SA-3 System Development Life Cycle
Statement
A system development life cycle (SDLC) provides the foundation for the successful development, implementation, and operation of organizational information systems. Applying the required security controls within the SDLC requires an understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. Therefore, WTAMU shall include the ISO, or CIO s in SDLC activities to ensure that security requirements are incorporated into organizational information systems.
Applicability
This Control applies to all internally developed software applications. The intended audience for this Control includes the IT Directors and staff responsible for application development.
Implementation
Each development project for any new information systems or services being developed that process and/or store sensitive or mission critical information shall:
- Manage the system development using an SDLC plan that incorporates information security, security testing and audit controls in all phases of development.
- Define and document information security roles and responsibilities throughout the system development life cycle.
- Identify individuals having information security roles and responsibilities.
- Integrate the University information security risk management process into SDLC activities.