Sample System Development Life Cycle Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.

Document History

Version: 1.0
Date: 1 January 2010 <Current date>
Revised By: Michael D. Peters <Owner's name>
Description: This version replaces any prior version.


Document Certification

Designated document recertification cycle in days: 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date: 1 January 2011 <Date>


Sample System Development Life Cycle Standard


The <Your Company Name> (the "Company") Sample Asset Management Policy defines objectives for establishing specific standards for properly managing the Company Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit information assets.

This System Development Life Cycle Standard builds on the objectives established in the Sample Asset Management Policy, and provides specific instructions and requirements for the development of secure enterprise-wide Company systems.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

System Development Life Cycle refers to the process of securely developing systems through several sequential phases, including requirement analysis, architecture and design, development, testing, deployment, operations/maintenance, and retirement.

Information assets are defined in the Sample Asset Identification and Classification Policy.

II. Requirements


A. General

1. The requirements of this standard apply, in their entirety, to enterprise-wide systems and applications developed by the Company or on behalf of the Company for production implementation.


2. The Company System Development Life Cycle (SDLC) process shall include the following phases:


  • Requirements Analysis
  • Architecture and Design
  • Development
  • Testing
  • Deployment/Implementation
  • Operations/Maintenance
  • Retirement


B. Requirements Analysis Phase

1. The following tasks shall be performed during the Requirement Analysis Phase:


A. Analyze business requirements.


B. Perform risk assessment:


  • Evaluate security risks and consequences.
  • Perform information asset value analysis.
  • Discuss potential threats.
  • Analyze potentially malicious or harmful activities.
  • Analyze high-level vulnerabilities.


C. Discuss security goals (e.g., confidentiality, integrity, availability).


D. Review regulatory requirements and Company policies, standards, procedures, and guidelines.


E. Review future business goals.


F. Discuss business and Information Technology operations.


G. Incorporate program management items, including:


  • Profile system users.
  • Understand customer partner interface requirements (e.g., business-level, network).
  • Discuss project timeframe.


H. Develop prioritized security solution requirements.


I. Decide cost and budget constraints for security solution (e.g., development and operations).


J. Approve security requirements and budget.


K. Make buy vs. build decisions for security services.


C. Architecture and Design Phase

1. The following tasks shall be performed during the Architecture and Design Phase:


A. Educate development teams on how to create a secure system.


B. Develop and/or refine infrastructure security architecture.


C. Develop high-level application security architecture.


D. List technical and non-technical security controls.


E. Perform architecture walkthrough.


F. Create system-level security design.


G. Create high-level non-technical and integrated technical security design.


H. Perform cost/benefit analysis for various design components.


I. Document the detailed technical security design.


J. Perform design review including:


  • Technical review at the application level
  • Technical review at the infrastructure level
  • Review of high-level processes


K. Describe detailed security processes and procedures.


L. Design initial end-user training and awareness programs.


M. Design general security test plan.


N. Update Company policies, standards, and procedures, if appropriate.


O. Assess and document how to mitigate residual application and infrastructure vulnerabilities.


P. Design and establish separate Development and Test environments.


D. Development Phase

1. The following tasks shall be performed during the Development Phase:


A. Set up a secure development environment (e.g., servers, media storage).


B. Train infrastructure teams on installation and configuration of the software.


C. Code application-level security components.


D. Install, configure, and integrate the test infrastructure.


E. Set up security-related vulnerability tracking process.


F. Develop a detailed security test plan for current and future versions (e.g., regression testing).


G. Conduct unit testing and integration testing.


E. Testing

1. The following tasks shall be performed during the Testing Phase:


A. Perform code review.


B. Test the configuration procedures.


C. Perform system tests.


D. Conduct performance and load tests with security controls enabled.


E. Perform usability testing of applications with security controls.


F. Conduct independent vulnerability assessment of the system, including the infrastructure and application.


F. Deployment Phase

1. The following tasks shall be performed during the Deployment Phase:


A. Conduct pilot deployment of infrastructure, application, etc.


B. Conduct transition between pilot and full-scale deployment.


C. Perform integrity checking on system files to ensure authenticity.


D. Deploy training and awareness program to train administrative personnel and users in the system's security functions.


E. Conduct full-scale deployment in production environment.


G. Operations/Maintenance Phase

1. Routine security operation, administration, and maintenance of systems in the Company production environment must comply with the Sample Life Cycle Management Standard.


H. Retirement Phase

1. The following tasks shall be performed to retire enterprise-wide systems and applications developed by the Company or on behalf of the Company from the production environment:


A. Conduct unit testing and integration testing on the system after component removal.


B. Conduct operational transition for component removal/replacement.


C. Determine data retention requirements for application software and systems data.


D. Document the detailed technical security design.


E. Update Company policies, standards, and procedures, if appropriate.


F. Assess and document how to mitigate residual application and infrastructure vulnerabilities.


2. Disposal of system components must comply with the Sample Life Cycle Management Standard.


III. Responsibilities


The Chief Information Security Officer (CISO) approves the System Development Life Cycle Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the System Development Life Cycle Standard.

Company management, including senior management and department managers, is accountable for ensuring that the System Development Life Cycle Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the System Development Life Cycle Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for: defining processes and procedures that are consistent with the System Development Life Cycle Standard; ensuring cost-effective requirements and controls are defined and implemented; securing the required approval for hardware and software, including procurement, implementation, operation, and maintenance costs; and ensuring compliance with applicable laws, regulations, and Company policies, standards, and guidelines.

Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for: providing a secure processing environment that protects the confidentiality, integrity, and availability of information; providing routine system operation and administration; ensuring hardware and software are configured to meet system requirements and are in accordance with established Company protection standards; ensuring changes to hardware and software in the production environment are made in accordance with the Sample Change Control Standard; supporting accreditation efforts for sensitive systems; and cooperating with the Information Security Department and/or the Audit Department in operational assurance efforts.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with, and complying with, the System Development Life Cycle Standard and associated guidelines; following Company-approved processes and procedures for the life cycle management of hardware and software, including acquisition and disposal; and maintaining the confidentiality, integrity, and availability of information accessed, consistent with the Owner's approved safeguards, while it is under the User's control.

IV. Enforcement and Exception Handling


Failure to comply with the System Development Life Cycle Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the System Development Life Cycle Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the System Development Life Cycle Standard.

V. Review and Revision


The System Development Life Cycle Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer