SA-3 System Development Life Cycle

Description

A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions.

The security engineering principles in SA-8 [Texas DIR, page 148] cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems.

It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities.

The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes.

This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.

Applicability

The unit head or information resource owner is responsible for ensuring that all requirements of this Control are substantiated and maintained throughout the life cycle of an information system.

Implementation

Chief Information Security and Privacy Officer (CISPO) reviews the data security requirements and specifications of any new information systems or services that process and/or store sensitive or mission critical information to:

  1. Manage the information system using the TAMU-CC system development life cycle that incorporates information security considerations. Additionally, Information security, security testing, and audit controls shall be included in all phases of the system development lifecycle or acquisition process;
  2. Define and document information security roles and responsibilities throughout the system development life cycle;
  3. Identify individuals having information security roles and responsibilities; and
  4. Integrates the organizational information security risk management process into system development life cycle activities.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019