0% found this document useful (0 votes)

48 views18 pages

United Arab Emirates Ministry of Interior: Application Development Security Standards

This document contains the Application Development Security Standards for the United Arab Emirates Ministry of Interior. It establishes security requirements for web and application development. The standards aim to protect critical MOI web applications and web services from accidental or intentional damage. The document provides standards related to architecture, asset management, risk assessment, access control, operations management, incident management, and other areas to secure the integrity of MOI websites, applications, and web services. Compliance is required for all web servers, services, and applications connected to the MOI network.

Uploaded by

temptiger

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

48 views18 pages

United Arab Emirates Ministry of Interior: Application Development Security Standards

Uploaded by

temptiger

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

You are on page 1/ 18

United Arab Emirates

Ministry of Interior
General Directorate of E-Services & Telecom

Application Development Security Standards

Version: 1.0

CLASSIFICATION: Restricted

Version1.0
ATTENTION: This documentClassification: Restricted
contains information related to ‘MoI’ that is confidential and privileged.
The information is intended for the private use of ‘MoI’ only. By accepting this document, you agree to
keep the contents in confidence and not copy, disclose, or distribute this without written request to and
written confirmation fromTel.
‘MOI’. If you are
02 – 4446688 not
– Fax 02 the intended
– 4443494 recipient,
– P.O.Box: 398 –delete the document
Abu Dhabi, U.A.E and be aware
that any disclosure, copying, or distribution of the contents
www.moi.gov.ae - E-mail:of this document is strictly prohibited.
[email protected]
Document Control
Item Description
Document Title: Application Development Security Standards
Reference ID: MOI\GDEST\ICT-IS-APP-DEV-SS-04
Version: Draft
Publish Date: 11/03/2020
Revision Date: -----

Name Section/Dept. Signature/Date

Author(s) Application Security Branch Information Security Section --------
Electronic auditing and
Reviewer(s) ------- information security --------
department
Approver
ISB GDEST -------
(s)

Revision Record
Versio
Reviewer Signature/Date Notes Review & Approve
n
1.0 ---------- ---------

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

Table of Contents
Server Security Standards................................................................................................................4
1. Overview..................................................................................................................................4
2. Purpose.....................................................................................................................................4
3. Scope........................................................................................................................................4
4. Standard...................................................................................................................................5
4.1 Architecture........................................................................................................................5
4.2 Asset Management.............................................................................................................5
4.3 Risk Assessment (RA)........................................................................................................6
4.4 Physical and Environment Security...................................................................................7
4.5 Access Control (Access to Database Usernames and Passwords).....................................7
4.6 Operations Management.....................................................................................................8
4.7 Third Party Security Management...................................................................................11
4.8 Incident Management.......................................................................................................11
4.9 Communication Security..................................................................................................13
4.10 Business Continuity Plan................................................................................................13
4.11 Security Standards for Virtualization.............................................................................14
5. Compliance and Enforcement................................................................................................14
5.1 Compliance Measurement................................................................................................14
5.2 Exceptions........................................................................................................................15
5.3 Non-Compliance..............................................................................................................15
6. Related Standards, Policies, and Processes............................................................................15
7. Revision History....................................................................................................................15

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

Application Development Security Standards
1. Overview
The Application Development Security Standard establishes security requirements for web and
applications development, web services that are critical to the MOI. The standard is intended to
help protect the MOI’s central and distributed web application and web services from accidental
or intentional damage.

This standard applies to the applications, web services or web applications and that have been
deemed 'critical'. Whether owned by the MOI, and 3rd party organization - that connect to the
MOI network either directly or indirectly.

2. Purpose
The purpose of these standards is to secure integrity of the web services, websites, and
applications which are developed, acquired, manipulated, maintained or transmitted by MOI.
This policy establishes security standards for all the application software developed, purchased
or currently in use by MOI.

