Welcome » IT Booklets » Development and Acquisition » Development Procedures » Systems Development Life Cycle » Design Phase
The design phase involves converting the informational, functional, and network requirements identified during the initiation and planning phases into unified design specifications that developers use to script programs during the development phase. Program designs are constructed in various ways. Using a top-down approach, designers first identify and link major program components and interfaces, then expand design layouts as they identify and link smaller subsystems and connections. Using a bottom-up approach, designers first identify and link minor program components and interfaces, then expand design layouts as they identify and link larger systems and connections.
Contemporary design techniques often use prototyping tools that build mock-up designs of items such as application screens, database layouts, and system architectures. End users, designers, developers, database managers, and network administrators should review and refine the prototyped designs in an iterative process until they agree on an acceptable design. Audit, security, and quality assurance personnel should be involved in the review and approval process.
Management should be particularly diligent when using prototyping tools to develop automated controls. Prototyping can enhance an organization's ability to design, test, and establish controls. However, employees may be inclined to resist adding additional controls, even though they are needed, after the initial designs are established. Designers should carefully document completed designs. Detailed documentation enhances a programmer's ability to develop programs and modify them after they are placed in production. The documentation also helps management ensure final programs are consistent with original goals and specifications.
Organizations should create initial testing, conversion, implementation, and training plans during the design phase. Additionally, they should draft user, operator, and maintenance manuals.
Application Control Standards Application controls include policies and procedures associated with user activities and the automated controls designed into applications. Controls should be in place to address both batch and on-line environments. Standards should address procedures to ensure management appropriately approves and control overrides. Refer to the IT Handbook's "Operations Booklet" for details relating to operational controls.
Designing appropriate security, audit, and automated controls into applications is a challenging task. Often, because of the complexity of data flows, program logic, client/server connections, and network interfaces, organizations cannot identify the exact type and placement of the features until interrelated functions are identified in the design and development phases. However, the security, integrity, and reliability of an application is enhanced if management considers security, audit, and automated control features at the onset of a project and includes them as soon as possible in application and system designs. Adding controls late in the development process or when applications are in production is more expensive, time consuming, and usually results in less effective controls.
Standards should be in place to ensure end users, network administrators, auditors, and security personnel are appropriately involved during initial project phases. Their involvement enhances a project manager's ability to define and incorporate security, audit, and control requirements. The same groups should be involved throughout a project's life cycle to assist in refining and testing the features as projects progress.
Application control standards enhance the security, integrity, and reliability of automated systems by ensuring input, processed, and output information is authorized, accurate, complete, and secure. Controls are usually categorized as preventative, detective, or corrective. Preventative controls are designed to prevent unauthorized or invalid data entries. Detective controls help identify unauthorized or invalid entries. Corrective controls assist in recovering from unwanted occurrences.
Input Controls Automated input controls help ensure employees accurately input information, systems properly record input, and systems either reject, or accept and record, input errors for later review and correction. Examples of automated input controls include:
Processing Controls Automated processing controls help ensure systems accurately process and record information and either reject, or process and record, errors for later review and correction. Processing includes merging files, modifying data, updating master files, and performing file maintenance. Examples of automated processing controls include:
Output Controls Automated output controls help ensure systems securely maintain and properly distribute processed information. Examples of automated output controls include: