Tapsys Security Controls Review Process

This document outlines Tapsys's Security Controls Review Process. It defines the objective as clearly stating mandatory steps for security reviews. The process applies to all Tapsys software and addresses PCI Secure SLC controls. It details 6 steps: 1) scheduling biannual reviews, 2) requesting asset details, 3) sharing information, 4) performing compliance checks, 5) writing a report, and 6) reviewing the report. The Application Security Team leads the process with oversight from the Application Security Governance Group.

Uploaded by sohaib siddique

Security Controls Review Process

Document Name: Security Controls Review Process
Version: 1.0
Creation Date: 10th August 2021
Last Modification Date: 10th August 2021

This document and the information contained herein are confidential. Without Tapsys’s prior written permission, this document, either in whole or in part, may not be reproduced in any form or by any means or disclosed to others.

PROPRIETARY & CONFIDENTIAL
THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR TAPSYS’S INTERNAL DISTRIBUTION ONLY.
NOT TO BE COPIED OR DISTRIBUTED
REVISION HISTORY

| Date | Version | Prepared By | Reviewed By | Version Summary | Approved By |
|---|---|---|---|---|---|
| 10th August 2021 | 1.0 | Moosa Aslam | | Initial Draft | |

SECURITY CONTROLS REVIEW PROCESS

1. INTRODUCTION
The software created, distributed, and used by Tapsys is among its most valuable assets. A compromise of
these assets could severely impact the reputation and revenues of the organization. In addition, effectively
securing software applications and related artifacts is essential to ensure the privacy of the underlying data in
accordance with applicable regulations.

This document is created in accordance with the Software Security Policy of Tapsys to provide details on the
Security Controls Review Process.

1.1. OBJECTIVE
The objective of this process is to clearly state a set of mandatory steps for Security Controls Review that should
be executed by Tapsys’s Application Security Team.

1.2. SCOPE
This process shall apply uniformly to all software products developed by Tapsys.

1.3. AREAS OF THE STANDARD ADDRESSED
This document addresses the following sections of the PCI Secure SLC standard (2019):

• Control Objective 3

1.4. OWNERSHIP
The Software Security team owns the process; any queries or issues arising from the interpretation of this document
will be addressed by the members of the team.

1.5. PERIODIC REVIEW
The process will be reviewed every calendar year for its continued suitability and adequacy, taking into account
changes in the technical, operational, and legal environment. Any change(s) shall be formally incorporated into
the process following approval from the Application Security Lead.

1.6. PROCESS MAINTENANCE
The Application Security team is responsible for managing the Application Security Controls Review Process.
This task includes review of the process (as discussed in the ‘Periodic Review’ section), updating the process to
reflect amendments, and communication to the stakeholders.

In case of any changes, the Application Security team will initiate the change and the revision history will be
maintained. The Application Security Governance Group (ASGG) will review the process and grant formal
approval. The newly approved process will be distributed to authorized stakeholders.

1.7. RESPONSIBILITY
The following responsibilities apply for the application of this process.

• The Application Security Team Lead is the point of contact, providing support and advice for implementation.
• The ASGG will review, approve, and improve (if required) this process.

1.8. EXCEPTIONS
Exceptions to the requirements of this process are the responsibility of the ASGG. Where exceptions are made,
changes will be managed by the ASGG and will be reported accordingly.

1.9. ENFORCEMENT
Enforcement of this process is the responsibility of the Application Security Governance Group (ASGG).

2. DETAILED STEPS OF THE PROCESS
The following steps shall be followed to ensure that security control reviews are appropriately carried out and
recorded every six months:

| Steps | Description | Responsible Group/Personnel |
|---|---|---|
| Step-1: Schedule Security Controls Review | Tapsys’s Application Security Lead will schedule the security controls review during the year (once every six months). | Application Security Lead |
| Step-2: Request for Information | One week before the review, Tapsys’s Application Security Lead will request the Asset Owners to share the details of the security controls implemented. | Application Security Lead |
| Step-3: Information Sharing | Following the request from the Application Security Lead, the Asset Owners will share the required details. | Asset Owners |
| Step-4: Perform Review | Tapsys’s Application Security Lead will perform a review by checking the following: compliance with Security Hardening; compliance with Security Policies; compliance with Security Procedures; firewall rules; access management; compliance with the Physical Hardening Standard; software installed. Note: the review will be performed on a sample of selected controls. | Application Security Lead |
| Step-5: Write a Review Report | Tapsys’s Application Security Lead must document the results of the review in a report. The report must have a sub-section per asset and include the findings (if any) and recommended actions (if any) per asset. The final report must be shared with the leadership and other stakeholders. | Application Security Lead |
| Step-6: Review and Approve Report for Action | Tapsys’s Application Security Governance Group (ASGG) must review the report and approve the recommended actions. If any of the proposed recommendations are not appropriate, further clarification shall be sought by the Application Security Lead to reach an agreement. | ASGG |
| Step-7: Remediation | The Asset Owner will review the report and perform the recommended actions. The Asset Owner will submit the compliance status after implementation of the recommended controls. | Asset Owner |

Note: The output / results of the security controls review can serve as an input to the Risk Assessment Exercise.

3. AUTHORITY
This process has been authorized by Tapsys’s Application Security Governance Group and is
effective within the approval dates detailed on the front page of this document.
