Define Development Standards and Library Controls

Development Standards

Development standards should be in place to address the responsibilities of application and system programmers. Application programmers are responsible for developing and maintaining end-user applications. System programmers are responsible for developing and maintaining internal and open-source operating system programs that link application programs to system software and subsequently to hardware. Managers should thoroughly understand development and production environments to ensure they appropriately assign programmer responsibilities.

Development standards should prohibit a programmer’s access to data, programs, utilities, and systems outside their individual responsibilities. Library controls can be used to manage access to, and the movement of programs between, development, testing, and production environments. Management should also establish standards requiring programmers to document completed programs and test results thoroughly. Appropriate documentation enhances a programmer’s ability to correct programming errors and modify production programs.

Coding standards, which address issues such as the selection of programming languages and tools, the layout or format of scripted code, and the naming conventions of code routines and program libraries, are outside the scope of this document.

However, standardized, yet flexible, coding standards enhance an organization’s ability to decrease coding defects and increase the security, reliability, and maintainability of application programs. Examiners should evaluate an organization’s coding standards and related code review procedures.

Library Controls

Libraries are collections of stored documentation, programs, and data. Program libraries include reusable program routines or modules stored in source or object code formats. Program libraries allow programmers to access frequently used routines and add them to programs without having to rewrite the code. Dynamic link libraries include executable code programs that can automatically run as part of larger applications.

Library controls should include Automated Password Controls – Management should establish logical access controls for all libraries or objects within libraries. Establishing controls on individual objects within libraries can create security administration burdens. However, if similar objects (executable and non-executable routines, test and production data, etc.) are grouped into separate libraries, access can be granted at library levels.

Automated Library Applications – When feasible, management should implement automated library programs, which are available from equipment manufacturers and software vendors. The programs can restrict access at library or object levels and produce reports that identify who accessed a library and what, if any, changes were made.