System Lifecycle Management (SS-08-025)
Topics:
SS-08-025 System Lifecycle Management
Issue Date: 3/31/2008
Revision Effective Date: 3/31/2008
Review Date: 02/20/2024
PURPOSE
System life-cycle management is a necessity for establishing procedures, practices and guidelines governing and managing the life of an information system from conception/initiation through disposition. Its purpose is to assist system owners, developers and management in documenting the design and decisions made regarding a system.
Many security-relevant events and analyses occur during the life of a system. Like other aspects of information processing systems, security is most effective and efficient if it is planned for and managed throughout a computer system's life cycle, from initial planning through design, implementation, and operation to disposal. Including security at the beginning and throughout the information system development life cycle (SDLC) will usually result in less expensive and more effective security implementation and operation.
SCOPE and AUTHORITY
O.C.G.A 50-25-4(a)(8) – State Government, Georgia Technology, General Powers
O.C.G.A 50-25-4(a)(20) - State Government, Georgia Technology, General Powers
PM-04-001 – Information Technology Policies, Standards and Guidelines
PS-08-005 – Enterprise Information Security Charter
TERMS and DEFINITIONS
System Development Lifecycle - the overall process of developing, implementing, and retiring information systems and applications through a multi-step process from initiation, design, implementation, and maintenance to disposal.
STANDARD
System lifecycle management shall have processes for initiation, requirements, development, implementation, operations and disposal. Processes shall include work flow, traceability, accountability, management authority and separation of duties.
System and application security shall be planned for and incorporated throughout the lifecycle.
Development and test activities shall be physically or logically separate from production systems.
Developers shall not have access to production systems. If access is required, it shall be limited and audited.
All phases within the systems lifecycle shall include processes that result in the generation of the appropriate level of documentation, including, but not limited to, requirements and design specs, security plans, configuration guides, transition plans, training plans, user and administration manuals.
REFERENCES
NIST SP 800-12 Introduction to Computer Security NIST Handbook (Ch 8)
NIST SP 800-100 Information Security Handbook for Managers (Ch 3)
NIST SP 800-64 Security Consideration for SDLC
NIST SP 800-65 Integrating IT Security into the Capital Planning and Investments Controls Process
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
System and Development Lifecycle (PS-08-018)
System Security Plans (SS-08-028)
System Implementation and Acceptance (SS-08-032)
System Operations Documentation (SS-08-027)
Operational Change Control (SS-08-026)