Sample System Development Life Cycle Standard:
Document History
Version | Date | Revised By | Description |
1.0 | 1 January 2010 <Current date> | Michael D. Peters <Owners's name> | This version replaces any prior version. |
Document Certification
Description | Date Parameters |
Designated document recertification cycle in days: | 30 - 90 - 180 - 365 <Select cycle> |
Next document recertification date: | 1 January 2011 <Date> |
Sample System Development Life Cycle Standard
The <Your Company Name> (the "Company") Sample Asset Management Policy defines objectives for establishing specific standards for properly managing the Company Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit information assets.
This System Development Life Cycle Standard builds on the objectives established in the Sample Asset Management Policy, and provides specific instructions and requirements for the development of secure enterprise-wide Company systems.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
System Development Life Cycle refers to the process of securely developing systems through several sequential phases, including requirement analysis, architecture and design, development, testing, deployment, operations/maintenance, and retirement.
Information assets are defined in the Sample Asset Identification and Classification Policy.
II. Requirements
A. General
- 1. The requirements of this standard apply, in their entirety, to enterprise-wide systems and applications developed by the Company or on behalf of the Company for production implementation.
- 1. The requirements of this standard apply, in their entirety, to enterprise-wide systems and applications developed by the Company or on behalf of the Company for production implementation.
- 2. The Company System Development Life Cycle (SDLC) process shall include the following phases:
- 2. The Company System Development Life Cycle (SDLC) process shall include the following phases:
- Requirements Analysis
- Architecture and Design
- Development
- Testing
- Deployment/Implementation
- Operations/Maintenance
- Retirement
- Requirements Analysis
B. Requirements Analysis Phase
- 1. The following tasks shall be performed during the Requirement Analysis Phase:
- 1. The following tasks shall be performed during the Requirement Analysis Phase:
- A. Analyze business requirements.
- A. Analyze business requirements.
- B. Perform risk assessment:
- B. Perform risk assessment:
- Evaluate security risks and consequences.
- Perform information asset value analysis.
- Discuss potential threats.
- Analyze potentially malicious or harmful activities.
- Analyze high-level vulnerabilities.
- Evaluate security risks and consequences.
- C. Discuss security goals (e.g., confidentiality, integrity, availability.).
- C. Discuss security goals (e.g., confidentiality, integrity, availability.).
- D. Review regulatory requirements and Company policies, standards, procedures, and guidelines.
- D. Review regulatory requirements and Company policies, standards, procedures, and guidelines.
- E. Review future business goals.
- E. Review future business goals.
- F. Discuss business and Information Technology operations.
- F. Discuss business and Information Technology operations.
- G. Incorporate program management items, including:
- G. Incorporate program management items, including:
- Profile system users.
- Understand customer partner interface requirements (e.g., business-level, network.)
- Discuss project timeframe.
- Profile system users.
- H. Develop prioritized security solution requirements.
- H. Develop prioritized security solution requirements.
- I. Decide cost and budget constraints for security solution (e.g., development and operations).
- I. Decide cost and budget constraints for security solution (e.g., development and operations).
- J. Approve security requirements and budget.
- J. Approve security requirements and budget.
- K. Make buy vs. build decisions for security services.
- K. Make buy vs. build decisions for security services.
C. Architecture and Design Phase
- 1. The following tasks shall be performed during the Architecture and Design Phase:
- 1. The following tasks shall be performed during the Architecture and Design Phase:
- A. Educate development teams on how to create a secure system.
- A. Educate development teams on how to create a secure system.
- B. Develop and/or refine infrastructure security architecture.
- B. Develop and/or refine infrastructure security architecture.
- C. Develop high-level application security architecture.
- C. Develop high-level application security architecture.
- D. List technical and non-technical security controls.
- D. List technical and non-technical security controls.
- E. Perform architecture walkthrough.
- E. Perform architecture walkthrough.
- F. Create system-level security design.
- F. Create system-level security design.
- G. Create high-level non-technical and integrated technical security design.
- G. Create high-level non-technical and integrated technical security design.
- H. Perform cost/benefit analysis for various design components.
- H. Perform cost/benefit analysis for various design components.
- I. Document the detailed technical security design.
- I. Document the detailed technical security design.
- J. Perform design review including:
- J. Perform design review including:
- Technical review at the application level
- Technical review at the infrastructure level
- Review of high-level processes
- Technical review at the application level
- K. Describe detailed security processes and procedures.
- K. Describe detailed security processes and procedures.
- L. Design initial end-user training and awareness programs.
- L. Design initial end-user training and awareness programs.
- M. Design general security test plan.
- M. Design general security test plan.
- N. Update Company policies, standards, and procedures, if appropriate.
- N. Update Company policies, standards, and procedures, if appropriate.
- O. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
- O. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
- P. Design and establish separate Development and Test environments.
- P. Design and establish separate Development and Test environments.
