An Introduction To
Information, Network and Internet Security


Commentary

It is essential for those organisations that are able to commission or design their own systems and applications to take every opportunity to make those systems fail-safe through the use of built-in controls. It is also essential that any purchased software has suitable controls built into it, and that the inclusion of such controls is considered as part of the acquisition process. This Clause is intended primarily as a guide for the technical team and as advice for smaller organisations that do not undertake their own development programmes. Organisations that maintain their own software development teams will doubtless be aware of the controls required to safeguard their final production systems.

The physical separation between versions of software under development and those 'frozen' and released into the change control process is an essential aspect of good system control. Developers are often obliged to use extreme cases of input data in order to test the limits of their software. The overlap between these environments, where 'test' information can suddenly become 'real', is known to be the source of many computer frauds, e.g. the junior programmer who gives himself the Managing Director's authority to approve expenses 'just to test the system'.

Encryption is the technique of mathematically transforming the binary data held in the computer to produce a value that can only be unscrambled by reversing the mathematics. The difficulty is that mathematics happens to be precisely what computers are especially good at, and determined hackers are often able to break the code. Encryption algorithms are not much better than passwords unless they are very complex, and correspondingly expensive. However, if your assets are that important to your organisation, then encryption may be worth the cost.

It is essential to review the levels of protection incorporated into the operating systems on a regular basis. It is not uncommon for the value of a particular part of the organisation to change over the years while the locks on its doors are forgotten.

It is also worth considering that even smaller organisations do sometimes commission software developers to build customised software for them. When third parties are involved, it is even more important to be sure that the software you have commissioned has been cleaned up before it is released into the 'production' environment. The fact that the rogue junior programmer is not actually an employee of the organisation may only compound the problem if the worst comes to the worst.

As a general rule, if the organisation is not large enough to support an in-house software development team, it will probably be better off sticking with proprietary software in its shrink-wrapped form and resisting the urge to modify it into a unique package.

All organisations must keep up to date with technical vulnerabilities and ensure that they have applied appropriate protection to their systems to address published vulnerabilities.



The Security Practitioner

An Introduction to Information Security