Appendix
Sidebar
Table of Contents
Governing Policy
Questions?
Please use the contact section in the governing policy.
- Requirements & Analysis Phase of the SDLC
- Design Phase of the SDLC
- Development Phase of the SDLC
- Testing and Quality Assurance Phase of the SDLC
- Deployment Phase of the SDLC
- On-going Maintenance Phase of the SDLC
Objective
Include information security in all phases and processes of software development, which includes new and enhancements to software. Software consists of instructions and code that use programming languages in the application (e.g., end-user application, script or program to automate a production task).
A software development life cycle (SDLC) is a step-by-step methodology for designing and developing software to meet a set of requirements. Requirements are developed during the conception and design phases, implemented during the development phase, tested during the testing phase, and approved before deployment. Adherence to an SDLC can ensure software performs all necessary business operations in a secure and efficient manner and in accordance with laws and regulations.
Security Controls
Requirements & Analysis Phase of the SDLC
The following table describes information security requirements in the requirements & analysis phase.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SD.A.01 | Document the SDLC process used by the unit | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SD.A.02 | Develop software in adherence with the unit’s SDLC process | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SD.A.03 | Document security related requirements with the functional and business requirements | Required Effective July 2019 | Recommended | Recommended |
| SD.A.04 | Identify and document the types of data to be stored or processed by the software | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
Design Phase of the SDLC
The following table describes information security requirements in the design phase.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SD.B.01 | Document the architecture and directional data flows of the software under development, including security controls on data at rest, in transit, and being processed | Required Effective July 2019 | Recommended | Optional |
| SD.B.02 | Define a dedicated (isolated) production and non-production environment | Recommended1 | Recommended | Optional |
| SD.B.03 | Define roles and permissions within the software | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| SD.B.04 | Document a procedure for maintaining access control to program source code | Required Effective July 2019 | Recommended | Recommended |
| SD.B.05 | Document a decommission plan for all environments, including software obsolescence | Required Effective July 2019 | Recommended | Recommended |
| SD.B.06 | Document the peer review of the design and the approval to move to the next phase | Required Effective July 2019 | Recommended | Optional |
1 Required for PCI DSS on all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
Development Phase of the SDLC
The following table describes information security requirements in the development phase.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SD.C.01 | Maintain a separate non-production environment for development | Required | Recommended | Recommended |
| SD.C.02 | Prevent private-highly restricted and/or private-restricted data from appearing in non-production environments unless the environment meets the same requirements as the production environment | Required | Required Effective July 2019 |
Recommended |
| SD.C.03 | Only use software from third party libraries or code repositories where the vendor or open source community continue to identify and remediate security vulnerabilities | Required Effective July 2019 | Recommended | Recommended |
| SD.C.04 | Conduct iterative manual and/or automated testing of security and functional requirements | Required Effective July 2019 | Recommended | Recommended |
| SD.C.05 | Follow the documented procedure for maintaining access control to program source code | Required Effective July 2019 | Recommended | Recommended |
| SD.C.06 | Use a version control system | Required Effective July 2019 | Recommended | Recommended |
| SD.C.07 | Use industry standard secure coding practices | Required Effective July 2019 | Recommended | Recommended |
| SD.C.08 | Follow the decommission plan for the environment after completion of the development phase | Required Effective July 2019 | Recommended | Recommended |
Testing and Quality Assurance Phase of the SDLC
The following table describes information security requirements in the testing and quality assurance phase.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SD.D.01 | Maintain a separate non-production environment for testing and quality assurance | Required Effective July 2019 |
Recommended | Recommended |
| SD.D.02 | Prevent private-highly restricted and/or private-restricted data in non-production environments unless the environment meets the same requirements as the production environment | Required | Required Effective July 2019 |
Recommended |
| SD.D.03 | Test software against security and functional requirements | Required Effective July 2019 |
Recommended | Recommended |
| SD.D.04 | Conduct an independent code review to help identify potential coding vulnerabilities | Recommended 1 | Recommended | Optional |
| SD.D.05 | Follow the decommission plan for the environment after completion of the testing phase | Required Effective July 2019 |
Recommended | Recommended |
1 Required for PCI DSS on all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
Deployment Phase of the SDLC
The following table describes information security requirements in the deployment to production phase.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SD.E.01 | Maintain a separate production environment from non-production | Required | Required Effective July 2019 |
Recommended |
| SD.E.02 | Remove specialized privilege and access methods prior to deployment in the production environment | Required Effective July 2019 |
Required Effective July 2019 |
Required Effective July 2019 |
| SD.E.03 | Prohibit deployment when software does not pass security requirements in the testing phase | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SD.E.04 | Follow the documented procedure for maintaining access control to program source code | Required Effective July 2019 | Recommended | Recommended |
On-going Maintenance Phase of the SDLC
The following table describes information security requirements in the on-going maintenance phase of developed software.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SD.F.01 | Monitor software and dependencies for vulnerabilities and bugs | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| SD.F.02 | Document ownership for ongoing software maintenance and security controls | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| SD.F.03 | Follow the documented procedure for maintaining access control to program source code | Required Effective July 2019 |
Recommended | Recommended |
| SD.F.04 | Periodically review and update the decommission plan for the non-production and production environments (suggest: annual) | Required Effective July 2019 |
Recommended | Recommended |
Resources Covered
This applies to IT resources owned or contracted by the University.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Software Development
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to software development.
Published Date
July 2019