual_Mgmt_Review
*Artifacts: None
*Systems: Salesforce (OCN Account)
*Related Jira Ticket(s): OD-207 Need to add subtask

  • AIS-02.2: Are all requirements and trust levels for customers’ access defined and documented?


*The customer administrator controls all authorization levels for their users. Reference: Application Security Policy.
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
*Guidance: Contact CSA

AIS-03: Data Integrity

  • AIS-03.1: Do your data management policies and procedures require audits to verify data input and output integrity routines?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
*Guidance: CSA. Google Cloud states: "The intent of this control does not apply to Google Cloud Platform. However, Google conducts integrity checks on data written to its storage systems to ensure availability and replication."

  • AIS-03.2: Are data input and output integrity routines (e.g., MD5/SHA checksums) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?


*Policy: Modify Development Methodology
*SOP: None
*Audits: AU_0002_Annual_Engineering_Review
*Artifacts: None
*Systems: None
*Related Jira Ticket(s): OD-208
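The integrity routines AIS-03.2 asks about are usually an envelope that carries a digest of the payload, recomputed by the consumer before the data is processed. The example below is added here to illustrate that control; it is not code from the original page or from the organization it describes. It assumes JSON records and a hypothetical producer/consumer pair, uses SHA-256 rather than MD5 (MD5 still detects accidental corruption, but it is collision-broken and should not be introduced into new code), and shows the caveat a reviewer should raise against the questionnaire wording: an unkeyed MD5/SHA checksum catches processing errors and transit corruption, but not deliberate modification, because whoever alters the payload can recompute the digest. A keyed HMAC closes that gap, and the consumer must decide which algorithm it requires rather than trusting a field in the message. The sample record and key are constructed for the demonstration.

```python
"""Input/output integrity routines for an application interface.

Added example, not from the original page or the organization it describes.
Assumptions (hypothetical): records are JSON objects, the producer wraps each
one in an envelope with a digest, and the consumer recomputes the digest
before processing. A plain SHA-256 digest catches accidental corruption;
a keyed HMAC is needed to catch deliberate modification, because anyone
who can alter the payload can also recompute an unkeyed MD5/SHA digest.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample record and key for the demonstration (not real data).
SAMPLE_RECORD = {"account": "A-1001", "amount": 250, "currency": "USD"}
SHARED_KEY = b"example-shared-secret-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so producer and consumer
    # hash byte-identical input regardless of dict ordering.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: Optional[bytes] = None) -> dict:
    """Producer side: attach a SHA-256 digest, or an HMAC-SHA256 tag if a key is given."""
    body = canonical_bytes(record)
    if key is None:
        return {"algo": "sha256", "digest": hashlib.sha256(body).hexdigest(),
                "payload": copy.deepcopy(record)}
    return {"algo": "hmac-sha256", "digest": hmac.new(key, body, hashlib.sha256).hexdigest(),
            "payload": copy.deepcopy(record)}


def verify(envelope: dict, key: Optional[bytes] = None) -> bool:
    """Consumer side: recompute and compare before the payload is processed.

    The consumer decides which algorithm it requires; it does not trust the
    envelope's "algo" field, otherwise a tampered message could downgrade
    an HMAC check to an unkeyed hash the attacker can recompute.
    """
    required = "hmac-sha256" if key is not None else "sha256"
    if envelope.get("algo") != required:
        return False
    body = canonical_bytes(envelope["payload"])
    if key is None:
        expected = hashlib.sha256(body).hexdigest()
    else:
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking digest bytes via timing.
    return hmac.compare_digest(expected, envelope.get("digest", ""))


def corrupt_in_transit(envelope: dict) -> dict:
    """Simulate a processing error: the payload changes, the digest does not."""
    damaged = copy.deepcopy(envelope)
    damaged["payload"]["amount"] = 2500
    return damaged


def forge_unkeyed(envelope: dict) -> dict:
    """Simulate an attacker who edits the payload and recomputes a plain SHA-256."""
    forged = copy.deepcopy(envelope)
    forged["payload"]["amount"] = 999999
    forged["algo"] = "sha256"
    forged["digest"] = hashlib.sha256(canonical_bytes(forged["payload"])).hexdigest()
    return forged


def run_demo() -> dict:
    """Return the outcome of each check so the behaviour can be inspected."""
    plain = seal(SAMPLE_RECORD)
    keyed = seal(SAMPLE_RECORD, SHARED_KEY)
    return {
        "plain_ok": verify(plain),
        "plain_detects_corruption": not verify(corrupt_in_transit(plain)),
        # False: an unkeyed hash is recomputable by whoever altered the payload
        "plain_detects_forgery": not verify(forge_unkeyed(plain)),
        "keyed_ok": verify(keyed, SHARED_KEY),
        "keyed_detects_corruption": not verify(corrupt_in_transit(keyed), SHARED_KEY),
        "keyed_detects_forgery": not verify(forge_unkeyed(keyed), SHARED_KEY),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

When answering AIS-03.2, state which of the two routines is in place: a plain checksum satisfies the "processing errors or corruption" intent of the question, while an HMAC (or a signature) is what protects integrity against an untrusted party on the interface. The audit evidence for AU_0002 is the consumer-side check itself, not the presence of a digest field in the schema.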

AIS-04: Data Security / Integrity - FedRAMP Program

  • AIS-04.1: Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?


*Policy: Modify Development Methodology
*SOP:
*Audits: AU_0002_Annual_Engineering_Review
*Artifacts:
*Systems:
*Related Jira Ticket(s): OD-208
*Guidance: Google defines a data security architecture conducive to its operational needs and has demonstrated that this architecture satisfies industry standards such as FedRAMP, NIST SP 800-53, SOC 2/3 and ISO 27001 security objectives.

Related Documents

  • None