The System/Application Domain is broad, spanning everything from the application itself to all supporting services within the operating system. This domain provides the final layer of control needed to secure the customer’s data and the organization’s sensitive information. Applying best practices here reduces failure rates, optimizes development time, and produces secure code. As a result, the collective best practices lead to processes that, over time, promote a security-conscious culture.
The following is a list of best practices examples that auditors should consider when assessing the System/Application Domain:
Compliance with software licenses
Software complies with regulatory requirements
Use of encryption where feasible
Assessment of all SDLC phases
Security and backup of source code
Adoption of secure coding practices
Use of code analyzers to identify software vulnerabilities
Limiting the use of local system accounts
Configuration of service accounts such as making service accounts noninteractive
Deployment of DLP tools
Monitoring for new secure coding practices
Not using production data in an application test environment
Ensuring systems and applications are patched regularly
Ensuring applications have appropriate logging and monitoring
Layered security to support applications, such as enhanced database security
Validating all data input