Maintain a Vulnerability Management Program

The following are recommendations and information for the Maintain a Vulnerability Management Program requirements.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 5 is not applicable to the Omni-Gen product line.

Requirement 6: Develop and maintain secure systems and applications

Recommendations and Information for Requirement 6.1

  • Apply the latest Omni-Gen service packs and patches. For the latest service packs and patches, see http://techsupport.ibi.com.
  • Third-party software shipped with Omni-Gen, such as Tomcat, should be updated as recommended by its vendor.
  • Third-party software that Omni-Gen requires but does not ship, such as Java, should be updated as recommended by its vendor.

Recommendations and Information for Requirement 6.3

  • Follow your organization's internal Software Development Life Cycle (SDLC) practices for application development, so that customizations do not introduce new vulnerabilities.
  • Remove any test accounts created during development before the production rollout.
  • Remove any test JARs or scripts used during the development life cycle.
  • If any custom code is used, the client is responsible for reviewing that code for vulnerabilities.

Recommendations and Information for Requirement 6.4

  • Create separate Omni-Gen environments for Development, Performance, Production, and any other required use, so that the environments are isolated from one another and access to each can be controlled. Use a different repository and a different authentication/authorization domain for each environment.
  • Do not develop components directly on the Performance or Production systems. Production should be a code-frozen environment. The only exception is a debug component installed to investigate a production issue that cannot be reproduced in any non-production environment; such debug components are provided by Information Builders as part of support for the production issue.
  • Production data may need to be used in the Test and Performance environments as well as in Production. In such cases, limit access to that data and to those environments. Developers should not have access to production data and should work only with non-production or simulated data.
  • Remove all test accounts and test data from the Production environment.
  • Establish a process for installing service packs and patches across environments, including roll-back procedures, based on the instructions in the Omni-Gen Installation manual and in the Omni-Gen Release Notes for the corresponding patch or service pack.

Recommendations and Information for Requirements 6.5 and 6.6

  • Follow the best practices and guidelines provided by Information Builders for the development and maintenance of the applications.
  • Any public-facing application that exposes parts of the Omni-Gen data should not connect to the live master data repository. It should present data from the generated consumption view layer instead, which minimizes the data exposed and prevents cross-contamination of the master repository.
  • Any custom applications written against the available RESTful APIs are the client's responsibility. The client must perform regular web application vulnerability assessments and/or deploy external firewalls in front of them.
  • The client is responsible for ensuring that all access to the repository is under their full control and that no external application can access this data without proper authentication and authorization.
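To make the consumption-layer and authentication/authorization points above concrete, the following Python script is an added example; it is not code from the Omni-Gen documentation or product, and the table names, columns, token scheme, and file layout are assumptions. A consumption store is generated from a simulated master repository with only the fields a public application may expose (the card number reduced to its last four digits); the public-facing component then opens only that store, read-only, authenticates every caller with a constant-time token comparison, and returns only the record the caller is authorized to see. The sample master records are constructed so the script runs offline.

```python
import hmac
import os
import sqlite3
import tempfile

# Constructed sample master records; the schema is an assumption, not Omni-Gen's.
MASTER_ROWS = [
    (1, "Ada Lovelace", "ada@example.com", "4111111111111111", "2023-01-05"),
    (2, "Alan Turing", "alan@example.com", "5500000000000004", "2023-02-11"),
]


def build_master(path):
    """Create the simulated live master data repository."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE customer_master ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, card_number TEXT, updated TEXT)"
    )
    con.executemany("INSERT INTO customer_master VALUES (?, ?, ?, ?, ?)", MASTER_ROWS)
    con.commit()
    con.close()


def generate_consumption(master_path, consumption_path):
    """Generate the consumption layer from master. Only the columns a public
    application may see are copied, and the card number is reduced to its last
    four digits. This back-end step is the only code that touches master."""
    src = sqlite3.connect(master_path)
    dst = sqlite3.connect(consumption_path)
    dst.execute("CREATE TABLE customer_view (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    rows = src.execute("SELECT id, name, substr(card_number, -4) FROM customer_master").fetchall()
    dst.executemany("INSERT INTO customer_view VALUES (?, ?, ?)", rows)
    dst.commit()
    src.close()
    dst.close()


class PublicApi:
    """Public-facing read path: opens only the consumption store, read-only,
    and never holds a connection to the master repository."""

    def __init__(self, consumption_path, token_owners):
        self.con = sqlite3.connect(f"file:{consumption_path}?mode=ro", uri=True)
        self.token_owners = token_owners  # assumed scheme: token -> customer id it may read

    def authenticate(self, presented):
        owner = None
        for token, customer_id in self.token_owners.items():
            # Constant-time comparison; the loop does not stop at the first match
            if hmac.compare_digest(token.encode(), presented.encode()):
                owner = customer_id
        return owner

    def get_customer(self, presented_token, customer_id):
        owner = self.authenticate(presented_token)
        if owner is None:
            raise PermissionError("unauthenticated")
        if owner != customer_id:
            raise PermissionError("forbidden")  # authorization: own record only
        row = self.con.execute(
            "SELECT id, name, card_last4 FROM customer_view WHERE id = ?", (customer_id,)
        ).fetchone()
        return None if row is None else {"id": row[0], "name": row[1], "card_last4": row[2]}


def demo():
    """Build both stores, exercise the public path, and probe its boundaries."""
    tmp = tempfile.mkdtemp()
    master, consumption = os.path.join(tmp, "master.db"), os.path.join(tmp, "consumption.db")
    build_master(master)
    generate_consumption(master, consumption)
    api = PublicApi(consumption, {"tok-ada-secret": 1})
    result = {"record": api.get_customer("tok-ada-secret", 1)}
    for key, token, cid in (("unauthenticated_rejected", "wrong-token", 1),
                            ("cross_customer_rejected", "tok-ada-secret", 2)):
        try:
            api.get_customer(token, cid)
            result[key] = False
        except PermissionError:
            result[key] = True
    # The public connection has no master table, no card_number column, and
    # no write access, so a compromised public component cannot reach master.
    try:
        api.con.execute("SELECT card_number FROM customer_master")
        result["master_reachable"] = True
    except sqlite3.OperationalError:
        result["master_reachable"] = False
    try:
        api.con.execute("UPDATE customer_view SET name = 'x'")
        result["writable"] = True
    except sqlite3.OperationalError:
        result["writable"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

On a real RDBMS the same separation is expressed as a database role for the public application that is granted SELECT only on the consumption views and no privilege on the master tables; the read-only, view-only connection here plays that role. The external firewall and regular vulnerability assessments the text requires sit in front of such a component; they do not replace its authentication and authorization checks.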