Secure System Services, Acquisition and Development
LOW, MOD, HIGH
P1
Yes
May 20, 2016
Information resource owners shall include information security, security testing, and audit controls in all phases of the system development lifecycle or acquisition process. Where systems are designed for multi-tenancy, test environments may reside in a separate tenant from production environments or in a physically or logically separate environment. In systems that are not designed for multi-tenancy, test environments must reside physically or logicailly separate from production environments. Copies of production data are not used for testing unless the data has been authorized for public release or unless all custodians involved in testing are otherwise authorized access to the data.
Developed and implemented systems do not consider the Design phase of the systems development lifecycle.
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.
a. The existing system development lifecycle includes consideration for information security.
b. Test environments are kept either physically or logically separate from production environments.
c. Copies of production data are not used for testing unless the data has been authorized for public release or unless all custodians involved in testing are otherwise authorized access to the data.
Information security, security testing, and audit controls shall be included in all phases of the system development lifecycle or acquisition process.
Obtain system and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; NIST Special Publication 800-64; information system development life cycle documentation; other relevant documents or records and ascertain if :
(I)the organization manages the information system using a system development life cycle methodology that includes information security considerations.
(ii)the organization uses a system development life cycle that is consistent with NIST Special Publication 800-64.