Policy
Policy Name
Application Security Policy

Overview
Applications developed, purchased or obtained to support the business must be designed and implemented to meet security requirements. Data must be protected in accordance with the Data Classification Policy.

Statement
The following application security controls are required:
  • Applications must be developed or configured to address known vulnerabilities and threats.
  • Applications must be tested for vulnerabilities and remediated prior to release to production.
  • Applications must be developed in a non-production environment separate from production.
  • Applications must be developed and implemented to ensure confidentiality, integrity and availability of information.
  • Data transmissions that include confidential or sensitive data must be encrypted. See Encryption Policy for approved encryption algorithms.
  • Applications used to support the business must be authorized through established processes.

Justification

The following benefits will be achieved: 

  • Establishment of a process to check and remediate applications to reduce risk to the organization
  • Definition of the minimum security requirements applications must meet before being placed into production

Scope
All employees, contractors, agents and third parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Application Security