PPPR-05

Do you have a documented systems development life cycle (SDLC)?

Explanation

This question is asking whether your organization has a formal, documented Systems Development Life Cycle (SDLC) process. An SDLC is a framework that defines the process used to build an information system, including the required steps and tasks from initial conception through to deployment, maintenance, and eventual retirement of the system.

Why it's asked in a security assessment:

1. A documented SDLC demonstrates that your organization follows a structured approach to software development rather than ad-hoc processes
2. Security assessors want to verify that security considerations are integrated throughout the development process, not added as an afterthought
3. A formal SDLC typically includes security checkpoints, reviews, and testing at various stages
4. It shows organizational maturity and commitment to quality and security
5. It helps ensure consistency across development projects

A good SDLC typically includes phases like:

- Planning and requirements gathering
- Design
- Implementation/coding
- Testing (including security testing)
- Deployment
- Maintenance
- Decommissioning

When answering this question, you should:

- Clearly state whether you have a documented SDLC
- Briefly describe your SDLC methodology (Agile, Waterfall, DevOps, etc.)
- Mention how security is integrated into your SDLC
- Note whether the SDLC is regularly reviewed and updated
- Indicate if the SDLC is formally documented (in policies, procedures, etc.)

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive SDLC based on an Agile methodology that is fully documented in our internal development policies. Our SDLC consists of six phases: Planning, Design, Development, Testing, Deployment, and Maintenance. Security activities are integrated throughout each phase, including threat modeling during design, secure coding practices during development, security testing (SAST, DAST, and penetration testing) during the testing phase, and security monitoring post-deployment. Our SDLC documentation is reviewed annually and updated as needed to incorporate industry best practices and lessons learned. All development teams are trained on the SDLC during onboarding and receive refresher training annually.

Example Response 2

Yes, we have implemented a documented DevSecOps-based SDLC that emphasizes security at every stage of development. Our SDLC is documented in our company wiki and includes detailed procedures for each phase: Requirements Analysis, Architecture & Design, Implementation, Testing, Deployment, and Operations. Security checkpoints are embedded throughout, including security requirements gathering, threat modeling, secure code reviews, automated security scanning (using tools like SonarQube, Snyk, and OWASP ZAP), pre-deployment security validation, and continuous security monitoring in production. The SDLC documentation is maintained by our Security and Engineering teams collaboratively, with quarterly reviews to ensure it remains current with evolving security practices and technology changes.

Example Response 3

No, we currently do not have a formally documented SDLC. Our development process follows general best practices but has evolved organically as our team has grown. While we do incorporate security practices such as code reviews and vulnerability scanning before releases, these are not part of a comprehensive, documented framework. We recognize this as a gap in our security posture and have initiated a project to formalize our SDLC with integrated security controls. We expect to have a documented SDLC implemented within the next quarter, which will standardize our development practices and strengthen our security controls throughout the development process.

Context

Tab: Organization
Category: Policies, Processes, and Procedures

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub