System Development Lifecycle Policy
Internal Use
System Development Lifecycle Policy
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.0 |
| Cadence | Annual |
| Policy Owner | Chief Technology Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-1, DCF-2, DCF-3, DCF-4, DCF-5, DCF-6, DCF-7, DCF-10, DCF-11, DCF-12, DCF-13, DCF-14, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-22, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-45, DCF-46, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-68, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-83, DCF-84, DCF-96, DCF-99, DCF-100, DCF-101, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy is to define the overarching requirements for system development lifecycle (SDLC) practices at Dispel, ensuring that systems are developed, operated, and retired in a controlled and secure manner.
1.2 Scope
This policy applies to:
- All systems developed, significantly customized, or operated by Dispel.
- All phases of the SDLC, including planning, design, implementation, testing, deployment, operation, and retirement.
- All Covered Persons involved in system development and lifecycle management.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC2.3, CC3.2 | SDLC controls supporting effective design, implementation, and operation of controls. |
| 2 | ISO/IEC 27001 | A.8.25, A.8.28 | Secure development life cycle and testing requirements. |
| 3 | NIST SP 800-53 | SA-3, SA-8, SA-10 | System development lifecycle, engineering principles, and developer configuration management. |
| 4 | IEC 62443 | 62443-4-1 | Secure development lifecycle for industrial automation and control systems. |
| 5 | HIPAA | 164.308(a)(1) | Risk management as applied to system development. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL adopt and maintain SDLC practices that integrate security, privacy, and quality considerations throughout the lifecycle of systems.
2.3 Secondary Policy Statement
- Systems SHALL have documented SDLC processes, including secure design, development, and testing.
- Deviations from SDLC practices SHALL be documented and approved as exceptions.
3. REQUIREMENTS
3.1 SDLC Policy Governance
Objective: Govern SDLC practices across the organization.
Mandatory Activities:
- The Policy Owner (CTO or delegate) SHALL own this policy and ensure alignment with related policies and plans.
- SDLC policies and supporting documents (e.g., plans, standards) SHALL be reviewed at least annually and updated as needed.
- This policy SHALL be communicated to all relevant stakeholders.
Required Outputs:
- Current SDLC policy and supporting documents.
Security Controls: NIST SP 800-53 SA-3.
3.2 SDLC Integration with Risk and Governance
Objective: Align SDLC practices with risk management and governance.
Mandatory Activities:
- SDLC activities SHALL incorporate outputs from risk assessments, planning, and configuration/change management.
- Program and project governance structures SHALL account for SDLC requirements and quality gates.
Required Outputs:
- Governance artifacts (e.g., charters, roadmaps) referencing SDLC requirements.
Security Controls: NIST SP 800-53 PL-1, PL-2, PM-11.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner (CTO or Delegate)
Responsibilities:
- Owns this System Development Lifecycle Policy.
- Approves SDLC standards and changes to SDLC practices.
4.2 System Owners
Responsibilities:
- Ensure systems follow SDLC practices defined in this policy and related documents.
4.3 Engineering, DevOps, and Security Leads
Responsibilities:
- Implement SDLC practices within their teams.
- Coordinate on secure design, development, and deployment practices.
5. PROCEDURES
High-level procedures for SDLC implementation are defined in the System Development Lifecycle Plan (P-System_Development_Lifecycle_Plan) and SHALL be followed by relevant teams.
6. MONITORING AND COMPLIANCE
Compliance with this policy SHALL be monitored through audits and reviews of SDLC practices and artifacts, as coordinated by the Policy Owner and Security Officer.
7. EXCEPTIONS AND WAIVERS
Exceptions to this policy SHALL be submitted in writing by the System Owner, include justification and compensating controls, and require approval from the Policy Owner (CTO).
8. DEFINITIONS
System Development Lifecycle (SDLC): A structured process encompassing all stages of system creation, operation, and retirement.
9. REFERENCES
- System Development Lifecycle Plan (P-System_Development_Lifecycle_Plan).
- System Planning Policy and Procedures.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | Predates version control | Ethan Schmertzler | Initial System Development Lifecycle Policy aligned to POLICY_TEMPLATE and control mappings. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | |||
| Security Officer | |||
| Senior Management Representative |