Highlights of IS.014 Secure System and Software Lifecycle Management Standard
EOTSS IS.014 Secure System and Software Lifecycle Management Standard establishes requirements for controls that shall be incorporated in system and software planning, design, building, testing, and implementation, including:
- Information security activities that shall occur during the system and software development life cycle.
- Required controls for supporting system or software development processes, such as segregation of development, test, and production environments, and preventing the use of confidential production data in test environments (or protecting it where such use is unavoidable).
- The use of version control for software development.
- Requirements for security hardening when building and configuring systems and applications.
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel] that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.