D. Development Phase
- 1. The following tasks shall be performed during the Development Phase:
- 1. The following tasks shall be performed during the Development Phase:
- A. Set up secure development environment (e.g., servers, media storage.).
- A. Set up secure development environment (e.g., servers, media storage.).
- B. Train infrastructure teams on installation and configuration of the software.
- B. Train infrastructure teams on installation and configuration of the software.
- C. Code application-level security components.
- C. Code application-level security components.
- D. Install, configure, and integrate the test infrastructure.
- D. Install, configure, and integrate the test infrastructure.
- E. Set up security-related vulnerability tracking process.
- E. Set up security-related vulnerability tracking process.
- F. Develop detailed security test plan for current and future versions (e.g. regression testing).
- F. Develop detailed security test plan for current and future versions (e.g. regression testing).
- G. Conduct unit testing and integration testing.
- G. Conduct unit testing and integration testing.
E. Testing
- 1. The following tasks shall be performed during the Testing Phase:
- 1. The following tasks shall be performed during the Testing Phase:
- A. Perform code review.
- A. Perform code review.
- B. Test the configuration procedures.
- B. Test the configuration procedures.
- C. Perform system tests.
- C. Perform system tests.
- D. Conduct performance and load tests with security controls enabled.
- D. Conduct performance and load tests with security controls enabled.
- E. Perform usability testing of applications with security controls.
- E. Perform usability testing of applications with security controls.
- F. Conduct independent vulnerability assessment of the system, including the infrastructure and application.
- F. Conduct independent vulnerability assessment of the system, including the infrastructure and application.
F. Deployment Phase
- 1. The following tasks shall be performed during the Deployment Phase:
- 1. The following tasks shall be performed during the Deployment Phase:
- A. Conduct pilot deployment of infrastructure, application, etc.
- A. Conduct pilot deployment of infrastructure, application, etc.
- B. Conduct transition between pilot and full-scale deployment.
- B. Conduct transition between pilot and full-scale deployment.
- C. Perform integrity checking on system files to ensure authenticity.
- C. Perform integrity checking on system files to ensure authenticity.
- D. Deploy training and awareness program to train administrative personnel and users in the system's security functions.
- D. Deploy training and awareness program to train administrative personnel and users in the system's security functions.
- E. Conduct full-scale deployment in production environment.
- E. Conduct full-scale deployment in production environment.
G. Operations/Maintenance Phase
- 1. Routine security operation, administration, and maintenance of systems in the Company production environment must comply with the Sample Life Cycle Management Standard.
- 1. Routine security operation, administration, and maintenance of systems in the Company production environment must comply with the Sample Life Cycle Management Standard.
H. Retirement Phase
- 1. The following tasks shall be performed to retire enterprise-wide systems and applications developed by the Company or on behalf of the Company from the production environment:
- 1. The following tasks shall be performed to retire enterprise-wide systems and applications developed by the Company or on behalf of the Company from the production environment:
- A. Conduct unit testing and integration testing on the system after component removal.
- A. Conduct unit testing and integration testing on the system after component removal.
- B. Conduct operational transition for component removal/replacement.
- B. Conduct operational transition for component removal/replacement.
- C. Determine data retention requirements for application software and systems data.
- C. Determine data retention requirements for application software and systems data.
- D. Document the detailed technical security design.
- D. Document the detailed technical security design.
- E. Update Company policies, standards, and procedures, if appropriate.
- E. Update Company policies, standards, and procedures, if appropriate.
- F. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
- F. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
- 2. Disposal of system components must comply with the Sample Life Cycle Management Standard.
- 2. Disposal of system components must comply with the Sample Life Cycle Management Standard.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the System Development Life Cycle Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the System Development Life Cycle Standard.
Company management, including senior management and department managers, is accountable for ensuring that the System Development Life Cycle Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the System Development Life Cycle Standard.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for: defining processes and procedures that are consistent with the System Development Life Cycle Standard; ensuring cost-effective requirements and controls are defined and implemented; securing the required approval for hardware and software, including procurement, implementation, operation, and maintenance costs; and ensuring compliance with applicable laws, regulations, and Company policies, standards, and guidelines.
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for: providing a secure processing environment that protects the confidentiality, integrity, and availability of information; proving routine system operation and administration; ensuring hardware and software are configured to meet system requirements and are in accordance with established Company protection standards; ensuring changes to hardware and software in the production environment are made in accordance with the Sample Change Control Standard; supporting accreditation efforts for sensitive systems; and cooperating with the Information Security Department and/or the Audit Department in operational assurance efforts.
Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing and complying with the System Development Life Cycle Standard and associated guidelines; following Company-approved processes and procedures for the life cycle management of hardware and software, including acquisition and disposal; and maintaining the confidentiality, integrity and availability of information accessed consistent with the Owner's approved safeguards while under the User's control.
IV. Enforcement and Exception Handling
Failure to comply with the System Development Life Cycle Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the System Development Life Cycle Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the System Development Life Cycle Standard.
V. Review and Revision
The System Development Life Cycle Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer