Operations and Maintenance
During this stage, the software is in production and operating. Continuous enhancements or modifications to the system are developed, tested and implemented to keep the software operating optimally. Security activities that should be carried out continuously in this stage include:
- Security controls reviews [Mandatory] - Regular reviews of both general and technical security controls should be conducted to determine whether the controls in place remain effective over time, as the system and its threat environment change.
- Change management [Mandatory] - Changes to the software should follow a formal change management process that includes approval and testing of each change, to prevent unintended consequences for the security baseline and to reduce the security risk introduced by changes to the system.
- Configuration management [Mandatory] - Changes to system configuration should be controlled and recorded so that the security baseline of the system remains intact and effective.
- Ongoing penetration and vulnerability testing [Mandatory] - Penetration tests and vulnerability assessments should be performed regularly to determine the current security state of the system, since new vulnerabilities are discovered and the system changes over time.
- Security updates [Mandatory] - Security patches and updates should be applied regularly and promptly to address known vulnerabilities.
- Incident response plan [Mandatory] - An incident response plan for handling security breaches effectively should be defined and communicated to the staff who will carry it out.
- Ongoing security awareness and training [Mandatory] - Staff should be provided with regular security awareness training and communications.
Outputs
- Updated threat and risk assessment
- Security audit reports
- Penetration testing and vulnerability assessment reports