I enjoyed presenting on effective controls for software development with Matthew Crabbe and QA Financial. I am pushing the concept of "cyber compliance" to define internal and external requirements for IT assets such as software, data, hardware, services, contracts, and licenses. Cyber compliance is rapidly expanding from licenses, privacy and contracts with IT vendors to outsourcing, software development and business continuity of essential services providers, cloud in particular. #riskmanagement #compliance #itcontrol #CISO #cybersecurity

1. 10 smart controls
for software
development
Prof. Hernan Huwyler, MBA CPA
QA Financial Digital Forum

2. 2
Quality assurance,
testing and IT risk
management for
software and
technology

3. 3

4. Cyber compliance
requirements for developers
10 smart controls
Discussions
Our journey
4

5. Cyber compliance
1
5

6. European Banking Auhority
◉ 3.6.2. ICT systems development
You need to have a policies and controls to
• Set functional and security requirements
• Accept changes to production
• Set a methodology for testing
• Segregate production from testing and development
• Protect the source code integrity
• Keep a register of business-critical applications
6

7. European Banking Auhority
◉ Guidelines on outsourcing
If you outsource the development, you need to
• Identify security and operational risks in contract
• Perform a due diligence on the potential vendors
• Set and enforce security controls in contractual clauses
• Audit the compliance with contractual clauses or certificates
• Develop an exit plan
7

8. ◉ Privacy by design
You need to integrate privacy and data security in the
development design by
• Assessing vulnerabilities and risks affecting privacy
• Minimizing the processing of personal data
• Ensuring that user accesses can be limited to process data
• Planning for encryption and other security protections
8
General Data Protection Regulation

9. 10 smart controls
1
9

10. Define the security-relevant
hardware, software, and
firmware
Assess vulnerabilities of related
components in the software design
10
01

11. Implement a data scrambling
solution to separate
environments
Produce consistent data for testing
and development while protecting
personal and confidential data
11
02

12. Use simplified semantics in the
documentation of developments
Reduce complexity in describing the
correctness of the plans
12
03

13. Quantify risks in engineering
software developments
Use historical data and calibrated
estimations on assumptions to
measure the impact and
probabilities for multiple scenarios
13
04

14. Standardize a list of
requirements in the
development analysis stage
Develop a single list of requirements
for capability, storage, performance,
interface, recovery, testing,
compliance, data definition, licenses
and access technologies (VPN)
14
05

15. Formalize the exception
handling for abnormal events
terminating executions
Ensure that the auto recovery is
activated and logged for analysis of
timeouts and not found, not
selectable, and invisible objects
15
06

16. Separate code from data
Use template engines, frameworks,
and other third party tools to move
values to header files
16
07

17. Define the changes triggering
code refactoring
Control that refactoring is done
before adding or improving new
features and after going to
production
17
08

18. Certificate user access of
developers twice a year
Discuss the least privileges of the
accesses given to developers with
application owners in an holistic
manner
18
09

19. Ensure the comprehensive
coverage of testing emulations
Evaluate solutions for platforms to
test combinations of operative
systems, browsers and mobile
systems,
19
10

20. Let´s connect
20
/in/hernanwyler
hewyler