Industry and vendor best practice guidelines are referenced in the build, deployment and
operation of Web Servers, Websites and Applications

3. Scope
 This standard applies to all web servers, services and applications (MOI and Other 3rd
parties connecting to MOI) using web-oriented protocols.
 The standard excludes embedded web/application servers that are not within the scope of
the server standard, e.g., printers, switches, appliances and other hardware devices.
 All the websites, Services and Applications owned by MOI providing services and
accessible over Intranet or Internet are subject to this standard.
 This standard applies to all Application, Services and Websites hosted in test,
development and production environment over MOI network.
 All Internet-facing web servers owned by MOI and hosted by external providers are
subjected to this standard

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 The standards must be shared with the customer, customized (if required), and approved
before putting it to use. This must happen before the application design starts.
 Project teams are accountable for ensuring that Web applications within their scope are
compliance with this standard
 Project architects are accountable for ensuring that this standard is appropriately
complied with on projects where they are the named architect
 Project managers should ensure that compliance with this standard is included in system
requirements
 Web security testers must ensure that the application is not vulnerable to vulnerabilities
described in this document
 The security controls described in this Guideline are limited to application development
security controls. Users of this Guideline should refer to other established guidelines for
information regarding networking, system, application, database, backup, storage and
other security controls.

4. Application Development Standards

4.1 Architecture

 Every Application MUST have a properly documented architecture diagram with a high-
level explanation of the security layers mentioned in this document.
 The development team MUST make use of a secure software development lifecycle that
addresses security in all stages of development.
 Developers MUST provide the documentation and justification of all the application's
trust boundaries, components, and significant data flows.
 Developers MUST provide definition and security analysis of the application's high-level
architecture and all connected remote services
 Developer MUST follow centralized, simple, vetted, secure, and reusable security
controls to avoid duplicate, missing, ineffective, or insecure controls.
 Before an application is developed, acquired, or enhanced, security requirements must be
formally documented to address all relevant security rules as defined.
 Secure coding checklist, security requirements, guideline, or policy MUST be available
to all developers and testers.

4.2 Asset Management.

 This guideline is in addition to MOI’s “Asset Management Policy” Application

developers must review and apply this policy wherever it is possible.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 All the Applications hosted in MOI DC (Site A and Site B), remote site locations to 3rd
party vendors which are owned by MOI-GDEST MUST be registered in
“System/Application Asset Register”.
 The inventory of all the Applications, Websites and Web services hosted in MOI
datacenters and remote locations must be maintained and updated on monthly basis to
track the Systems/Applications to be protected.
 The inventory shall include the detailed information about the Systems/Applications as
required for risk assessment and must be reflected in the “System/Application Asset
Register”
 All the Systems/Applications with critical data, such as person data, bio metric data, HR
data, etc. must be identified and tagged as critical, Application classification based on
data classification and vulnerability is mandatory according to their importance.

4.3 Risk Assessment (RA)

To empower Risk Analysis team to perform periodic information security risk assessments
(RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate
remediation, risk assessments can be conducted on any Asset of MOI GDEST such as
applications, databases, servers, storages, backup, and networks, and any process or procedure by
which these systems are administered and/or maintained.

The execution, development and implementation of remediation programs is the joint

responsibility of Auditing/Security/Operations/development and the department responsible for
the Servers / system area being assessed. Employees are expected to cooperate fully with any RA
being conducted on systems/servers for which they are held accountable. Employees are further
expected to work with Audit/Security team in the development of a remediation plan.

