|
------- INDEX AND GLOSSARY. DO NOT CHANGE OR DELETE! ----------
Open IT Policy Index
-
Acceptable Use, Administrative or Special Access (Policy)
-
Acceptable Use, Email (Policy)
-
Acceptable Use, Internet (Policy)
-
Acceptable Use, Virtual Private Network (VPN) (Policy)
-
Access Controls, Account (Policy)
-
Account Management (Policy)
-
Change Management (Policy)
-
Computer Virus Prevention (Policy)
-
Contingency Planning (Policy)
-
Data Backup and Storage (Policy)
-
Data Marking, Handling, Processing, Storage, and Disposal (Policy)
-
Deferral of System Security Certification or Accreditation, Annual (Form)
-
General Information Security Management (Procedure)
-
Green Computing (Policy)
-
Incident Response (Policy)
-
Intrusion Detection (Policy)
-
Logging and Audit Trails (Policy)
-
Mobile Computing and Network Access (Policy)
-
Network Access (Policy)
-
Network Access Controls (Standard)
-
Network Configuration (Policy)
-
Network Data Privacy (Policy)
-
Password Management (Policy)
-
Personnel Security (Policy)
-
Physical Security (Policy)
-
Policy Application Checklist (Administrative Utility)
-
Secure Media and Data Handling (Procedure)
-
Secure Software Development Lifecycle (Standard)
-
Social Computing and Networking (Policy)
-
Software and Hardware Security Controls (Policy)
-
Spam and Unsolicited Commercial Email Prohibition (Policy)
-
System Security Certification/Accreditation, Annual (Form)
-
System Security Certification/Accreditation, Annual (Policy)
-
Telecommuting Agreement, Employee (Form)
-------------------------------------------------------------------------------------------------
Overview and Purpose
Information security must be integrated into new application and systems development from their inception and throughout the development lifecycle. The development lifecycle is defined as a period that begins with conception of a new development project and ends with retirement or removal of the developed software from all active use.
A development lifecycle typically includes five phases, irrespective of development methodology:
-
Initiation
-
Development/acquisition
-
Implementation
-
Operation/maintenance
-
Disposal
Roles and Responsibilities
Information Systems Director
-
Publishes and maintains policy guidelines for security in the applications life cycle.
Information Security Officer (ISO)
-
Prepares policy guidelines for building security into development lifecycles
-
Ensures the plan for any particular development project includes security in all lifecycle phases
-
Assists application developers/owners in addressing security requirement for each development lifecycle phase
Application Developers/Owners
-
Understands and defines the security requirements for each development lifecycle phase
-
Implements security requirements when developing or modifying any software
-
Documents security controls required by security plan
Development Lifecycle Security Procedures
There are specific security requirements for each phase of the software development lifecycle:
Initiation
-
The ISO and development manager conduct a sensitivity assessment that evaluates the sensitivity and criticality of the information to be processed by the planned software, as well as the system itself
-
The assessment shall consider the following information and system needs, as prescribed by laws, regulations, and internal policies:
-
Information security
-
Information privacy
-
Information availability
-
Information integrity
-
Information confidentiality
-
System continuity, based on environment and public threats to the system or information should also be considered
Development/Acquisition
-
The development team should work with the ISO to develop software security requirements at the same time they are defining the software requirements
-
The development manager and ISO must ensure security requirements are incorporated into software design specifications
-
If the software under development has been acquired in whole or part from another source—whether a
vendor, other third party, or previous internal development effort—the development manager and ISO should include procedures that ensure security features in the acquired software meet security requirements and, as much as possible, adhere to internal security development standards.
Implementation Phase
-
The development team must ensure that software security features are properly configured and enabled
-
The development team must test security functionality prior to software release
-
Security testing should be performed under conditions as close to production conditions as possible
Operation/Maintenance Phase
-
The development team must complete all security activities required by IT, the software development plan, and the organiation's Information Security program. These activities might include software and data backups, user training, access management workflows, and system reviews.
Disposal Phase
-
The development or IT team moves to another system, archives, discards, or destroys application code
-
Hardware and software can be sold, given away, or discarded. It staff should ensure that all media has been sanitized to prevent the unintended leakage of confidential information, prior to transferring or discarding
Information Resources.
-
Disposition of licensed software must meet requirements of the software license or other relevant agreements.
Enforcement
Violation of this policy can result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: Covered Organization]
Information Resources access privileges, civil, and criminal prosecution.
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
-
[variable: internal documents (with links, if available)]
-
[variable: external documents (with links, if available)]
Policy Support Contact
-
[variable: title (not personal name) of role responsible for overseeing this procedure]
-
[variable: Contact information of office responsible for overseeing this procedure]
Resources
|
Open IT Policy Project 
