Best Practices for System/Application Domain Compliance

The System/Application Domain is broad, spanning the application itself and every supporting service within the operating system. This domain provides the final layer of control needed to secure the customer's data and the organization's sensitive information. Applying the best practices will reduce failure rates, optimize development time, and produce secure code. Collectively, these best practices lead to processes that, over time, promote a security-conscious culture.

The following are examples of best practices that auditors should consider when assessing the System/Application Domain:

  • Compliance with software licenses

  • Software complies with regulatory requirements

  • Use of encryption where feasible

  • Assessment of all SDLC phases

  • Security and backup of source code

  • Adoption of secure coding practices

  • Use of code analyzers to identify software vulnerabilities

  • Limiting the use of local system accounts

  • Configuration of service accounts such as making service accounts noninteractive

  • Deployment of DLP tools

  • Monitoring for new secure coding practices

  • Not using production data in an application test environment

  • Ensuring systems and applications are patched regularly

  • Ensuring applications have appropriate logging and monitoring

  • Layered security to support applications, such as enhanced database security

  • Validating all data input
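Two of the items above, limiting local system accounts and making service accounts noninteractive, can be checked mechanically during an audit. The script below is an added example, not material from the book: it parses `/etc/passwd`-style records and flags service accounts that still carry an interactive login shell. The UID cutoff for system accounts, the set of shells treated as noninteractive, and the sample records are all assumptions constructed for the example; an auditor would adjust the first two to the organization's baseline and feed the script the real file.

```python
"""Audit check: report service accounts that still have an interactive shell.

Added example (not from the textbook). It parses /etc/passwd-style records
and returns the names of service accounts whose shell is not in a known
noninteractive set. SAMPLE_PASSWD below is constructed test data.
"""
from dataclasses import dataclass

# Assumption: these shells are what the audited hosts use to make an account
# noninteractive; extend the set for other distributions.
NONINTERACTIVE_SHELLS = {
    "/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false",
}

# Assumption: UIDs below this value are reserved for system/service accounts
# (the usual Debian/RHEL convention); adjust to the organization's baseline.
SYSTEM_UID_MAX = 1000


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) records: name:pw:uid:gid:gecos:home:shell.

    An empty shell field means login(1) falls back to /bin/sh, which is
    interactive, so it is normalized here rather than silently ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell or "/bin/sh"))
    return entries


def is_service_account(entry):
    """root is excluded: it is reviewed separately, not as a service account."""
    return entry.uid != 0 and entry.uid < SYSTEM_UID_MAX


def find_interactive_service_accounts(entries):
    """Return the names of service accounts whose shell allows a login."""
    return [
        e.name for e in entries
        if is_service_account(e) and e.shell not in NONINTERACTIVE_SHELLS
    ]


# Constructed sample records for the example (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
legacy:x:50:50::/nonexistent:
appsvc:x:998:998:App service:/opt/app:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def audit_report(text=SAMPLE_PASSWD):
    """Run the check over a passwd file's contents and return the findings."""
    return find_interactive_service_accounts(parse_passwd(text))


if __name__ == "__main__":
    for name in audit_report():
        print(f"FINDING: service account '{name}' has an interactive shell")
```

To audit a live host, pass `open("/etc/passwd").read()` to `audit_report()`; each name returned is a service account that should be reviewed and, where no interactive use is justified, switched to a nologin shell. The check deliberately treats an empty shell field as a finding, since that field defaults to an interactive shell rather than to no shell at all.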