 Identify threats and perform risk assessment on the systems identified in “Applicaiton
Asset Register”
 A threat is defined as any event that may compromise the confidentiality, integrity,
and/or availability of information assets.
 Threat is the combination of four elements, 1) The Administrators/users, 2) The system /
server assets that must be protected from threats, 3) The method of unauthorized access,
and 4) Result of unauthorized action.
 Identifying the list of users having access to the system / servers grouped by privileges.
 Defining the assets related to systems, such as network switches, SAN Switches related
file servers and storage.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 Identifying system asset value such as Personal Information, CID information,
Confidential files, finance information, HR information, etc. and defining value as
Critical, High, Medium and Low.
 Defining means: The way unauthorized activity can be perpetrated by the users upon
system / server assets. Knowing the means will lead to an understanding of effective
controls to mitigate the threats. Below is the list of potential means.
1. Password dictionary attack
2. Stealing ID/password via social engineering
3. Unauthorized access of System information by exploiting errors in settings
4. Exploiting the vulnerabilities of the Application.
 Threats compromise the confidentiality, integrity, and availability of information assets
 The Open Web Application Security Project (OWASP) is a worldwide volunteer
community aimed at making web application security "visible", so that people and
organizations can make informed decisions about application security risks.
 OWASP lists the most critical web application security flaws in a document entitled “The
Ten Most Critical Web Application Security Vulnerabilities 2007 Update”
 When performing a security evaluation process, involve all parties from technology,
operational, and business areas with vested interest. Perform security process assessment
by examining each component in detail:
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
11. Buffer Overflow
12. Authorization Bypass
 Implement necessary System security controls based upon the importance of System and
the results of risk assessment.

4.4 Authentication Requirements.

 All the System Administrators MUST read adhere to MOI’s “Physical and
environmental security policy”
 The Physical location of all the Servers owned by MOI / Departments must be identified
and secured.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 All the RACKs where servers are mounted in DCs must be locked, only authorized
personnel must have access.
 Only IT / System Administrators Staff should have physical access to the Servers.
 All the Servers must be monitored by CCTV.
 Access to the offices and workstations from where the Servers are being accessed with
Admin privileges must be protected, only authorized personnel must be allowed to enter
such premises. Administration of servers MUST be carried out from dedicated
management infrastructure.
 All the Servers must display a trespassing banner at login as mentioned in “Access
Control Policy”

4.5 Access Control

 MOI “Access control Policy” must be followed for system/server user access
management.
 All the Administrative privileges related to servers, business owner accounts and OS
accounts must be with Head of Information security.
 All server user accounts MUST be provisioned in accordance with the principle of least
privilege. Administrators must be provided privileges based on MOI Access control
policy.
 All server user accounts MUST enable individual users to be identified (e.g. unique
accounts per user, or logged access to shared accounts).
 All the manufacturer and defaults account/passwords must be changed, disabled or
deleted. Guest accounts MUST be removed.
 User accounts on servers MUST be removed when they are no longer required.
 User accounts on servers MUST be reviewed at least every 6 months and be removed if
they are no longer required.
 User accounts on servers MUST be evaluated at least every six months to ensure the
permissions assigned to them are still appropriate.
 Passwords on all the physical or virtual servers must follow MOI “Password Policy”
which can be reviewed from e-club accessible to all employees.
 All local accounts on UNIX machines and domain accounts in Windows environment
should have a minimum 12-character passphrase, 2 special character, 2 digits, mixed of
upper case and lower-case letters and must be changed every 60 days.
 UNIX environment: block the system account (nobody), verify that there are no
accounts with empty password fields in /etc/shadow, verify that no UID 0 accounts other
than root exist, disable remote logins for root account.
 Access to all the servers must be logged to obtain forensic evidence in the event of
unauthorized access, or to submit as evidence to relevant authorities.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 Access to the servers must be restricted only from the authorized workstations and
programs.
 Session time-out must be implemented on all the Servers for the “Administrative
accounts” as required by “Access Control Policy”
 The defined accounts and allocated access rights must be reviewed periodically to check
they are still appropriate.
 The defined accounts and allocated access rights must be reviewed after changes to the
System or operations.
 The defined accounts and allocated access rights must be reviewed whenever
inappropriately allocated access rights and /or accounts are found.
 Review the access rights periodically on each System registered in “System Asset
register”

