
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

SA Family: System and Services Acquisition

SA-3 SYSTEM DEVELOPMENT LIFE CYCLE


Assessment worksheet (one row per control; the assessor fills in the blank row):

Applicable    Confidentiality   Integrity        Availability     RPN        Result
(Y)es / (N)o  L1 / M2 / H3      L1 / M2 / H3     L1 / M2 / H3     (C+I+A)    (S)atisfactory /
                                                                             (O)ther than satisfactory +##

____________  ________________  _______________  _______________  _________  ###

Rating scale for each of C, I and A: L = Low (1), M = Moderate (2), H = High (3). RPN is the sum of the three ratings, so it ranges from 3 to 9.

SA-3 System Development Life Cycle

Assessment Objective:

Determine if the organization:

SA-3(a)

SA-3(a)[1]  defines a system development life cycle that incorporates information security considerations to be used to manage the information system;

SA-3(a)[2]  manages the information system using the organization-defined system development life cycle;

SA-3(b)     defines and documents information security roles and responsibilities throughout the system development life cycle;

SA-3(c)     identifies individuals having information security roles and responsibilities; and

SA-3(d)     integrates the organizational information security risk management process into system development life cycle activities.

Potential Assessment Methods and Objects:

Examine: [select from: System and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; information system development life cycle documentation; information security risk management strategy/program documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with information security and system life cycle development responsibilities; organizational personnel with information security risk management responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for defining and documenting the SDLC; organizational processes for identifying SDLC roles and responsibilities; organizational process for integrating information security risk management into the SDLC; automated mechanisms supporting and/or implementing the SDLC].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056