Topics: 

SS-08-025 System Lifecycle Management

Issue Date:  3/31/2008

Revision Effective Date:  3/31/2008

Review Date: 02/20/2024

PURPOSE

System life-cycle management is a necessity for establishing procedures, practices and guidelines governing and managing the life of an information system from conception/initiation through disposition.   Its purpose is to assist system owners, developers and management in documenting the design and decisions made regarding a system.

Many security-relevant events and analyses occur during the life of a system.  Like other aspects of information processing systems, security is most effective and efficient if it is planned for and managed throughout a computer system's life cycle, from initial planning through design, implementation, and operation to disposal. Including security at the beginning and throughout the information system development life cycle (SDLC) will usually result in less expensive and more effective security implementation and operation.

SCOPE and AUTHORITY

O.C.G.A 50-25-4(a)(8) – State Government, Georgia Technology, General Powers

O.C.G.A 50-25-4(a)(20) - State Government, Georgia Technology, General Powers

PM-04-001 – Information Technology Policies, Standards and Guidelines

PS-08-005 – Enterprise Information Security Charter

 

TERMS and DEFINITIONS

System Development Lifecycle - the overall process of developing, implementing, and retiring information systems and applications through a multi-step process from initiation, design, implementation, and maintenance to disposal.

STANDARD

System lifecycle management shall have processes for initiation, requirements, development, implementation, operations and disposal.  Processes shall include work flow, traceability, accountability, management authority and separation of duties.

System and application security shall be planned for and incorporated throughout the lifecycle.

Development and test activities shall be physically or logically separate from production systems.

Developers shall not have access to production systems.  If access is required, it shall be limited and audited.

All phases within the systems lifecycle shall include processes that result in the generation of the appropriate level of documentation, including, but not limited to, requirements and design specs, security plans, configuration guides, transition plans, training plans, user and administration manuals.

REFERENCES

NIST SP 800-12 Introduction to Computer Security NIST Handbook (Ch 8)

NIST SP 800-100 Information Security Handbook for Managers (Ch 3)

NIST SP 800-64 Security Consideration for SDLC

NIST SP 800-65 Integrating IT Security into the Capital Planning and Investments Controls Process

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

System and Development Lifecycle (PS-08-018)

System Security Plans (SS-08-028)

System Implementation and Acceptance (SS-08-032)

System Operations Documentation (SS-08-027)

Operational Change Control (SS-08-026)

Media Controls (PS-08-026)

 

 

Related Files