Acquisition, Development and Maintenance

The lifecycle of purchasing and developing network and information systems should be secured in all of its phases: planning, implementation and maintenance.

Acquisition, Development and Maintenance

You must ensure the cybersecurity of network and information systems throughout the acquisition, development, implementation, operation, phase-out, and disposal of each component in the systems.

Requirements

Your organisation must document the cybersecurity procedures for:

  • the acquisition of network and information systems or services from third parties,
  • the development and maintenance of network and information systems,
  • the disposal of network and information systems.

These procedures must be based on your organisation’s information system security policy and should be linked to its risk management policy and supplier management procedures.

You may also consider the following:

  • ensure that security updates are available from the manufacturer for the expected lifetime of the product,
  • establish, document, implement, and monitor configurations, including patches and updates for hardware, software, services, and networks,
  • specify and apply procedures for change management,
  • ensure that changes, repairs, and maintenance of network and information systems follow your change management procedures,
  • perform tests ranging from configuration reviews to full tests of overall network and information security,
  • manage risks arising from the acquisition of IT services, systems, or products from suppliers and service providers throughout their lifecycle,
  • set and enforce clear requirements for secure software and system development when acquiring or developing network and information systems. These requirements should cover all development phases, for example through Security by Design,
  • separate systems into networks or zones according to business needs and to the criticality determined by your risk assessments,
  • protect network and information systems from malicious or unauthorised software by introducing measures to detect or prevent malware.

Documentation

You should review your lifecycle management processes for procured and internally developed IT services, systems, or products at regular planned intervals and after major incidents. These reviews should be documented.

Vulnerability Management

You should establish vulnerability management procedures to discover vulnerabilities and implement appropriate measures to reduce the likelihood of them being exploited at any stage of the information system lifecycle. Furthermore, sharing information about vulnerabilities can also help others become aware of weaknesses in their own systems.

Requirements

Your organisation must have procedures on how to handle vulnerabilities that may affect network and information systems. These procedures must enable you to gather information about technical vulnerabilities, assess your own exposure to them, and take appropriate action to manage them.

To manage vulnerabilities you should do the following:

  • stay updated on vulnerability information from various sources, such as national CSIRTs and suppliers or service providers,
  • implement vulnerability management procedures and document the reasoning for not choosing to remediate vulnerabilities,
  • carry out vulnerability scans at regular intervals and after major changes or security incidents, and document the results. In OT environments passive monitoring and traffic analysis may be used instead, since active scans may cause disruptions or downtime. You should support these vulnerability scans by regular security reviews of system configurations,
  • align vulnerability management with change management and incident handling processes,
  • ensure that critical vulnerabilities are addressed without unnecessary delay.

You may also consider establishing a Coordinated Vulnerability Disclosure policy covering your systems. Significant incidents must be reported, and vulnerabilities that are not yet accessible to the public should be shared with your national CSIRT.

Documentation

You should record the observations from your vulnerability scans and document your findings and the actions taken. You should monitor your sources of vulnerability information at planned intervals and document relevant vulnerabilities.
