L&I, Office of Information Technology Policy APP-000
||System Development Life Cycle
This policy establishes a well-defined Systems Development Life Cycle (SDLC) framework; related software application development methodologies; and tools that are essential components in the management, development, and delivery of software applications and systems to support the Department of Labor & Industry (L&I) business needs. This policy provides direction for systems and software developed in-house and the use of commercial off-the-shelf (COTS) applications. This policy also fulfills the requirements of Internal Revenue Service (IRS) Publication 1075 safeguards and requirements defined by the Social Security Administration (SSA). This policy documents the implementation of the National Institute of Standards and Technology (NIST) Security Controls: CM-9 & SA-3
This policy is published under the general authority of the Governor’s Office of Administration/Office of Information Technology (OA/OIT).
The SDLC complements the NIST risk management framework by providing a sample roadmap for integrating security functionality and assurance into the SDLC. These security considerations are relevant to both new and legacy systems, and should be applied and documented to ensure security controls are in place and functioning effectively to provide adequate protections for the information and the information system.
This policy applies to all employees within all bureaus, divisions, boards, commissions, and councils within L&I. This includes any contracted employees in the service of L&I (hereinafter referred to collectively as “L&I Users”).
L&I program area management shall meet with OIT project management to initiate any project related to the development of new or significant changes to existing systems and software applications and create a project team.
L&I shall establish project teams consisting of OIT project management, architecture, security, operations, business relationship management, contracted resources, program area staff, and other resources, as necessary. Each project team shall establish controls including cost, accountability, schedule, and success criteria for their project.
L&I OIT shall identify SDLC methodology to be used for all new development and maintenance phases.
All systems development efforts shall be developed in accordance with the L&I SDLC plan.
All systems utilizing COTS products shall be developed in accordance with the applicable phases of the L&I SDLC plan.
All software developed in-house shall be developed in accordance with the L&I SDLC plan.
All project and system development efforts will adhere to L&I Policy ADM-002 ITIL Compliance.
L&I OIT shall comply with data classification requirements of ITP-SEC019 Policy and Procedures for Protecting Commonwealth Electronic Data.
All project and system development efforts shall adhere to NIST Security Controls, based on data classification.
L&I OIT shall maintain documentation requirements throughout all phases of the SDLC plan.
L&I OIT Security shall provide documentation of compliance with and gaps in NIST security controls. L&I OIT shall maintain these documents with the service design package (SDP).
All systems shall be architected with a minimum of separate development, test, and production environments. Additional environments must be identified as part of the SDP.
L&I OIT shall ensure that all access, roles, and permissions are in compliance with SEC-010 Access Control for Non-commonwealth Users Policy.
L&I OIT shall ensure that all systems are architected to ensure separation of duties. No staff having elevated roles and permissions to the development or testing environments shall have access to the production environment. All application and program access paths utilized in development or testing, other than the formal user access paths, must be deleted or disabled before software is moved into production.
L&I OIT shall document system records in accordance with PLT-004 Inventory of Authorized & Unauthorized Hardware & Software.
L&I OIT shall document baseline management in accordance with SYM-002 Configuration Management Policy.
L&I OIT shall review the SDLC plan annually and update the plan every three years.
- L&I User responsibilities:
- Read and comply with all L&I policies, management directives, and laws; and
- Report any violations of policies promptly to the L&I Chief Information Security Officer (CISO)at LI, OIT-DLICISO.
- L&I management responsibilities:
- Comply with all L&I policies and ensure L&I users comply with the policies; and
- Adhere to this policy and any published procedures regarding configuration management.
7. Version Control
||Format and content revision