Financial institutions should establish appropriate systems and application development methodologies. The methodologies should match a project's characteristics and risks and require appropriate:
- Project plans;
- Definitions of project expectations;
- Project standards and procedures;
- Definitions of project phase deliverables, including assurance that deliverables will meet any applicable legal and regulatory requirements;
- Development of security, audit, and automated-control features;
- Quality assurance, risk management, and testing standards and procedures;
- Involvement by all affected parties; and
- Project communication techniques.
Development projects involve the creation of software applications or integrated application systems. Software development projects are completed in-house, through outsourcing, or by a combined approach. Organizations typically manage development projects using systematic methodologies that divide large, complex tasks into smaller, more easily managed segments or phases.
Traditionally, many organizations used the systems development life cycle (SDLC) method to assist in developing software for use in mainframe operating environments. The SDLC provided a satisfactory method to manage the projects because the functional and security requirements of the software were limited. Functional requirements were primarily limited to transaction processing and output reporting. Security requirements were limited because of the closed environment in which mainframes operated. Typically, few individuals had access to the mainframes. Therefore, physical restrictions over mainframe terminals and logical controls over program and data libraries provided most of a system's security.
Client/server systems give significantly more users access to systems and data. Therefore, the need to develop software with greater functionality and stronger internal controls contributed to the development of alternative, risk-focused software development techniques.
Alternative development techniques (such as spiral, iterative, and modified SDLC methodologies) involve the completion of project activities in repetitive (iterative) cycles. The techniques reduce project risks by ensuring the requirements of each participant (end users, auditors, security administrators, designers, developers, system technicians, etc.) are thoroughly considered during each project phase. Involving all parties during each project phase reduces the risk that organizations will not identify problems until late in a project's life cycle. The newer methodologies often employ prototyping or modeling techniques during initial project phases. Prototyping enhances users' ability to visualize how systems will look and work after the systems are installed.
International Organization for Standardization