Establish and maintain System Development Life Cycle documentation.


CONTROL ID: 12079
CONTROL TYPE: Systems Design, Build, and Implementation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle planning phase., CC ID: 06266

This Control has the following implementation support Control(s):
  • Include a technology refresh schedule in the system development life cycle documentation., CC ID: 14759
  • Define and document organizational structures for the System Development Life Cycle program., CC ID: 12549
  • Establish, implement, and maintain a full set of system procedures., CC ID: 01074


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • App 2-1 Item Number III.1(2): The development procedures must be based on the selected system development methodology and be standardized throughout the organization. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number I… (App 2-1 Item Number III.1(2), App 2-1 Item Number III.1(3), App 2-1 Item Number III.2(6), App 2-1 Item Number III.2(8), App 2-1 Item Number III.2(10), App 2-1 Item Number III.2(11), App 2-1 Item Number III.3(1), App 2-1 Item Number III.3(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The FI should establish a framework to manage its system development life cycle (SDLC). The framework should clearly define the processes, procedures and controls in each phase of the life cycle, such as initiation/planning, requirements analysis, design, implementation, testing and acceptance. Stan… (§ 5.4.1, Technology Risk Management Guidelines, January 2021)
  • System administrators document requirements for administrative activities, consider potential security impacts, obtain any necessary approvals, notify users of any disruptions or outages, and maintain system and security documentation. (Control: ISM-1211; Revision: 5, Australian Government Information Security Manual, June 2023)
  • System administrators document requirements for administrative activities, consider potential security impacts, obtain any necessary approvals, notify users of any disruptions or outages, and maintain system and security documentation. (Control: ISM-1211; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Gateway providers must prepare all system documentation prior to an IRAP Assessment. The gateway providers may engage an IRAP Assessor to assist in the development of the documentation suite, however, the same Assessor cannot provide final IRAP Assessment services. To avoid conflicts of interests, a… (58., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • Financial institutions should implement measures to protect the integrity of the source codes of ICT systems that are developed in-house. They should also document the development, implementation, operation and/or configuration of the ICT systems comprehensively to reduce any unnecessary dependency … (3.6.2 73, Final Report EBA Guidelines on ICT and security risk management)
  • The application and its development shall be documented in a clearly structured way and in a manner that is readily comprehensible for competent third parties. (II.6.40, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications documented, in use, and known to all affected parties? (PCI DSS Question 6.7, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Internal auditors should determine if the development life cycle is being followed. This will be used to determine when to conduct project audits and what controls to test. Auditors should ensure business requirements and existing and future business processes are considered. (§ 3.3 ¶ 4, § 3.3 (Solution Design), IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • There should be a documented system development methodology (often referred to as the systems development lifecycle), which is based upon sound systems development and Project Management practices (e.g., structured systems analysis and design method and jackson structured program). (CF.17.01.01, The Standard of Good Practice for Information Security)
  • There should be a documented system development methodology (often referred to as the systems development lifecycle), which is based upon sound systems development and Project Management practices (e.g., structured systems analysis and design method and jackson structured program). (CF.17.01.01, The Standard of Good Practice for Information Security, 2013)
  • The system development methodology should be kept up-to-date to include new and emerging application architectures (e.g., web 2.0, Service Oriented Architecture, and web services). (CF.17.01.05c, The Standard of Good Practice for Information Security, 2013)
  • The systems development lifecycle should cover specifying requirements, designing, building and testing applications, promoting applications into the live environment, and training users of business applications. (CF.17.01.02, The Standard of Good Practice for Information Security, 2013)
  • The system lifecycle documentation should include the following: a description of the chosen lifecycle model (standardized or measurable); why the model was chosen; how the model is used; and the measurement results for the chosen model. (§ 17.3, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The lifecycle documentation should be examined to ensure it includes the development and maintenance process and information on the procedures, tools, and techniques the developer uses. An analysis should be conducted on the functional specification and the summary specification to ensure they are a… (§ 10.6.3, § 11.6.4, § 12.6.4, § 13.6.6, § 13.8.2, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall establish a software development plan that is appropriate to the scope, software safety classifications, and magnitude of the software system that is being developed. The pla… (§ 5.1.1, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • The organization should implement a systems development process for all systems that collect, use, keep, disclose, and destroy personal information. (Table Ref 1.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The quality and thoroughness of system documentation; (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 7, FFIEC IT Examination Handbook - Audit, April 2012)
  • The organization should use a system development lifecycle methodology for the development or acquisition of software. (Pg 31, FFIEC IT Examination Handbook - Management)
  • The system development lifecycle used by the organization for managing the system must include information security considerations. (§ 5.6.14, Exhibit 4 SA-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Organizational policies and practices are in place to foster a critical thinking and safety-first mindset in the design, development, deployment, and uses of AI systems to minimize potential negative impacts. (GOVERN 4.1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data]. (SR-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data]. (SR-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • A System Development Life Cycle to manage systems is implemented (PR.IP-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • A System Development Life Cycle to manage systems is implemented (PR.IP-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • A System Development Life Cycle to manage systems is implemented. (PR.IP-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Direct software programming and development of documentation. (T0324, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Write detailed functional specifications that document the architecture development process. (T0338, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that design and development activities are properly documented (providing a functional description of implementation) and updated as necessary. (T0406, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop software system testing and validation procedures, programming, and documentation. (T0455, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Analyze and provide information to stakeholders that will support the development of security application or modification of an existing security application. (T0424, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop detailed design documentation for component and interface specifications to support system design and development. (T0464, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop system testing and validation procedures, programming, and documentation. (T0457, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Direct software programming and development of documentation. (T0324, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Write detailed functional specifications that document the architecture development process. (T0338, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure that design and development activities are properly documented (providing a functional description of implementation) and updated as necessary. (T0406, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop system testing and validation procedures, programming, and documentation. (T0457, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop detailed design documentation for component and interface specifications to support system design and development. (T0464, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Analyze and provide information to stakeholders that will support the development of security application or modification of an existing security application. (T0424, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop software system testing and validation procedures, programming, and documentation. (T0455, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data]. (SR-4 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data]. (SR-4 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develops, documents, and disseminates the provenance policy and procedures for [Assignment: organization-defined information systems, or components or the ICT supply chain infrastructure]; and (PV-1a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)