Chapter 7. Software Deployment, Operations, and Maintenance

All secure software life cycle activities are driven by the risk management process according to the criticality and sensitivity of information assets.

This chapter stresses the importance of maintaining information assurance during installation, deployment, operation, maintenance, and disposal of secure software systems.

After an organization conducts the activities recommended in this chapter, it should document the specific procedures, practices, and lessons learned in a knowledge base called the Standard Operating Procedures (SOP). Operations and maintenance staff and tiered help desks use the SOP to ensure a common approach and a service level commensurate with the criticality of the system and the sensitivity of the data.

Installation and Deployment

All software, including software that is retrieved by download, should first be installed in a staging (test) environment, separate from development, which duplicates the production (target) environment.

The installation should follow documented procedures that describe how to secure the software against threats, such as attacks and exploits, that could be encountered in the production environment. For example, the installation instructions should describe the purpose and identify the location of all software configuration files and provide instructions to modify configuration parameters so they are as restrictive as possible.
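As an added illustration (not from the book), one way to check a staged install against what the installation instructions document: every configuration file has a stated purpose, exists at the documented location, is not writable by group or other, and carries the restrictive values of the baseline. The manifest format, file names, and parameter names are hypothetical, and the sample configuration is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

def parse_kv(text):
    """Parse key=value lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(manifest):
    """Compare each documented config file with its restrictive baseline."""
    findings = []
    for entry in manifest:
        path = Path(entry["path"])
        if not entry.get("purpose"):
            findings.append(f"{path}: purpose not documented")
        if not path.is_file():
            findings.append(f"{path}: documented file is missing")
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group/other (mode {mode:03o})")
        actual = parse_kv(path.read_text())
        for key, required in entry["required"].items():
            if actual.get(key) != required:  # missing keys count as deviations
                findings.append(f"{path}: {key}={actual.get(key)!r}, baseline {required!r}")
    return findings

def demo():
    """Run the audit on a constructed staging directory."""
    with tempfile.TemporaryDirectory() as staging:
        conf = Path(staging) / "app.conf"  # hypothetical file name
        conf.write_text("# constructed sample\ndebug = true\nlisten_address = 127.0.0.1\n")
        os.chmod(conf, 0o666)  # deliberately too permissive
        manifest = [  # hypothetical manifest format
            {"path": str(conf), "purpose": "service settings",
             "required": {"debug": "false", "listen_address": "127.0.0.1", "admin_console": "disabled"}},
            {"path": str(Path(staging) / "tls.conf"), "purpose": "", "required": {}},
        ]
        return audit(manifest)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run in staging before promotion, an empty findings list means the install matches the documented baseline.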

Ideally, the software should be preconfigured by the ...