4.6 Session Management

 Server operating systems must be of a version that is still under active vendor support.
This must include security patches for identified vulnerabilities with a CVE score of 7 or
greater.
 Server operating systems must utilize a version that complies with MOI information
security policy.
 Server operating systems must only be installed from a trusted source and MUST be
installed only by System Administrators.
 Operating systems or applications that are no longer supported by the vendor or an open
source community have an exception request granted by the Head of Information
Security.
 Server operating system installations MUST include all current approved service packs /
major releases for that operating system version.
 Server operating system installations MUST apply all approved and verified updates and
patches not already included on installation media immediately subsequent to installation.
 All server operating systems must be hardened using CIS benchmarking to meet MOI
security Policies.
 VMware environment MUST be hardened following “VMware Security Hardening
Guides” (https://www.vmware.com/security/hardening-guides.html)
 Server operating systems MUST be configured to receive accurate time from MOI
standard NTP Server, in compliance with Security policy.
 Server operating systems MUST be configured so they do not auto-run inserted media.
 Server operating systems MUST be patched in line with patching policy/procedure.
 All unnecessary applications and features on servers MUST be disabled and removed
where possible.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 There MUST be measures in place to prevent installation of unauthorized applications or
features onto servers
 Servers MUST be limited to performing one function only (such as web server, email
server, file server, etc.).
 All operating system services not essential to the role and function of the server MUST
be disabled.
 Remote administration MUST be conducted through approved secure channels (such as
SSH, IPsec VPN, etc.).
 Changes to the Servers MUST be controlled through a formalized change management
process; all the changes must be done as per MOI’s change management policy.
 Change request MUST be raised for any change related to database, all the fields of CR
form must be filled with appropriate information and approvals.
 System Administrators MUST plan, document and implement a change by following
change management process to control changes by:

a) Identifying and recording significant changes.

b) Assessing the potential impact, including the security impact, of the change by
conducting a Security Threat and Risk Assessment.
c) Obtaining approval of changes from the manager(s) responsible for the Servers.
d) Planning and testing changes including documenting fallback procedures.
e) Communicating change details to relevant employees.
f) Notifying affected parties, including business partners and third parties.
g) Documenting and reviewing the documentation throughout the testing and
implementation phases.
h) Recording all pertinent details regarding the changes; and checking after the
change has been performed that only the intended changes took place.

 New Server MUST be created following the “Server Creation Guidelines” and the Server
creation form must be filled.
 All the Servers must have secured, hardened OS configurations as per operations
management policy.
 Capacity management should be implemented; monitoring, tuning, and evaluating the use
of resources to project and respond to future capacity requirements and ensure required
performance levels.
 System Administrators must use trend information from the capacity management
process to identify and remediate potential bottlenecks that present a threat to system
security or services. System Administrators MUST plan and budget for server capacity
management by.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

a) Monitoring and optimizing servers to detect impending capacity limits; and
projecting future capacity requirements based on:
b) New business and systems requirements,
c) Statistical or historical capacity requirement information, and,
d) Current and expected trends in information processing capabilities (e.g., introduction
of more efficient hardware or software).

 Production, test, and development environments should be separated to reduce the risk of
unauthorized access or changes to the production environment.
 Architecture diagrams MUST illustrate clear separation between development, test,
production environments and operational systems.
 All Windows servers MUST have an anti-malware solution installed and operating, in
line with the Security Standard - Malware Protection.
 McAfee on all the servers MUST be updated consistently for detecting and providing
protection from network and host-based threats
 Pro-Active patch management. All the existing Servers must be upgraded/patched to the
latest version consistently as recommended by vendors to avoid vulnerabilities
 All the security related Server patches must be deployed consistently as recommended by
vendors.
 All logs produced on servers MUST be forwarded to the appropriate centralized log
collection point (Ex: SIEM), in compliance with the Security Standard
 All attempts to change server configurations MUST be logged.
 Any events which involve privilege escalation MUST be logged.
 Actions that modify or create users or groups, or modify the privileges of users or groups
on servers, MUST be logged
 Shutdown and system suspension events on servers MUST be logged
 All the servers MUST be monitored centrally from Foglight Monitoring tool

