This document outlines the policy for the Software Development Life Cycle (SDLC) at Atishay Limited, detailing the phases including Requirement Analysis, Architecture and Design, Development, Testing, and Deployment. It emphasizes the importance of a secure and consistent process for managing software and information systems, along with specific activities to be completed at each phase. The policy also mandates that sensitive data must not be used outside of production environments.

Uploaded by

jeffrey.wong
11/12/2023

POLICY OF THE SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

SUBMITTED BY
ATISHAY LIMITED
Jaipur
Policy of the Software Development life cycle

Table of Contents
1. Introduction
1.1. Purpose
1.2. Background
2. Policy



Document Version: 1.0

Document Prepared By: Pankaj Jaldeep, ACP(DD) Date: 11-12-2023

Reviewed By/Approved By: Ranveer Singh, SA(JD) Date: 19-12-2023


1. Introduction:
1.1. Purpose
The purpose of this document is to present a detailed policy for the software
development life cycle (SDLC). It explains all the phases of the software development
life cycle, such as Requirement Analysis, Architecture and Design, Development, Testing,
and Deployment.

1.2. Background
a. This policy intends to ensure a well-defined, secure, and consistent process for
managing the entire lifecycle of software and information systems, from initial
requirements analysis until system decommission. The policy defines the procedure,
roles, and responsibilities for each stage of the software development lifecycle.
b. Within this policy, the software development lifecycle consists of requirements
analysis, architecture and design, development, testing,
deployment/implementation, and operations/maintenance. These processes may be
followed in any form; in an agile development model, the process can be repeated
iteratively.

2. Policy

a. The organization’s Software Development Life Cycle (SDLC) includes the following
phases:
i. Requirements Analysis
ii. Architecture and Design
iii. Testing.
iv. Deployment/Implementation.
v. Operations/Maintenance.
b. During all phases of the SDLC where a system is not in production, the system must
not have live data sets that contain information identifying actual people or corporate
entities, actual financial data such as account numbers, security codes, routing
information, or any other financially identifying data. Information that would be
considered sensitive must never be used outside of production environments.

c. The following activities must be completed and/or considered during the
requirements analysis phase:
i. Analyze business requirements.
ii. Perform a risk assessment.


iii. Discuss aspects of security (e.g., confidentiality, integrity, availability) and how
they might apply to this requirement.
iv. Review regulatory requirements and the organization’s policies, standards,
procedures and guidelines.
v. Develop and prioritize security solution requirements.

d. The following must be completed/considered during the architecture and design
phase:
i. Educate development teams on how to create a secure system.
ii. Develop and/or refine infrastructure security architecture.
iii. List technical and non-technical security controls.
iv. Perform architecture walkthrough.
v. Create a system-level security design.
vi. Create high-level non-technical and integrated technical security designs.
vii. Document the detailed technical security design.
viii. Perform a design review, which must include, at a minimum, technical reviews
of application and infrastructure, as well as a review of high-level processes.
ix. Describe detailed security processes and procedures, including segregation of
duties and segregation of development, testing and production environments.

e. The following must be completed and/or considered during the development phase:
i. Set up a secure development environment (e.g., servers, storage).
ii. Train infrastructure teams on installation and configuration of applicable
software, if required.
iii. Develop code for application-level security components.
iv. Install, configure and integrate the test infrastructure.
v. Set up security-related vulnerability tracking processes.
vi. Develop a detailed security test plan for current and future versions (i.e.,
regression testing).
vii. Conduct unit testing and integration testing.

f. The following must be completed and/or considered during the testing phase:
i. Perform a code and configuration review through both static and dynamic
analysis of code to identify vulnerabilities.
ii. Test configuration procedures.
iii. Perform system tests.

iv. Conduct performance and load tests with security controls enabled.
v. Perform usability testing of application security controls.
vi. Conduct independent vulnerability assessments of the system, including the
infrastructure and application.

g. The following must be completed and/or considered during the deployment phase:
i. Conduct pilot deployment of the infrastructure, application and other relevant
components.
ii. Conduct transition between pilot and full-scale deployment.
iii. Perform integrity checking on system files to ensure authenticity.

h. The following must be completed and/or considered during the
operations/maintenance phase:
i. Administering users and access.
ii. Performing backups according to requirements defined in the System Availability
Policy.
iii. Performing system maintenance.
iv. Conducting periodic system vulnerability assessments.

The End
