Initiate the System Development Life Cycle planning phase.
CONTROL ID 06266
CONTROL TYPE Systems Design, Build, and Implementation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Systems design, build, and implementation, CC ID: 00989
This Control has the following implementation support Control(s):
Establish, implement, and maintain research and development plans., CC ID: 13649
Establish, implement, and maintain system design principles and system design guidelines., CC ID: 01057
Establish and maintain System Development Life Cycle documentation., CC ID: 12079
Establish, implement, and maintain system design requirements., CC ID: 06618
Establish, implement, and maintain a system design project management framework., CC ID: 00990
Separate the design and development environment from the production environment., CC ID: 06088
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
It is necessary to formulate plans for the planning, development, and operation of the system (hereinafter referred to as the "medium- to long-term system plan") with a medium- to long-term perspective, considering the fact that system development requires considerable management resources and time. (C2.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
The business owner must review the minimum level of security controls listed in the CMS information systems acceptable risk safeguards and evaluate the controls to determine the appropriate level. The business owner must document the expected minimum controls relative to the system's sensitivity lev… (§ 2.3, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
The system security officer (SSO) must ensure that internal controls are incorporated into new information systems. (CSR 1.5.7(1), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
During the planning phase, the business owner reviews the acceptable risk safeguards, evaluates all IS areas and determines appropriateness, identifies the expected minimum security controls, and reviews the system security level determination. (§ 2.3, System Security Plan (SSP) Procedure, Version 1.1 Final)
Initiate Security Planning: Security planning should begin in the initiation phase by:
• Identifying key security roles for the system development;
• Identifying sources of security requirements, such as relevant laws, regulations, and standards;
• Ensuring all key stakeholders have a common u… (§ 3.1.3.1, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)