4.7 Errors, Logging and Auditing

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

4.8 Input and Output Requirements

4.9 Malicious Software

4.10 Data Protection and Privacy

4.11 Business Logic

4.12 API Requirements

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

4.13 Configuration Management

4.14 Third Party Security Management

 The SA team and security team MUST adhere to “Third-party/Supplier security policy” to
facilitate the implementation of the associated controls.
 The SA team and security team MUST monitor third-party Server/System Operations /
Maintenance.
 SA team and Third-Party Service Providers MUST apply servers patches on a regular and
timely basis commensurate with the criticality of the Servers.
 Third-Party responsible for periodic maintenance, MUST make sure that all the servers are
updated to the latest operating system, applied security related patches routinely, firmware
must be upgraded, SSH version on all the servers MUST be upgraded as recommended,
closing any security gap found by VA team.
 The SA team MUST monitor and review the System activities, reports, and records
provided by the third party related to the maintenance services.
 The SA team MUST manage changes to the provision of third-party server activities,
including maintaining and improving existing server security policies, procedures, and
controls.
 The SA team MUST control the installation of software on operational systems make sure
freeware, cracked and malicious software are not installed by third-party.

4.15 Incident Management

 The SA team MUST read and adhere to MOI’s “Incident Management Policy”.
 The SA team MUST response to all the incidents as per Incident Management Policy and
Procedure
 An information security incident is defined as an attempted or successful unauthorized
access, use, disclosure, modification or destruction of information; interference with
information technology operation; or violation of acceptable use policies.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 Server security incidents should be reported through appropriate channels as quickly as
possible. Established procedures should ensure a quick and effective response to all reported
Server security incidents.
 The SA team MUST identify, collect, and preserve the information related to incidence,
which can serve as evidence
 Situations to be considered for Server security event reporting include:
a) Ineffective security controls
b) Breach of information integrity, confidentiality or availability expectations
c) Breach of personal privacy
d) Human errors
e) Non-compliance with policies or guidelines
f) Breaches of physical security arrangements
g) Uncontrolled system changes
h) Malfunctions of software or hardware
i) Access violations
j) An intentional disruption or attack impacting MOI Servers
k) A loss or theft of MOI Server / system / backup asset
l) EPP tools missing on Windows Servers.

 All the fields on Incident forms must be filled with appropriate information, the fields with
not applicable info must be filled as “Not Applicable (N/A)”
 All the incidents related to server security / availability must be filled and reported to “Head
of Information Security”
 Incident response and forensics should be in place to assess how, as who, what was stolen,
what was changed, the extent of access, what could they do with more skills?
 The response should include the following:
a) Collecting evidence as soon as possible after the occurrence
b) Conducting information security forensics analysis, as required
c) Escalation, as required
d) Ensuring that all involved response activities are properly logged for later analysis
e) Communicating the existence of the information security incident or any relevant
details thereof to other internal and external people or organizations with a need-to-
know
f) Dealing with information security weaknesses found to cause or contribute to the
incident; and once the incident has been successfully dealt with, formally closing and
recording it.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 On resolution of Server security incident or weakness, the investigating employee must
prepare a report that includes a detailed problem analysis, actions taken, and
recommendations for corrective action or improvements; and,
 Server security incident reports must be submitted to Branch Manager, and Head of
Information Security Section.
 Knowledge gained from analyzing and resolving information security incidents MUST be
used to reduce the likelihood or impact of future incidents, The SA team MUST
institutionalize the learning from information incidents. Knowledge database must be
maintained based on the incidents with corrective actions taken to resolve the incidents.
 Monitor real-time to take prompt action to lock down accounts when violations occur, or
threats are identified.

4.16 Communication Security

 Make sure all administrative user interfaces related to server administrations are configured
and accessible over secured protocols such as ssh, https etc.
 Encrypt transmissions between servers and clients from eavesdropping using functions or
tools.
 Use secured, updated tools to login servers such as latest SSH clients, etc.
 Physical media “HDD / Flash DISK / USB Disk / Tapes” containing information / data must
be protected during transportation.

4.17 Business Continuity Plan

Business continuity and disaster recovery plans should contain processes and procedures to
ensure the continuity of information security. Recommendations include:

 All the critical Servers must be protected against the Disasters.

