Establish, implement, and maintain a System Development Life Cycle program.


CONTROL ID
11823
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Systems design, build, and implementation, CC ID: 00989

This Control has the following implementation support Control(s):
  • Include management commitment to secure development in the System Development Life Cycle program., CC ID: 16386
  • Perform a feasibility study for product requests., CC ID: 06895
  • Update the system design, build, and implementation methodology to incorporate emerging standards., CC ID: 07045
  • Include information security throughout the system development life cycle., CC ID: 12042
  • Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties., CC ID: 15469


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should adopt and implement a full project life cycle methodology governing the process of developing, implementing and maintaining major computer systems. In general, this should involve phases of project initiation, feasibility study, requirement definition, system design, program development, … (4.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • It is necessary to establish efficient development methods, implement project management and designate responsible personnel for project in order to conduct proper management of the system development process. (P75.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The FI should establish a framework to manage its system development life cycle (SDLC). The framework should clearly define the processes, procedures and controls in each phase of the life cycle, such as initiation/planning, requirements analysis, design, implementation, testing and acceptance. Stan… (§ 5.4.1, Technology Risk Management Guidelines, January 2021)
  • Financial institutions should develop and implement a process governing the acquisition, development and maintenance of ICT systems. This process should be designed using a risk-based approach. (3.6.2 67, Final Report EBA Guidelines on ICT and security risk management)
  • Competent authorities should assess whether the institution has an effective framework in place for identifying, understanding, measuring and mitigating ICT change risk commensurate with the nature, scale and complexity of the institution's activities and the ICT risk profile of the institution. The… (Title 3 3.3.4(c) 56, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • a process to monitor and manage the life cycle of the used ICT systems, to ensure that they continue to meet and support the actual business and risk management requirements and to make sure that the used ICT solutions and systems are still supported by their vendors; and that this is accompanied by… (Title 3 3.3.4(c) 56.e, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • In order to achieve the objectives referred to in paragraph 2, financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4. Those ICT solutions and processes shall: (Art. 9.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • hardware and software development, (§ 8.1 Subsection 5 ¶ 2 Bullet 9, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Policies and instructions with technical and organisational safeguards for the proper development and/or procurement of information systems for the development or operation of the cloud service, including middleware, databases, operating systems and network components are documented, communicated an… (Section 5.11 BEI-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Track the status of individual requirements (including all rejected requirements) during the design, development and implementation, and approve changes to requirements through an established change management process. (AI2.9 Applications Requirements Management, CobiT, Version 4.1)
  • Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. (6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. (6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. (6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for developing and maintaining secure systems and applications are: - Documented, - In use, and - Known to all affected parties. (6.7, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Documented. (6.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In use. (6.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (6.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 6 are managed in accordance with all elements specified in this requirement. (6.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Documented. (6.1.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (6.1.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (6.1.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (6.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (6.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (6.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (6.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (6.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (6.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization. (AIS-04, Cloud Controls Matrix, v4.0)
  • A life cycle perspective should be considered as early as possible, i.e. in the design and development process. This will provide a better opportunity to make improvements to the overall environmental performance of activities, processes, products or services, and help the organization reduce the po… (8.1.2 ¶ 4, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system. (TASK P-13, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The organization implements a process for Secure System Development Lifecycle for in-house software design and development. (PR.IP-2.1, CRI Profile, v1.2)
  • A System Development Life Cycle to manage systems is implemented. (PR.IP-2, CRI Profile, v1.2)
  • The organization implements a process for Secure System Development Lifecycle for in-house software design and development. (PR.IP-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • A service organization adopts a mission and vision, sets strategies, and establishes objectives to help it achieve its mission and vision based on its strategies. Management designs and implements various systems to achieve specific objectives and designs and implements controls within the systems t… (¶ 1.30, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in chapter 2, service organization management is responsible for designing, implementing, and operating the system to achieve its service commitments to user entities and the system requirements that are necessary to enable the system to achieve those commitments and comply with laws an… (¶ 3.26, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The entity’s commitments and system requirements, as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof], are addressed during the system development lifecycle, including the aut… (CC7.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • A program to review and keep current systems development and testing methodology for such systems; (§242.1001(a)(2)(iii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Oversight of IT architecture product development, use, and refinement. (App A Objective 2:9a Bullet 9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Design and build, including formal processes to preserve integrity throughout the development life cycle and ensure adequate controls. (App A Objective 6:4d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Development and acquisition, including secure development. (App A Objective 12:4 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • System development life cycle or similar methodology based on the complexity and type of development performed. (App A Objective 12:10 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization protects against supply chain threats to the information system, system component, or information system service by employing [FedRAMP Assignment: organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedure… (SA-12 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment. (T0304, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support. (T0012, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop software system testing and validation procedures, programming, and documentation. (T0455, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created. (RV.3.4, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support. (T0012, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment. (T0304, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop software system testing and validation procedures, programming, and documentation. (T0455, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Reviews and updates the current organization or mission provenance policy and procedures every [Assignment: organization-defined frequency]. (PV-1b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • DRIVE THE DEVELOPMENT OF SECURE IOT DEVICES (STRATEGIC OBJECTIVE 3.2, National Cybersecurity Strategy)
  • DRIVE THE DEVELOPMENT OF SECURE IOT DEVICES (STRATEGIC OBJECTIVE 3.2, National Cybersecurity Strategy (Condensed))