December 15, 2022
CISSP Study Guide: System Development Life Cycle (SDLC)
December 15, 2022
The System Development Life Cycle (SDLC) is a structure for system development. Its purpose is to manage the development process and implement security at each stage of the development process. The principal elements of the SDLC are listed in “Generally Accepted Principles and Practices for Securing Information Technology Systems” (SP 800-14, National Institute of Standards and Technology, September 1996) and “Security Considerations in the Information System Development Life Cycle” (SP 800-64, National Institute of Standards and Technology, September, October 2003). The five stages of the SDLC are listed in NIST SP 800-14 as follows:
- Initiation – the beginning process that determines the need for the system and documenting its purpose and includes measuring the sensitivity of the system and data to be processed. This is called a sensitivity assessment.
- Development/Acquisition – involves the design, development, programming and acquisition of the system. In this stage programmers develop the application code while concentrating on security measures to make certain that input and output controls, audit mechanisms, and file-protection schemes are used.
- Implementation – this phase runs testing, security testing, accreditation, and installation of the system. This occurs once application coding has been completed. The testing should be handled by auditors or quality assurance engineers, not the programmers. If the code is written and verified by the same individuals, errors can go unnoticed and security functions can be bypassed. Thus assigning specific duties is important.
- Operation/Maintenance – identifying processes the system is designed to inform which include: security operations, modification/addition of hardware and/or software, administration, operational assurance, monitoring, and audits.
- Disposal – this phase overviews the state of the system or system components and products, such as hardware, software, and information; disk sanitization; archiving files; and moving equipment. This stage is usually reached when the system is no longer required.
Let's build your cybersecurity career together
Accelerate in your role, prepare for certifications, and develop cutting edge skills with the most in-demand training in the industry.
2,000+learning activities led by highly experienced cybersecurity professionals