compliance controls are associated with this Policy definition 'Integrate risk management process into SDLC' (00f12b6f-10d7-8117-9577-0f2b76488385)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SA-3 |
FedRAMP_High_R4_SA-3 |
FedRAMP High SA-3 |
System And Services Acquisition |
System Development Life Cycle |
Shared |
n/a |
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.
Supplemental Guidance: A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8.
Control Enhancements: None.
References: NIST Special Publications 800-37, 800-64. |
link |
3 |
| FedRAMP_Moderate_R4 |
SA-3 |
FedRAMP_Moderate_R4_SA-3 |
FedRAMP Moderate SA-3 |
System And Services Acquisition |
System Development Life Cycle |
Shared |
n/a |
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.
Supplemental Guidance: A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8.
Control Enhancements: None.
References: NIST Special Publications 800-37, 800-64. |
link |
3 |
| hipaa |
0705.07a3Organizational.3-07.a |
hipaa-0705.07a3Organizational.3-07.a |
0705.07a3Organizational.3-07.a |
07 Vulnerability Management |
0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets |
Shared |
n/a |
The IT Asset Lifecycle Program is regularly reviewed and updated. |
|
3 |
| hipaa |
0706.10b1System.12-10.b |
hipaa-0706.10b1System.12-10.b |
0706.10b1System.12-10.b |
07 Vulnerability Management |
0706.10b1System.12-10.b 10.02 Correct Processing in Applications |
Shared |
n/a |
Applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing. |
|
4 |
| hipaa |
1734.03d2Organizational.1-03.d |
hipaa-1734.03d2Organizational.1-03.d |
1734.03d2Organizational.1-03.d |
17 Risk Management |
1734.03d2Organizational.1-03.d 03.01 Risk Management Program |
Shared |
n/a |
The risk management process is integrated with the change management process within the organization. |
|
8 |
| hipaa |
1735.03d2Organizational.23-03.d |
hipaa-1735.03d2Organizational.23-03.d |
1735.03d2Organizational.23-03.d |
17 Risk Management |
1735.03d2Organizational.23-03.d 03.01 Risk Management Program |
Shared |
n/a |
Risk assessments are conducted whenever there is a significant change in the environment, or a change that could have a significant impact, and the results of the assessments are included in the change management process, so they may guide the decisions within the change management process (e.g., approvals for changes). |
|
8 |
| hipaa |
1781.10a1Organizational.23-10.a |
hipaa-1781.10a1Organizational.23-10.a |
1781.10a1Organizational.23-10.a |
17 Risk Management |
1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
Information system specifications for security control requirements state that security controls are to be incorporated in the information system, supplemented by manual controls as needed, and these considerations are also applied when evaluating software packages, developed or purchased. |
|
4 |
| hipaa |
1789.10a2Organizational.3-10.a |
hipaa-1789.10a2Organizational.3-10.a |
1789.10a2Organizational.3-10.a |
17 Risk Management |
1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems. |
|
4 |
| hipaa |
1790.10a2Organizational.45-10.a |
hipaa-1790.10a2Organizational.45-10.a |
1790.10a2Organizational.45-10.a |
17 Risk Management |
1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization includes business requirements for the availability of information systems when specifying the security requirements; and, where availability cannot be guaranteed using existing architectures, redundant components or architectures are considered along with the risks associated with implementing such redundancies. |
|
6 |
| hipaa |
1791.10a2Organizational.6-10.a |
hipaa-1791.10a2Organizational.6-10.a |
1791.10a2Organizational.6-10.a |
17 Risk Management |
1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
Specifications for the security control requirements state automated controls will be incorporated in the information system, supplemented by manual controls as needed, as evidenced throughout the SDLC. |
|
5 |
| hipaa |
1792.10a2Organizational.7814-10.a |
hipaa-1792.10a2Organizational.7814-10.a |
1792.10a2Organizational.7814-10.a |
17 Risk Management |
1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
Information security risk management is integrated into the SDLC, and information security roles and responsibilities are defined for all SDLC phases. |
|
4 |
| ISO27001-2013 |
A.14.1.1 |
ISO27001-2013_A.14.1.1 |
ISO 27001:2013 A.14.1.1 |
System Acquisition, Development And Maintenance |
Information security requirements analysis and specification |
Shared |
n/a |
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. |
link |
24 |
| ISO27001-2013 |
A.14.2.1 |
ISO27001-2013_A.14.2.1 |
ISO 27001:2013 A.14.2.1 |
System Acquisition, Development And Maintenance |
Secure development policy |
Shared |
n/a |
Rules for the development of software and systems shall be established and applied to developments within the organization. |
link |
7 |
| ISO27001-2013 |
A.14.2.6 |
ISO27001-2013_A.14.2.6 |
ISO 27001:2013 A.14.2.6 |
System Acquisition, Development And Maintenance |
Secure development environment |
Shared |
n/a |
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. |
link |
10 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
A.6.1.5 |
ISO27001-2013_A.6.1.5 |
ISO 27001:2013 A.6.1.5 |
Organization of Information Security |
Information security in project management |
Shared |
n/a |
Information security shall be addressed in project management, regardless of the type of the project. |
link |
25 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
| NIST_SP_800-53_R4 |
SA-3 |
NIST_SP_800-53_R4_SA-3 |
NIST SP 800-53 Rev. 4 SA-3 |
System And Services Acquisition |
System Development Life Cycle |
Shared |
n/a |
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.
Supplemental Guidance: A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8.
Control Enhancements: None.
References: NIST Special Publications 800-37, 800-64. |
link |
3 |
| NIST_SP_800-53_R5 |
SA-3 |
NIST_SP_800-53_R5_SA-3 |
NIST SP 800-53 Rev. 5 SA-3 |
System and Services Acquisition |
System Development Life Cycle |
Shared |
n/a |
a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
c. Identify individuals having information security and privacy roles and responsibilities; and
d. Integrate the organizational information security and privacy risk management process into system development life cycle activities. |
link |
3 |
|
op.pl.1 Risk analysis |
op.pl.1 Risk analysis |
404 not found |
|
|
|
n/a |
n/a |
|
70 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |