Page 279 - Garis Panduan Perolehan Teknologi Maklumat & Komunikasi (ICT) Kerajaan

APPENDIX 5A2

                                 SAMPLE SCHEDULE FOR SECURITY MEASURES


                   I.     Application Development Process

                   The Vendor shall:

                   (a)   provide Purchaser written documentation that:
                          (i)   details its application architecture and design, development process;
                               and

                          (ii)   identifies the measures that will be taken at each point in that process
                               to design, develop, assure, maintain, and manage the application
                               securely;

                   (b)   conduct peer-review of all code by at least one other individual as identified by
                        the Purchaser against the security requirements and coding guidelines before
                        it is considered ready for testing;

                   (c)   promptly provide a written report to the Purchaser on any security issue
                        identified during the application development lifecycle, including, but not
                        limited to, those arising in connection with requirements, design,
                        implementation, testing, deployment, or operation; such report shall be
                        accompanied by a risk assessment and an outline of the actions required to
                        mitigate that risk; and

                   (d)   establish a plan for knowledge transfer to enable the Purchaser to maintain
                        the secure operation of the application once it has been deployed into the
                        production environment.

                   II.    Vulnerabilities, Risks, And Threats

                   The Vendor shall:

                   (a)   utilize its best efforts to identify, document, and mitigate vulnerabilities,
                        threats, and risks as early as possible during the application development
                        lifecycle;

                   (b)   document how it will identify the key risks to the information that will be
                        resident in the application and to the functions supported by the application. In
                        order to determine and prioritize risks, enumerate vulnerabilities, and
                        understand the impact particular attacks might have on the application, the
                        Vendor shall, at a minimum, conduct a threat assessment and analysis of





