Security of Programs and Applications
- Each access coordinator will maintain a mechanism to restrict access to programs and applications which process confidential and/or sensitive information. This mechanism will be based on user electronic identifiers (IDs).
- Each access coordinator will maintain a mechanism that allows the owner of a program or application which processes confidential and/or sensitive information to designate the set of users who can modify the program or application.
- Data and system managers having responsibility for confidential and/or sensitive information will participate in the development of application test data for all such information.
- Employees developing, modifying or testing programs or applications which are used to generate, modify or delete confidential and/or sensitive information will test programs and applications against appropriately masked test data.
- Data and system managers, as applicable, are responsible for ensuring that new and changed programs that process confidential and/or sensitive information move from test/development to production via an auditable change control process.
- Data and system managers, as applicable, are responsible for ensuring that employees who develop, modify or test programs or applications which are used to generate, modify or delete confidential and/or sensitive information dispose of test output appropriately.
- Data managers who establish data security levels are responsible for ensuring that access to applications is consistent with restrictions on data access.
- Data and system managers, as applicable, are responsible for ensuring that test functions are kept either physically or at a minimum logically separate from production functions.
- Data and system managers, as applicable, are responsible for ensuring that copies of production data are not used for testing unless the data have been classified as not confidential and/or sensitive information, or unless all staff and contractors with access to the test data are authorized to access it.
- Data and system managers, as applicable, are responsible for ensuring that appropriate information security and audit controls for confidential and/or sensitive information are incorporated into new systems.