Status: Live
The organization will develop, disseminate, and review: 1) a formal design and implementation policy that addresses purpose, scope, RACI info, and compliance; and 2) formal standards and procedures to facilitate implementing the policy. [UCF ID 00989]
Supporting and supported controls
This is a top level control.
This control has the following supporting controls:
• Project management framework and initial planning for systems design and implementation [UCF Control ID 00990]
• Establish systems design principles, guidelines, and lifecycle documentation [UCF Control ID 01057]
• Development of application and systems software [UCF Control ID 01094]
• Systems design testing for quality assurance [UCF Control ID 01100]
• Systems implementation [UCF Control ID 01111]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 1.2.4; Protection of Assets Manual, ASIS International, Pg 12-IV-17; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SA-3; The Standard of Good Practice for Information Security, SM2.2.3(b), SM2.2.3(c), SM4.1.4, SM4.1.6, NW1.2.1; Archer Control Table, ATCS-636
Sarbanes Oxley Guidance
Organizational personnel should review the design process to ensure it is consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. [ID 1.2.4, AICPA/CICA Privacy Framework]
US Federal Security Guidance
During the development and acquisition phase, specific security requirements for a new system should be identified. These requirements should comply with the existing policies and standards and/or new policies and standards should be developed based on the new system. [Pg 12-IV-17, Protection of Assets Manual, ASIS International]
NIST Guidance
Organizational records and documents should be examined to ensure that the system development life cycle process the organization uses includes information security, that the life cycle meets the requirements of NIST Special Publication 800-64, and that specific responsibilities and actions are defined for implementing the life cycle support control. Any problems discovered during the implementation of the life cycle support control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in the lifecycle of the system to ensure proper procedures are being followed and that information security requirements are included in the lifecycle process. [SA-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
General Guidance
The information security function should be involved in and support all major IT projects and security-related projects. The security architecture should be taken into account when developing applications and IT projects and when managing the IT infrastructure. Procedures should be in place to ensure there are consistent application programming interfaces and user interfaces used throughout the organization. The design of a network should take into account user requirements and network compatibility with other networks, and it should be configured to be able to expand for future requirements. [SM2.2.3(b), SM2.2.3(c), SM4.1.4, SM4.1.6, NW1.2.1, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
