The development unit itself maintains a list of criteria that need to be met before a task can be marked as completed. The criteria may include e.g. review requirements, documentation requirements and testing requirements.
New code will only be implemented after extensive testing that meets pre-defined criteria. Tests should cover usability, security, effects on other systems, and user-friendliness.
Current configurations of devices, data systems and networks are documented and a log is maintained of configuration changes.
Changes to configurations must be controlled and go through the change management procedure. Only authorized personnel are allowed to make changes to the configurations.
Configuration information may include e.g.:
In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.
Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.