Booklet: Development and Acquisition
Section: Development Procedures

Action Summary

Development
projects involve the creation of software applications or integrated application
systems. Software development projects are completed in-house, through
outsourcing, or by a combined approach. Organizations typically manage
development projects using systematic methodologies that divide large,
complex tasks into smaller, more easily managed segments or phases.
Traditionally, many organizations used the systems development life cycle
(SDLC) method to assist in developing software for use in mainframe operating
environments. The SDLC provided a satisfactory method to manage the projects
because the functional and security requirements of the software were
limited. Functional requirements were primarily limited to transaction
processing and output reporting. Security requirements were limited because
of the closed environment in which mainframes operated. Typically, few
individuals had access to the mainframes. Therefore, physical restrictions
over mainframe terminals and logical controls over program and data libraries
provided most of a system’s security.
Client/server systems give significantly more users access to systems
and data. Therefore, the need to develop software with greater
functionality and stronger internal controls contributed to the development
of alternative, risk-focused software development techniques.
Alternative development techniques (such as spiral, iterative, and modified
SDLC methodologies) involve the completion of project activities in repetitive
(iterative) cycles. The techniques reduce project risks by ensuring the
requirements of each participant (end users, auditors, security administrators,
designers, developers, system technicians, etc.) are thoroughly considered
during each project phase. Involving all parties during each project phase
reduces the risk that organizations will not identify problems until late
in a project’s life cycle. The newer methodologies often employ
prototyping or modeling techniques during initial project phases. Prototyping
enhances users' ability to visualize how systems will look and work
after the systems are installed.
DEVELOPMENT STANDARDS
Organizations should establish development standards that, at a minimum,
address project management, system control, and quality assurance issues.
Project management standards should address issues such as project management
methodologies, risk management procedures, and project approval authorities.
System control standards should address items such as an application’s
functional, security, and automated control features. Quality assurance
standards should address issues such as the validation of project assumptions,
adherence to project standards, and testing of a product’s performance.
Development standards should include procedures for managing changes during
the development process. "Scope creep" is a common problem associated
with software development projects. It occurs when developers receive
requests to add or modify a program’s features while the program
is being developed. Although the addition or modification of functional,
security, or control features may be appropriate, uncontrolled changes
disrupt the development process. Establishing change approval procedures
and cut-off dates (after which requested changes are deferred to subsequent
versions) helps organizations manage change during the development process.
Development standards should also include procedures for managing internally
developed spreadsheets and database reports. Financial institutions often
rely on the spreadsheets and reports to make important budgeting and asset/liability
decisions, but fail to implement adequate testing, documentation, and
change-control procedures. Management’s reliance on the spreadsheets
and reports should dictate the formality of their development procedures,
change controls, and backup techniques.