Senior management should assess and mitigate the operational/transactional risks associated with the development or acquisition of software. Management should develop applicable policies and standards, which specify risk management controls for the development and acquisition of systems. Uncontrolled software development or acquisition may introduce unacceptable levels of risk.
Management should guide the development or acquisition of software by using a system development life cycle (SDLC) or similar methodology that is appropriate for the specific IT environment. An SDLC methodology will also help to identify the risks when acquiring software; however, financial institutions should also consider the vendor's control environment, reputation, and capabilities.
Each phase of the SDLC should have procedures that verify the maintenance and integrity of controls before the start of the next phase. An institution should review information security aspects in each phase to identify those requirements. Audit should be involved to ensure proper security is incorporated during development. Depending upon the size and complexity of the institution, management should analyze the operational impact early in the process to identify any additional cost and support issues.
Management should test new technology, systems, and products thoroughly before deployment. Testing validates that equipment and systems function properly and produce the desired results. As part of the testing process, management should verify whether new technology systems operate effectively with other technology components including vendor-supplied technology. Pilot programs or prototypes can be helpful in developing new technology applications before management accepts them for use on a broad scale. Management should conduct retesting periodically to help manage risk exposure on an ongoing basis.
Refer to the IT Handbook's "Development and Acquisition Booklet" for additional detailed information on this topic.