III.C.5 Software Development and Acquisition
Management should assess and mitigate the operational risks associated with the development or acquisition of software. Management should develop applicable policies that specify risk management controls for the development and acquisition of systems. Management should guide the development or acquisition of software by using a system development life cycle (SDLC) or similar methodology appropriate for the specific IT environment. The extent or use of the SDLC depends on the size and complexity of the institution and the type of development activities performed. If the institution primarily acquires software, management should verify the effective use of an SDLC by the third-party provider.

Each phase of the SDLC should have procedures that verify the maintenance and integrity of controls before the start of the next phase. When identifying the controls to be implemented in each phase, the institution should incorporate the fundamental principles of confidentiality, integrity, and availability. Audit should review the SDLC to ensure that appropriate controls are incorporated during development. Management should analyze the operational impact early in the process to identify any additional cost and support issues.

Management should test new technology, systems, and products thoroughly before deployment. Testing, which should include security testing, validates that equipment and systems function properly and produce the desired results. As part of the testing process, management should verify whether new technology systems operate effectively with other technology components, including vendor-supplied technology. Pilot programs or prototypes can be helpful in developing new technology before management accepts the technology for use on a broad scale. Management should conduct retesting periodically to help manage risk exposure on an ongoing basis.

Institutions that outsource the development of software should have a process to review their third-party provider's control environment, reputation, and capabilities. Institutions often employ structured acquisition methodologies similar to the SDLC when acquiring significant hardware and software products.

Refer to the IT Handbook's "Development and Acquisition" booklet for more information.