Secure System Development Life Cycle Standard

What is it?

The Secure Systems Development Lifecycle (SSDLC) defines security requirements and tasks that must be considered and addressed within every system, project or application that is created or updated to address a business need. The SSDLC is used to ensure that security is adequately considered and built into each phase of every system development lifecycle (SDLC).

The SSDLC toolkit was developed to assist project, systems and application teams in collecting the appropriate artifacts and documentation to fulfill the security tasks in the SSDLC standard (NYS-S13-001). The security tasks within the SSDLC are easily mapped back to the phases in most SDLCs, and this mapping should be used as a guideline for initiating the security tasks.

Why is it important?

Systems and applications change over time to adjust to ever-changing business, regulatory and statutory requirements. Security is a requirement that must be included within every phase of a systems development life cycle. Per NYS Information Security Policy (NYS-P03-002), a secure SDLC must be utilized in the development of all State Entity (SE) applications and systems. This includes applications and systems developed for SEs. Agency program staff are ultimately responsible for maintaining system documentation as defined by the SSDLC standard.

What resources are available to me?

Resources to support your information classification efforts are available for download below:

SSDLC Toolkit

The security tasks, as defined by the NYS SSDLC standard, should be compiled into one cohesive security plan. CISO has developed templates and provided samples for each task, as well as a template for the overall information security plan. These templates, along with samples, can be found in the SSDLC Toolkit.

SSDLC Toolkit Zip File Contains:

  1. Define Security Roles and Responsibilities
  2. Orient Staff to the SDLC Security Tasks
  3. Establish a System Criticality Level
  4. Classify Information (see also NYS-S14-002)
  5. Establish System Identity Assurance Level Requirements (see also NYS-S13-004)
  6. Establish System Security Profile Objectives
  7. Create a System Profile
  8. Decompose the System
  9. Assess Risks
  10. Select and Document Security Controls
  11. Create Test Data
  12. Test Security Controls
  13. Perform Certification and Accreditation
  14. Manage and Control Change
  15. Measure Security Compliance
  16. Perform System Disposal