Software Security Policy
Software is widely used by Externis to process, manipulate and store data owned by Externis. It is essential that all software meets minimum security standards to ensure the integrity and security of Externis data.
This policy applies to all Externis employees or third parties who purchase or develop software that is used on the Externis network or installed on any device connected to the Externis network or used to collect, store or process Externis data. This policy applies to all software purchased with private resources as well as Externis funds.
Particular care should be taken when purchasing or developing a major system that is to be used to process or store Externis data.
The responsibility for ensuring that software meets security requirements falls to the individual or group purchasing, installing and configuring the product.
Where an individual does not have the required expertise to ensure that the product meets requirements, advice should be sought from IT Services.
Approval by IT Services
All Externis users should note that proposals for new or replacement information systems are subject to approval by IT Services.
Software Security Standards
All software must comply with the following standards:
- All software must protect Externis and personal information from unauthorized disclosure (confidentiality and privacy).
- All software must protect Externis and personal information from unauthorized modification (integrity).
- All software must protect Externis and personal information and processing services from disruption and destruction (availability).
- All software must contain controls that can ensure that individuals can be held responsible for their actions (accountability and non-repudiation).
Purchasing Software
Any employee or third party purchasing software to be used on the Externis network or to process data owned by Externis must ensure that:
- The software meets minimum standards as detailed in this policy.
- The software is tested to ensure that the security criteria as defined in this policy are met.
- The software is configured correctly and securely and that all relevant security features are enabled.
- The software meets licensing criteria as detailed in this policy document.
- Provision is made for ongoing maintenance of the software, either by the manufacturer or by a dedicated system administrator.
- Physical or logical access is only given to vendors for support purposes when necessary, and only approved secure methods of access are used (IT Services can advise on suitable methods). The vendor must sign a third-party access form, and the vendor's activities must be monitored and logged.
Purchasing/Using Cloud software systems
- Cloud computing is a method of delivering Information and Communication Technology (ICT) services where the customer pays to use, rather than necessarily own, the resources. These services are typically provided by third parties using Internet technologies.
- The processes involved in procuring and evaluating cloud services can be complex and subject to legal, ethical and policy compliance requirements. These requirements must be evaluated and met prior to signing up to and using cloud services. This is essential to ensure that personal, sensitive and confidential business data and information owned, controlled or processed by Externis is adequately protected at all times. The service must be selected to ensure that the data and information is secure and that an adequate backup and recovery plan is in place to ensure that data and information can be retrieved to meet business needs. For more critical systems, the service should be built with high availability, again to meet business needs.
All procurement of cloud services is subject to the Externis Cloud Policy, copies of which can be obtained from IT Services.
Software Development
Any employee or third party developing software to be used on the Externis network or to process data owned by Externis must ensure that:
- The software meets minimum standards as detailed in this policy document.
- The software is tested in a professional manner to ensure that all security controls are effective. Documentation supporting this must be made available to IT Services on request.
- Software development and testing are carried out in an environment separate from the live environment.
- Adequate controls are in place over any test data used in the testing process.
- Provision is made for ongoing maintenance of the software.
Externis Data
Any employee or third party purchasing or developing software for gathering, processing or storing sensitive Externis information, such as financial data, sensitive business data, research data or personal data relating to individuals, must ensure:
- That the software meets the criteria as defined in this document.
- That they are able to provide documentation of the security controls in place.
- That they are able to provide, on request from IT Services, evidence of the effectiveness of those controls gained through proper testing exercises.
- That, where sensitive data is to be stored in electronic format, Externis has insurance to cover any incident, such as theft of the data, which may occur while the data is stored electronically.
Username and Password Authentication
Packages which use username and password authentication must conform to the Externis Password Policy.
Change Control
To minimize the corruption of information systems, there should be strict control over the implementation of changes to software installations.
Where appropriate, formal change control procedures should be enforced to ensure that security procedures are not compromised and that formal agreement and approval for any change is obtained. This should include:
- Authorization of request for change.
- Risk assessment of change.
- User Acceptance Testing.
- Relevant management sign-off.
- Information Security sign-off.
- Rollback procedures in the event that the promotion fails.
- Documentation of the above.
Encryption
- If sensitive data is to be transmitted over any external communication network, it must be sent in secured/encrypted form.
- It may also be appropriate to use encryption where sensitive data is transmitted internally across the Externis network. In this case a risk assessment should be carried out to determine whether a cryptographic control is appropriate.
- If sensitive data is to be transported on portable media (USB devices, etc.), it must be in encrypted form.
- If encryption is used, the information protected with encryption must be transmitted over a different communication channel than the keys used to govern the encryption process.
- The owner(s) of data protected via encryption must explicitly assign responsibility for the encryption key management to be used to protect this data.
Software Installation, Configuration and Updates
End users must ensure that they install and configure all software to a secure baseline standard. End users must also ensure that they install any updates or security patches that are available for the operating system software, application software or databases installed on devices connected to the Externis network or used to process or store Externis data.
IT Services must ensure that they install and configure all software in a secure manner and that they install all updates or security patches on operating systems, applications, databases and any other software which they purchase, develop or administer.
Licensing
IT Services and individuals are responsible for maintaining records of software licenses for all software that they acquire.
Software that is acquired on a trial basis must be used in accordance with the vendor’s copyright instructions.
Copyright
Copyright stipulations governing vendor-supplied software must be observed at all times.
All software developed within Externis is the property of Externis and should not be copied or distributed without prior written authorization.
Breach of Policy
Where software is found to be in breach of this policy and there is reason to believe that Externis information is at risk as a result, the Director of IT Services may have the software system/application withdrawn from live operation.