III.C.5 Software Development and Acquisition

Management should assess and mitigate operational risks associated with the development or acquisition of software. Management should develop applicable policies that specify risk management controls for the development and acquisition of systems. Management should guide the development or acquisition of software by using a system development life cycle (SDLC) or similar methodology appropriate for the specific IT environment. The extent or use of the SDLC depends on the size and complexity of the institution and the type of development activities performed. If the institution primarily acquires software, management should verify the effective use of an SDLC by the third-party provider.

Each phase of the SDLC should have procedures that verify the maintenance and integrity of controls before the start of the next phase. When identifying the controls to be implemented in each phase, the institution should incorporate the fundamental principles of confidentiality, integrity, and availability. Audit should review the SDLC to ensure that appropriate controls are incorporated during development. Management should analyze the operational impact early in the process to identify any additional cost and support issues.

Management should test new technology, systems, and products thoroughly before deployment. Testing, which should include tests of security, validates that equipment and systems function properly and produce the desired results. As part of the testing process, management should verify whether new technology systems operate effectively with other technology components, including vendor-supplied technology. Pilot programs or prototypes can be helpful in developing new technology before management accepts the technology for use on a broad scale. Management should conduct retesting periodically to help manage risk exposure on an ongoing basis.

Institutions that outsource the development of software should have a process to review their third-party provider's control environment, reputation, and capabilities. Institutions often employ structured acquisition methodologies similar to the SDLC when acquiring significant hardware and software products.

Refer to the IT Handbook's "Development and Acquisition" booklet for more information.