 DR Activity Tasks must be documented and accessible to System Administrators to perform
switch-over and fail-over activities.
 Periodic tests must be done on DR Activities to make sure that the “Activity Tasks” are
efficient and reliable during real-time switch-over and fail-over scenarios.
 Documenting and obtaining approval for a plan, response and recovery procedures that
detail how the Operation section will manage a disruptive event and will maintain its Server
availability.
 Developing mitigation steps for Server Availability and security controls that cannot be
maintained during an adverse situation.
 Establishing incident response personnel with necessary responsibility, authority and
competence to manage an incident and maintain information security.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

 Having an adequate management structure in place to prepare for, mitigate and respond to a
disruptive event using personnel with necessary authority, experience and competence.
 BC Plan of server activities must be in sync with the BC Plan for Network Security, DB
Security, Application Security and storage Security.
 All the Servers must be backed up in line with MOI backup policy according to their
criticality.
 Periodic restore of the backups must be performed in test environment to make sure that
backups are reliable.

4.18 Protection of Source code

 An asset register of all virtual assets MUST be maintained and updated as appropriate.
This includes recording:
1. VM creation
2. VM destruction
3. VM modification
 Activities on Virtualization MUST be controlled to prevent unauthorized creation,
destruction, or copying of virtual machines
 All the critical Virtual Machines MUST have disaster recovery and business continuity
plan
 Virtual machines, and virtual machine images/template, including which are not currently
active, MUST be patched as per MOI patch management policy/procedure.
 New virtual Servers MUST be created from pre-configured, system images/template
(VM Images), VM Images/template MUST be hardened in accordance with Server
Security Standard.
 All the live VMs and images MUST be protected from:
1. Unauthorized access
2. Unauthorized modification
3. Unauthorized deletion
4. Unauthorized copying
 VM images/templates MUST be patched or kept up to date same as live systems.
 Access to DS/storage of Virtual Machine Images must be logged
 Changes to virtual deployments MUST be logged and MUST generate alerts.
 Creation, migration, suspension or deletion of Virtual Machines MUST be logged and
MUST generate an alert.

Version1.0 Classification: Restricted

Tel. 02 – 4446688 – Fax 02 – 4443494 – P.O.Box: 398 – Abu Dhabi, U.A.E

www.moi.gov.ae - E-mail: [email protected]

5. Compliance and Enforcement
5.1 Compliance Measurement

Audit Staff will verify compliance to this standard through various methods, including but not
limited to, periodic walk-thru, video monitoring, business tool reports, internal and external
audits, and feedback to the standard owner.

 Periodically conduct a vulnerability scan, considering the latest threats as per “IS
Compliance Policy”
 Selection of Web Applications for scanning, testing, and assessing should occur
according to the schedule
 Before the production launch of a new High or Very High Criticality Web Application
 Before a significant change to a High or Very High criticality production Web
Application.
 If a Web Application is hosted by a third-party provider and/or not hosted on MOI’s
network, an automated or manual test should be performed.
 As directed by an information security review or upon request from the Chief
Information Officer, Information Security Services, or developers of a Web Application
 Logs of privileged account holder (system administrators and system operators) activity
should be securely maintained and appropriately reviewed
 Periodic Checklist related to the System security standards must be filled by System
Administrators prepared by Audit/Compliance Team “System Security Checklist”

5.2 Exceptions

 Any exception to the standard must be approved by Head of Information Security Section
in advance.
 These standards are an absolute requirement. Failure to meet these requirements will
require a formal exemption as detailed below.
 Any exceptions to the application of this standard or where controls cannot be adhered to
must be presented to an assigned Security Engineer and considered for submission to
Head of Information Security Section.
 Such exception requests may invoke the Risk Management process in order to clarify the
potential impact of any deviation to the configuration detailed in this standard.
 Exceptions to this standard MUST be maintained on a risk register for accountability,
traceability and security governance reporting to senior management.

5.3 Non-Compliance