Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 6.2.2
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
CIS Critical Security Controls v8 (The 18 CIS CSC):
16.9
16.9 Train Developers in Application Security Concepts and Secure Coding
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design
Russian Unified Cyber Security Framework (на основе The 18 CIS CSC):
16.9
16.9 Проводится обучение разработчиков практикам безопасной разработки программного обеспечения
Разработчики проходят обучение по информационной безопасности раз в год или чаще.
В командах поддерживается культура безопасной разработки.
Разработчики проходят обучение по информационной безопасности раз в год или чаще.
В командах поддерживается культура безопасной разработки.
Стандарт № ИСО/МЭК 27001:2022(E) от 25.10.2022 "Информационная безопасность, кибербезопасность и защита частной жизни — Системы управления информационной безопасностью — Требования. Тело стандарта":
7.2 Компетенция
7.2 Компетенция
Организация должна:
Организация должна:
- a) определить необходимую компетенцию лиц (-а), выполняющих работы под ее (организации) контролем, влияющим на их (лиц) исполнение информационной безопасности;
- b) обеспечить компетентность этих лиц на основе соответствующих образования, обучения или опыта;
- c) где это применимо, предпринимать действия по овладению необходимой компетенцией и оценивать эффективность предпринятых действий; а также
- d) сохранять соответствующую документированную информацию в качестве подтверждения компетенции.
ПРИМЕЧАНИЕ Применимыми действиями могут быть, например, предоставление обучения, наставничество или переназначения действующих сотрудников, или найм или привлечение по контракту компетентных лиц.
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 6.2.2
6.2.2
Defined Approach Requirements:
Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows:
Defined Approach Requirements:
Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows:
- On software security relevant to their job function and development languages.
- Including secure software design and secure coding techniques
- Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.
Customized Approach Objective:
Software development personnel remain knowledgeable about secure development practices; software security; and attacks against the languages, frameworks, or applications they develop. Personnel are able to access assistance and guidance when required.
Defined Approach Testing Procedures:
Software development personnel remain knowledgeable about secure development practices; software security; and attacks against the languages, frameworks, or applications they develop. Personnel are able to access assistance and guidance when required.
Defined Approach Testing Procedures:
- 6.2.2.a Examine software development procedures to verify that processes are defined for training of software development personnel developing bespoke and custom software that includes all elements specified in this requirement.
- 6.2.2.b Examine training records and interview personnel to verify that software development personnel working on bespoke and custom software received software security training that is relevant to their job function and development languages in accordance with all elements specified in this requirement.
Purpose:
Having staff knowledgeable in secure coding methods, including techniques defined in Requirement 6.2.4, will help minimize the number of security vulnerabilities introduced through poor coding practices.
Good Practice:
Training for developers may be provided in-house or by third parties.
Training should include, but is not limited to, development languages in use, secure software design, secure coding techniques, use of techniques/methods for finding vulnerabilities in code, processes to prevent reintroducing previously resolved vulnerabilities, and how to use any automated security testing tools for detecting vulnerabilities in software.
As industry-accepted secure coding practices change, organizational coding practices and developer training may need to be updated to address new threats.
Having staff knowledgeable in secure coding methods, including techniques defined in Requirement 6.2.4, will help minimize the number of security vulnerabilities introduced through poor coding practices.
Good Practice:
Training for developers may be provided in-house or by third parties.
Training should include, but is not limited to, development languages in use, secure software design, secure coding techniques, use of techniques/methods for finding vulnerabilities in code, processes to prevent reintroducing previously resolved vulnerabilities, and how to use any automated security testing tools for detecting vulnerabilities in software.
As industry-accepted secure coding practices change, organizational coding practices and developer training may need to be updated to address new threats.
Стандарт № ISO/IEC 27001:2022(E) от 25.10.2022 "Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Body":
7.2 Competence
7.2 Competence
The organization shall:
The organization shall:
- a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
- b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
- c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
- d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons.
CIS Critical Security Controls v7.1 (SANS Top 20):
CSC 18.6
CSC 18.6 Ensure Software Development Personnel are Trained in Secure Coding
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.