To provide guidelines necessary to implement Systems Office and College IT systems development life cycle security standards and procedures.

SCOPE

In accordance with the COV ITRM 501-01, IT Systems Development Life Cycle Security document the security related activities that must be adhered to in each phase of the development life cycle for System Office and College IT systems.

APPLICABILITY

The IT Systems Development Life Cycle Security Standard is applicable to the System Office and all Colleges.

STANDARD

Best practices for system development life cycle security are listed below to assist in guiding the System Office and Colleges from project definition through disposal of IT application systems. This document provides an overview of the requirements during each phase. Additional detailed information for IT Project Management may be accessed at these web sites:

VCCS Procedures for Technology Projects and Technology Procurements

http://www.vccs.edu/its/procedures/index.htm

The Commonwealth of Virginia Guideline for Project Management

http://www.vita.virginia.gov/projects/cpm/templates.cfm

Project Initiation Requirement:

A risk analysis should be conducted based on the initial requirements and mission goals to give an overall view of the security requirements for the IT system. The IT System and Data Sensitivity Classification process should be completed for the proposed system. There must also be an assessment of the need for collection and maintenance of sensitive data before incorporating such collection and maintenance in IT system requirements.

Project Definition Requirement:

Security requirements should be developed at the same time system planners define the requirements of the system. The security requirements should be incorporated into design specifications along with verification that the security features developed work properly and are effective.

Project Implementation Requirement:

The IT system security features should be enabled, configured, tested, and validated. Perform a Risk Assessment for Technology Systems to assess the risk level of the IT application system.

Project Operation/Maintenance Requirement:

The Operation and Maintenance Phase involves completing the numerous security activities involved with an IT system on a day-to-day basis. Backups, training, security awareness, and password management are some examples.

Project Operation/Maintenance Requirement:

The System Office and Colleges should retain data handled by an IT system in accordance with the proper retention procedures. The System Office and Colleges should adhere to the procedures currently in place to address the purging of all data, using software utilities or electromagnetic means, from magnetic storage media such as hard drives, removable disk drives, diskettes, CD-ROMs, zip drives, and other magnetic storage media before they are discarded, in accordance with the ITRM Standard SEC2003-02.1.

RELATED LINKS