Application design and implementation

UCF ID: 00989

Control Type: IT Impact Zone

Status: Live

Supporting and supported controls

This is a top level control.

This control has the following supporting controls:

Establish and maintain a project management framework. [UCF Control ID 00990]

Establish and maintain systems design principles, guidelines, and lifecycle documentation. [UCF Control ID 01057]

Establish and maintain application and systems software in accordance with design specifications and standards. [UCF Control ID 01094]

Perform quality assurance testing on all newly developed or modified systems and software. [UCF Control ID 01100]

Establish and maintain a systems implementation plan. [UCF Control ID 01111]

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 1.2.4; Protection of Assets Manual, ASIS International, Pg 12-IV-17; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SA-3; The Standard of Good Practice for Information Security, SM2.2.3(b), SM2.2.3(c), SM4.1.4, SM4.1.6, NW1.2.1

NIST Guidance

Organizational records and documents should be examined to ensure that the system development life cycle process the organization uses includes information security, the life cycle meets the requirements of NIST Special Publication 800-64, and specific responsibilities and actions are defined for the implementation of the life cycle support control. Any problems discovered during the implementation of the life cycle support control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in the lifecycle of the system to ensure proper procedures are being followed and that information security requirements are included in the lifecycle process. [SA-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

General Guidance

Organizational personnel should review the design process to ensure it is consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. [ID 1.2.4, AICPA/CICA Privacy Framework]

During the development and acquisition phase, specific security requirements for a new system should be identified. These requirements should comply with the existing policies and standards and/or new policies and standards should be developed based on the new system. [Pg 12-IV-17, Protection of Assets Manual, ASIS International]

The information security function should be involved in and support all major IT projects and security-related projects. The security architecture should be taken into account when developing applications and IT projects and when managing the IT infrastructure. Procedures should be in place to ensure there are consistent application programming interfaces and user interfaces used throughout the organization. The design of a network should take into account user requirements and network compatibility with other networks, and it should be configured to be able to expand for future requirements. [SM2.2.3(b), SM2.2.3(c), SM4.1.4, SM4.1.6, NW1.2.1, The Standard of Good Practice for Information Security]