Technology Development & Acquisition Controls
Purpose
Bramble ensures that security and privacy principles are built into any products/solutions that are either developed internally or acquired, so that the concepts of "least privilege" and "least functionality" are incorporated.
Scope
This control applies to all Bramble production systems.
Ownership
This control is owned by Business Operations and Security Operations.
Controls
Control Number | Control Title | Control Statement | Goal | TOD | TOE |
---|---|---|---|---|---|
TDA-01 | Technology Development & Acquisition | Bramble Group Corp. has implemented mechanisms for tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs. | Does the organization facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs? | 1. Examine the policies, procedures and related documents associated with the mechanisms used to support development and acquisition strategies that meet business needs. | 1. Examine development, contract and procurement tools and methods, including control activities and training, for evidence that these tools and methods support the technological development of the business. |
TDA-02 | Security Requirements | Bramble Group Corp. has implemented mechanisms to include technical and functional specifications, explicitly or by reference, in system acquisitions based on an assessment of risk. | Does the organization include technical and functional specifications, explicitly or by reference, in system acquisitions based on an assessment of risk? | 1. Examine the policies, procedures and related documents associated with technical requirements and functional specifications of system acquisitions based on risk assessment. | 1. Examine the full population of risk assessments during the examination period. 2. Based on the risk assessment, examine technical requirements and functional specifications of the integration or acquisition of the system for evidence that specifications were followed according to the risk assessment. |
TDA-15 | Developer Threat Analysis & Flaw Remediation | Bramble Group Corp. has implemented mechanisms to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party. | Does the organization require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party? | 1. Examine the policies, procedures and related documents associated with the Security Test and Evaluation (ST&E) plan and implementation. | 1. Examine ST&E(s) completed and implemented during the examination period. 2. Evaluate the ST&E for implementation, assessment, communication and remediation under the witness of an independent party. |
- Test of Design (TOD) - verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness (TOE) - verifies that the control is in place and operates as it was designed.