Software Development Lifecycle Policy

Netspective Unified Process
 

This Software Development Lifecycle policy sets baseline protection standards for Netspective Communications LLC software, network devices, servers, and desktops. It applies to all users, including employees, contractors, and external parties involved in software development, system administration, and management. It must be easily accessible and extends to enterprise-wide systems and applications created by or for Netspective Communications LLC. [FII-SCF-019-PRM-07]

  1. The Netspective Communications LLC follows the Software Development Life Cycle (SDLC) which comprises the following phases:

    • Analyzing Requirements
    • Designing Architecture
    • Testing
    • Deploying/Implementing
    • Maintaining Operations
    • Decommissioning
  2. The Netspective Communications LLC must ensure that live data sets containing information identifying actual people or corporate entities, actual financial data such as account numbers, security codes, routing information, or any other financially identifying data are not present in the system during all phases of the SDLC where it is not in production. It is important to note that information considered sensitive must never be used outside of production environments.

  3. The team responsible for the requirements analysis phase must complete or consider the following activities:

    • Analyze business requirements.
    • Perform a risk assessment as per the Risk Assessment Policy.
    • Discuss security aspects such as confidentiality, integrity, and availability and how they apply to the requirement.
    • Review regulatory requirements and the Netspective Communications LLC’s policies, standards, procedures, and guidelines.
    • Review future business goals.
    • Review current business and information technology operations.
    • Incorporate program management items such as analyzing current system users/customers, understanding customer-partner interface requirements, and discussing project timeframe.
    • Develop and prioritize security solution requirements.
    • Assess the cost and budget constraints for security solutions, including development and operations.
    • Approve security requirements and budget.
    • Decide whether to buy or build security services based on the above information.
  4. The architecture and design phase must complete/consider the following:

    • Educate development teams on creating a secure system.
    • Refine infrastructure security architecture.
    • List technical and non-technical security controls.
    • Walk through the architecture.
    • Create a system-level security design.
    • Create high-level non-technical and integrated technical security designs.
    • Perform a cost/benefit analysis for design components.
    • Document the detailed technical security design.
    • Perform a design review that includes at least technical reviews of application and infrastructure, and review of high-level processes.
    • Describe detailed security processes and procedures, including segregation of duties and segregation of development, testing, and production environments.
    • Design initial end-user training and awareness programs.
    • Design a general security test plan.
    • Update the Netspective Communications LLC’s policies, standards, and procedures, if appropriate.
    • Assess and document how to mitigate residual application and infrastructure vulnerabilities.
    • Design and establish separate development and test environments.
  5. The development phase must complete and/or consider the following:

    • Set up a secure development environment (e.g., servers, storage).

    • Train infrastructure teams on installing and configuring applicable software, if required.

    • Develop code for application-level security components.

    • Install, configure, and integrate the test infrastructure.

    • Set up security-related vulnerability tracking processes.

    • Develop a detailed security test plan for current and future versions (i.e., regression testing).

    • Conduct unit testing and integration testing.

  6. During the testing phase, the development team must complete and/or consider the following tasks:

    • Conduct both static and dynamic analysis of the code to identify vulnerabilities and review the configuration through a code and configuration review process.

    • Test the configuration procedures.

    • Perform system tests to ensure that the system operates correctly.

    • Conduct performance and load tests with security controls enabled to verify that the system can handle the expected load.

    • Test the usability of application security controls.

    • Conduct independent vulnerability assessments of the system, including the infrastructure and application to identify any remaining security vulnerabilities.

  7. During the deployment phase, you must complete and/or consider the following:

    • Conduct a pilot deployment of the infrastructure, application, and other relevant components.

    • Transition between pilot and full-scale deployment.

    • Perform integrity checks on system files to ensure authenticity.

    • Deploy training and awareness programs to train administrative personnel and users in the system’s security functions.

    • Require at least two developers to participate in full-scale deployment to the production environment.

  8. In the operations/maintenance phase, you must complete and/or consider the following:

    • Routinely perform several security tasks and activities to operate and administer the system, including but not limited to:

      a. Administer users and access.

      b. Tune performance.

      c. Perform backups according to requirements defined in the System Availability Policy.

      d. Test and apply security updates and patches to perform system maintenance.

      e. Conduct training and awareness.

      f. Periodically conduct system vulnerability assessments.

         Vulnerability Scan/Penetration Tests Reports

      g. Conduct annual risk assessments.

    • Review operational systems to ensure that the security controls, both automated and manual, are functioning correctly and effectively.

    • Periodically review logs to evaluate the security of the system and validate audit controls.

      Network Log

      Application logs

    • Implement ongoing monitoring of systems and users to ensure detection of security violations and unauthorized changes.

    • Validate the effectiveness of the implemented security controls through security training as required by the Procedure For Executing Incident Response.

    • Perform a regular software application and/or hardware patching process to eliminate software bugs and security problems introduced into the Netspective Communications LLC’s technology environment. Apply patches and updates within ninety (90) days of release to provide for adequate testing and propagation of software updates. Apply emergency, critical, break-fix, and zero-day vulnerability patch releases as quickly as possible.

  9. During the decommission phase, we must complete and/or consider the following:

    • We must conduct unit testing and integration testing on the system after removing components.
    • We must conduct operational transition for removing or replacing components.
    • We must determine data retention requirements for application software and system data.
    • We must document the detailed technical security design.
    • We must update the Netspective Communications LLC’s policies, standards, and procedures, if appropriate.
    • We must assess and document how to mitigate residual application and infrastructure vulnerabilities.

Approved by Ajay Kumaran Nair on August 9, 2023
Last Updated by Sreejith K on August 9, 2023