Senior management should assess and mitigate the
operational/transactional risks associated with the development or
acquisition of software. Management should develop applicable
policies and standards, which specify risk management controls for
the development and acquisition of systems. Uncontrolled software
development or acquisition may introduce unacceptable levels of

Management should guide the development or acquisition of
software by using a system development life cycle (SDLC) or similar
methodology that is appropriate for the specific IT environment. An
SDLC methodology will also help to identify the risks when
acquiring software; however, financial institutions should also consider
the vendor's control environment, reputation, and capabilities.

Each phase of the SDLC should have procedures that verify the
maintenance and integrity of controls before the start of the next
phase. An institution should review the information security aspects of
each phase to identify the security requirements that phase introduces.
Audit should be involved to ensure proper security is incorporated
during development. Depending upon the size and complexity of the
institution, management should analyze the operational impact early in
the process to identify any additional cost and support issues.

Management should test new technology, systems, and products
thoroughly before deployment. Testing validates that equipment and
systems function properly and produce the desired results. As part
of the testing process, management should verify whether new
technology systems operate effectively with other technology
components, including vendor-supplied technology. Pilot programs or
prototypes can be helpful in developing new technology applications
before management accepts them for use on a broad scale. Management
should conduct retesting periodically to help manage risk exposure
on an ongoing basis.

Refer to the IT Handbook's "Development and Acquisition Booklet"
for additional detailed information on this topic.