Initiate the System Development Life Cycle planning phase.


CONTROL ID
06266
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Systems design, build, and implementation, CC ID: 00989

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain research and development plans., CC ID: 13649
  • Establish, implement, and maintain system design principles and system design guidelines., CC ID: 01057
  • Establish and maintain System Development Life Cycle documentation., CC ID: 12079
  • Establish, implement, and maintain system design requirements., CC ID: 06618
  • Establish, implement, and maintain a system design project management framework., CC ID: 00990
  • Separate the design and development environment from the production environment., CC ID: 06088


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is necessary to formulate plans for the planning, development, and operation of the system (hereinafter referred to as the "medium- to long-term system plan") with a medium- to long-term perspective, considering the fact that system development requires considerable management resources and time. (C2.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The business owner must review the minimum level of security controls listed in the CMS information systems acceptable risk safeguards and evaluate the controls to determine the appropriate level. The business owner must document the expected minimum controls relative to the system's sensitivity lev… (§ 2.3, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • The system security officer (SSO) must ensure that internal controls are incorporated into new information systems. (CSR 1.5.7(1), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • During the planning phase, the business owner reviews the acceptable risk safeguards, evaluates all IS areas and determines appropriateness, identifies the expected minimum security controls, and reviews the system security level determination. (§ 2.3, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • Initiate Security Planning: Security planning should begin in the initiation phase by: • Identifying key security roles for the system development; • Identifying sources of security requirements, such as relevant laws, regulations, and standards; • Ensuring all key stakeholders have a common u… (§ 3.1.3.1, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)