Development Standards
Development standards should be in place to address the responsibilities of application and system programmers. Application programmers are responsible for developing and maintaining end-user applications. System programmers are responsible for developing and maintaining internal and open-source operating system programs that link application programs to system software and subsequently to hardware. Managers should thoroughly understand development and production environments to ensure they appropriately assign programmer responsibilities.
Development standards should prohibit a programmer's access to data, programs, utilities, and systems outside their individual responsibilities (the least-privilege principle applied to development staff). Library controls can be used to manage access to, and the movement of programs between, development, testing, and production environments. Management should also establish standards requiring programmers to document completed programs and test results thoroughly. Appropriate documentation enhances a programmer's ability to correct programming errors and modify production programs.
Coding standards, which address issues such as the selection of programming languages and tools, the layout or format of scripted code, and the naming conventions of code routines and program libraries, are outside the scope of this document.
However, standardized, yet flexible, coding standards enhance an organization's ability to decrease coding defects and increase the security, reliability, and maintainability of application programs. Examiners should evaluate an organization's coding standards and related code review procedures.
Library Controls
Libraries are collections of stored documentation, programs, and data. Program libraries include reusable program routines or modules stored in source or object code formats. Program libraries allow programmers to access frequently used routines and add them to programs without having to rewrite the code. Dynamic link libraries contain executable code and data that larger applications load and run at run time rather than compiling in; because their code executes with the privileges of the loading application, write access to them warrants the same control as production programs.
Library controls should include:

Automated Password Controls – Management should establish logical access controls for all libraries or objects within libraries. Establishing controls on individual objects within libraries can create security administration burdens. However, if similar objects (executable and non-executable routines, test and production data, etc.) are grouped into separate libraries, access can be granted at library levels.

Automated Library Applications – When feasible, management should implement automated library programs, which are available from equipment manufacturers and software vendors. The programs can restrict access at library or object levels and produce reports that identify who accessed a library and what, if any, changes were made.
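The two library controls above (access granted per library rather than per object, and an automated record of who touched a library and what changed) can be modelled in a few dozen lines. The following is an added illustration, not code from the guidance this page excerpts or from any vendor's library product; the libraries DEV/TEST/PROD, the roles, the users and the sample program member are all constructed for the example. Programmers can write only to DEV, only a release role can move members along the DEV-TEST-PROD path, and every access attempt (including denied ones) lands in an audit trail that records a content digest before and after each change.

```python
"""Library-level access control with an audit trail (added example, constructed policy)."""
import hashlib
from dataclasses import dataclass, field

READ, WRITE = "read", "write"

# Library-level ACL: library -> role -> permissions. Granting at library level
# (rather than per object) keeps administration manageable, as the text notes.
ACL = {
    "DEV":  {"app_programmer": {READ, WRITE}, "release_mgr": {READ}, "auditor": {READ}},
    "TEST": {"app_programmer": {READ}, "tester": {READ}, "release_mgr": {READ, WRITE}, "auditor": {READ}},
    "PROD": {"release_mgr": {READ, WRITE}, "auditor": {READ}},  # programmers: no access at all
}

# Only path a member may travel; there is no DEV -> PROD shortcut.
PROMOTION_PATH = {"DEV": "TEST", "TEST": "PROD"}


class AccessDenied(PermissionError):
    pass


@dataclass
class LibraryManager:
    roles: dict                                  # user -> role (constructed directory)
    libs: dict = field(default_factory=lambda: {"DEV": {}, "TEST": {}, "PROD": {}})
    audit: list = field(default_factory=list)    # (user, library, action, member, detail)

    def _check(self, user, lib, perm):
        role = self.roles.get(user)
        if perm not in ACL[lib].get(role, set()):
            # Denied attempts are logged too; they are what an examiner asks about.
            self.audit.append((user, lib, perm, None, "DENIED"))
            raise AccessDenied(f"{user} ({role}) may not {perm} {lib}")

    @staticmethod
    def _digest(source):
        return hashlib.sha256(source.encode()).hexdigest()[:12]

    def store(self, user, lib, member, source):
        """Write a member into a library, recording the before/after digest."""
        self._check(user, lib, WRITE)
        old = self.libs[lib].get(member)
        self.libs[lib][member] = source
        before = self._digest(old) if old is not None else "-"
        self.audit.append((user, lib, WRITE, member, f"{before}->{self._digest(source)}"))

    def fetch(self, user, lib, member):
        self._check(user, lib, READ)
        self.audit.append((user, lib, READ, member, "ok"))
        return self.libs[lib][member]

    def promote(self, user, member, src_lib):
        """Copy a member one step along DEV->TEST->PROD.

        Needs READ on the source and WRITE on the target, so a programmer
        cannot move their own code past DEV.
        """
        dst = PROMOTION_PATH[src_lib]
        self.store(user, dst, member, self.fetch(user, src_lib, member))
        return dst

    def report(self, lib=None):
        """The 'who accessed what, and what changed' report the text describes."""
        return [e for e in self.audit if lib is None or e[1] == lib]


def run_demo():
    """Constructed scenario: one program member moving from DEV to PROD."""
    mgr = LibraryManager(roles={"alice": "app_programmer", "bob": "release_mgr", "carol": "auditor"})
    denied = []
    mgr.store("alice", "DEV", "PAYCALC", "def pay(h, r): return h * r\n")
    try:
        mgr.promote("alice", "PAYCALC", "DEV")       # programmer lacks WRITE on TEST
    except AccessDenied as e:
        denied.append(str(e))
    mgr.promote("bob", "PAYCALC", "DEV")             # DEV  -> TEST by release manager
    mgr.promote("bob", "PAYCALC", "TEST")            # TEST -> PROD by release manager
    try:
        mgr.fetch("alice", "PROD", "PAYCALC")        # programmer locked out of production
    except AccessDenied as e:
        denied.append(str(e))
    return mgr, denied


if __name__ == "__main__":
    manager, refusals = run_demo()
    for entry in manager.report():
        print(entry)
    print("refused:", refusals)
```

The digest column is what makes the PROD report useful to an examiner: an entry reading `-->a1b2...` is a first installation, while a changed digest on an existing member is a modification that should match an approved change record. Real library products (mainframe SCM tools, artifact repositories) implement the same three ideas with more machinery: library-scoped permissions, a fixed promotion path, and a tamper-evident log of every access.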