3.4.4 System Development
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
To view other versions open the versions tab on the right
Principle
System development methodology should be documented, approved and implemented to ensure that the development of Member Organization's system is performed in a strictly controlled manner.
Control Requirements
| 1. | The system development methodology should be defined, approved, implemented and communicated. | |
| 2. | The effectiveness of the system development methodology should be monitored and periodically evaluated. | |
| 3. | The system development methodology should address the following, but not limited to: | |
| a. | system development approach such as agile, waterfall, etc.; | |
| b. | secure coding standards; | |
| c. | testing types and approaches such as unit testing, regression testing, stress testing, etc.; | |
| d. | version controlling; | |
| e. | quality control; | |
| f. | data migration; | |
| g. | documentation; and | |
| h. | end user training. | |
| 4. | The system design document should be defined, documented and approved. | |
| 5. | The system design document should address the low level design requirements for the intended system, which includes but not limited to following: | |
| a. | configurations requirements; | |
| b. | integration requirements; | |
| c. | performance requirements; | |
| d. | cyber security requirements; and | |
| e. | data definition requirements. | |
| 6. | Member organizations relevant IT function or development team should conduct secure code review for: | |
| a. | applications developed internally; and | |
| b. | externally developed applications if the source code is available. | |
| 7. | Member Organizations should ensure that the secure code review report (or equivalent, such as an independent assurance statement) is formulated in case the source code is not available with the member organization. | |
| 8. | Cyber security controls should be embedded in the system development process in line with SAMA Cyber Security Framework. | |
| 9. | Version control system should be utilized to keep track of source code or build versions between various system environments (i.e. development, test, production, etc.). | |