Secure system acquisition and development

Software under development, testing and production is run in differentiated technical environments in order to ensure the quality of development work in an environment that adapts to the production environment and, on the other hand, the production environment is not disturbed by unfinished development.

Sensitive or personal data of users is not copied and used in a development environment.

Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Agreement between a cloud service provider and the organization must include requirements for protecting the organization's data and the availability of services, e.g. in the following ways:

• providing a solution based on generally accepted architecture and infrastructure standards in the industry
• managing access rights to meet organizational requirements
• implementing malware control and protection solutions
• processing and storage of the organization's sensitive data in approved locations (e.g. a certain country or legislative area)
• providing support in the event of a data security breach
• ensuring that the organization's data security requirements are met also in subcontracting chains
• li>providing support in the collection of digital evidence
• providing sufficient support when the organization wants to terminate the use of the service
• required backup and secure management of backups, where applicable
• information owned by the organization (possibly, e.g. source code, data filled/created for the service) restored upon request or when the service ends
• notification requirement in relation to significant changes (such as infrastructure, important features, information location or use by subcontractors)

The data and other materials used for testing should be carefully selected and protected.

Production information that contains personal or other confidential information should not be used for testing purposes.

The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.

The safe development policy may include e.g. the following things:

• safety requirements of the development environment
• instructions for secure coding of the programming languages used
• safety requirements at the design stage of properties or projects
• secure software repositories
• version control security requirements
• the skills required from developers to avoid, discover and fix vulnerabilities
• compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.

Even when development is outsourced, we remain responsible for complying with appropriate laws and verifying the effectiveness of security controls.

We have defined the procedures that we monitor and follow throughout the outsourcing chain.Practices may include e.g. the following things:

• policies for reviewing and approving generated code
• evidence of testing activities performed by the partner
• communication practices
• contractual rights to audit the development process and management tools
• documentation requirements for code generation

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

• Defining and documenting the change
• Assessing the risks and defining the necessary control measures
• Other impact assessment of the change
• Testing and quality assurance
• Managed implementation of the change
• Updating a change log

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to ensure the security of the data and data processing in the system.

Organization must ensure in advance that the acquired data systems are secure. In order to ensure this, the supplier of the important data system to be acquired must be required to provide sufficient security-related clarifications already at the procurement stage.

The supplier must clarify at least the following:

• There is a system description of the service. Based on the description of the service provider, you must be able to assess the general suitability of the service in question for the customer's use case. The system description must show at least
• The service and implementation models of the service, as well as the related service level agreements (Service Level Agreements, SLAs).
• The principles of the life cycle (development, use, decommissioning) of service provision procedures and security measures, including control measures.
• Description of the infrastructure, network and system components used in the development, maintenance/management and use of the service.
• Principles and practices of change management, especially processes for handling changes affecting security.
• Processing processes for significant events deviating from normal use, for example operating procedures in case of significant system failures.
• Role and division of responsibilities related to the provision and use of the service between the customer and the service provider. The description must clearly show the actions that are the customer's responsibility in ensuring the safety of the service. The service provider's responsibilities must include the obligation to cooperate, especially in the investigation of abnormal situations.
• Functions transferred or outsourced to subcontractors.

The use of production data for testing purposes should be avoided. If confidential information is used in testing, the following security measures should be used:

• all sensitive details should be either deleted or made secure (e.g. anonymisation of personal data)
• testing environments are subject to the same strict access control as production
• copying production data to the test environment is done only with a separate authorization
• production data is removed from the test environment immediately upon completion of testing

The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.