Secure System Development Life Cycle Standard

What is it?

The Secure Systems Development Lifecycle (SSDLC) defines security requirements and tasks that must be considered and addressed within every system, project or application that is created or updated to address a business need. The SSDLC is used to ensure that security is adequately considered and built into each phase of every system development lifecycle (SDLC).

The SSDLC toolkit was developed to assist project, systems and application teams in collecting the appropriate artifacts and documentation to fulfill the security tasks in the SSDLC standard (NYS-S13-001). The security tasks within the SSDLC are easily mapped back to the phases in most SDLCs and should be used as a guideline for initiating the security tasks.

Why is it important?

Systems and applications change over time to adjust to ever-changing business, regulatory and statutory requirements. Security is a requirement that must be included within every phase of a systems development life cycle. Per the NYS Information Security Policy (NYS-P03-002), a secure SDLC must be utilized in the development of all State Entity (SE) applications and systems. This includes applications and systems developed for SEs. Agency program staff are ultimately responsible for maintaining system documentation as defined by the SSDLC standard.

What resources are available to me?

Resources to support your information classification efforts are available for download below:

SSDLC Toolkit

The security tasks, as defined by the NYS SSDLC standard, should be compiled into one cohesive security plan. EISO has developed templates and provided samples for each task, as well as a template for the overall information security plan. These templates, along with samples, can be found in the SSDLC Toolkit.

SSDLC Toolkit Zip File Contains:

1. Define Security Roles and Responsibilities

2. Orient Staff to the SDLC Security Tasks

3. Establish a System Criticality Level

4. Classify Information (see also NYS-S14-002)

5. Establish System Identity Assurance Level Requirements (see also NYS-S13-004)

6. Establish System Security Profile Objectives

7. Create a System Profile

8. Decompose the System

9. Assess Vulnerabilities and Threats

10. Assess Risks

11. Select and Document Security Controls

12. Create Test Data

13. Test Security Controls

14. Perform Certification and Accreditation

15. Manage and Control Change

16. Measure Security Compliance

17. Perform System Disposal