ISO/IEC 27001 Control 8.26: Application security requirements

Control

Information security requirements should be identified, specified and approved when developing or acquiring applications.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint provides numerous features for addressing common application security requirements.

Implementation Details

First and foremost, application security requirements should be processed with regard to identity governance and administration (IGA) practices. While the level of trust in the identity of entities, classification levels, access rights, privacy protection and other cybersecurity aspects are conceptually specified in security policies, the practical implementation of such concepts heavily depends on details implemented in the IGA platform. New applications have to adapt to the existing IGA framework, or they need to be integrated into it. Applications have to expose identity-related information using an open interface, which can be accessed by an appropriate identity connector. Identity attributes, as well as the entire identity lifecycle, have to be mapped to the common identity data model of the organization. Application entitlements need to be integrated into the overall access control model of the organization.

Rationale

The control asks that all information security requirements are both identified and addressed. While midPoint cannot help with the identification of information security requirements, it is an essential component for addressing many of the requirements. Small organizations can create an identity governance framework with just a directory and manual processes. However, an identity governance and administration (IGA) platform is necessary to satisfy application security requirements in most medium and large organizations.
