| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |
|---|---|---|---|---|---|
| | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | | |

### SA-3 System Development Life Cycle
|
**Assessment objective:** Determine if the organization:

- SA-3(a)
  - SA-3(a)[1] defines a system development life cycle that incorporates information security considerations to be used to manage the information system;
  - SA-3(a)[2] manages the information system using the organization-defined system development life cycle;
- SA-3(b) defines and documents information security roles and responsibilities throughout the system development life cycle;
- SA-3(c) identifies individuals having information security roles and responsibilities; and
- SA-3(d) integrates the organizational information security risk management process into system development life cycle activities.
**Potential assessment methods and objects:**

- **Examine:** [select from: System and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; information system development life cycle documentation; information security risk management strategy/program documentation; other relevant documents or records].
- **Interview:** [select from: Organizational personnel with information security and system life cycle development responsibilities; organizational personnel with information security risk management responsibilities; organizational personnel with information security responsibilities].
- **Test:** [select from: Organizational processes for defining and documenting the SDLC; organizational processes for identifying SDLC roles and responsibilities; organizational process for integrating information security risk management into the SDLC; automated mechanisms supporting and/or implementing the SDLC].