Secure SDLC Framework - Final
Secure SDLC Framework - Final
Secure SDLC Framework - Final
Version 1.0
Last Updated 06 December 2017
Documented Information Classification level Internal Use Only
Documented Information Owner ISD – IS Assurance
Next Review Date December 2019
Status Final
Document created by
Shakeel Shaikh, AVP – Head of Information Security Assurance
Document reviewed by
Aiedh Al-Zahrani, EVP – Head of Business Technology Division
Hosain Al-Malky, SVP – Mgr., Solutions Development & Delivery Dept.
Husam Al-Suliman, SVP – Head of Information Security Department
Hasan Abdullah Al-Amri, SVP – Acting Manager of BT Infrastructure Dept.
Rashed Al-Sheban, VP – Head of BT Change Mgmt. Section
Mohammed A Aziz, AVP - Head of Security Governance and Risk
Rabea J Al-Muzin, AVP – Acting Manager of PMO
Nouf F Bin Tamran, Acting Head of UAT Section
Contents
1. Introduction 3
2. Purpose of the Framework 3
3. Scope 3
4. References 3
5. Assumptions & Constraints 4
6. Roles and responsibilities 5
7. Secure SDLC Process 7
8. Concept 8
9. Acquisition 10
10. Planning 13
11. Design 14
12. Development 16
13. Build 17
14. Testing 20
15. Implementation and Post Implementation 22
16. Operations and Maintenance 23
17. Disposal 24
18. Executive Owner 24
19. Document Custodian 24
1. INTRODUCTION
Riyad Bank is continuously expanding the use of Information Systems to enhance and
expand the services offered to customers, and to optimize the internal business processes.
Introduction of every new system expose the Bank to various security risks. Information
Security risks have to be assessed and mitigated before any system can be used to support
the Bank’s business.
Riyad Bank has established a Solutions Delivery Life Cycle (‘SDLC’) framework for the
acquisition of new systems. Information Security should be addressed in all the stages of
the Bank’s SDLC to effectively address Information Security risks of new systems.
Information Security processes portrayed in this document should be catered in all project
management methodologies and change management processes.
Information Security should be involved at the earliest stage and subsequently in all stages
of the SDLC. The benefits of early and continuous involvement of Information Security
includes:
3. SCOPE
The scope of this framework includes all technology-oriented projects in the Bank that are
registered with the Project Management Office. Technology-oriented projects following any
project management methodology will be within the scope of this framework.
4. REFERENCES
• ISP Policy
• Access Management Policy and Framework
• Encryption Policy
• Information Security Classification Policy
• ISRA Methodology
• Penetration Testing Methodology
• NIST 800-64
All implementations of technology projects in the Bank follow the above stated SDLC
methodology.
Secure SDLC Framework will operate independent of the Bank’s SDLC; while there will be
close interaction and integration with it.
BTD and BTG will modify their applicable processes to adhere to SDLC and Secure SDLC.
Bank’s SDLC and appropriate processes will incorporate the requirements of this
framework.
ISD will follow risk based approach in performing, not-performing, or expanding the scope
of tasks within the ISD responsibilities.
A new phase called ‘Planning’ has been added in the Secure SDLC, although it does not
exist in the Bank SDLC. Project Manager may execute this phase in the initial stages of
the project, as suitable. In this document, it is assumed that the planning phase will be
executed after the acquisition phase.
A new phase called ‘Development’ has been added in the Secure SDLC, although it does
not exist in the Bank SDLC. This phase is exclusively meant for software development.
This phase is not applicable to the projects wherein off-the-shelf systems are purchased
from the vendors (wherein source code is not created or is not held with the Bank).
While all actions shown in this document are shown as manual activities, some of them are
either automated or could be automated. Even though the activities are automated, the
responsible team will be accountable for the respective activity, in case automated
functions could not be performed by the respective system.
All relevant stakeholders will produce documents that are required to fulfill the
requirements in the SDLC and the Secure SDLC.
Building of Operations,
Implementation &
Infrastructure and Testing (SIT & UAT) Maintenance &
Concept Acquisition Planning Design Development Post Implementation
Disposal
Application
IS Risk Assessment
System
Building of Operations,
Integration and Implementation &
Infrastructure and Maintenance &
Concept Acquisition Planning Design Development User Acceptance Post Implementation
Disposal
Application Testing
PMO: Request ISD BA: Notify ISD for PMO: Invite ISD to BTD: Adherence to
PMO: Create BTD: Scan source BTD: Install OS\ CMD: Notify ISD of
for Steering security provide the plans SIT: Notify ISD of the Information
security design code for security Database \ release to
Committee requirements of security SIT initiation Security Policies
document vulnerabilities Application and production
representative activities and Standards
BA: Incorporate configure as per
PMO: Request ISD security BTD: Fix all the baseline
PMO: Incorporate UAT: Notify ISD of
for Project Review requirements in vulnerabilities and UAT initiation BTD: Fix security BTD: Notification of
plans of security
Team BRS\BRD ensure clean issues Change Requests
activities in Master
representative source code scan BTD: Apply security
Project Plan
PMO: Notify ISD for report patches
BTD: Apply security BTD: Notification
RFP review BTD: Notify ISD
configuration (as from relevant team
BTD: Retain clean applicable) upon production
BTD: Perform VM about the disposal
PMO: Incorporate scan report deployment
scan and baseline of production data
security
scans and retain used in UAT
requirements in RFP BTD: Maintain
BTD: Inform ISD clean reports
System Security
PMO: Invite ISD to about clean source
Design BTD: Notification of
evaluate proposals code scan
BTD: Install and disposal of systems
configure security
PMO: Notify ISD tools (ArcSight,
upon Business Case Guardium,
approval Tripwire, etc.)
Although Secure SDLC process applies to all Agile and Non-Agile projects, the Secure SDLC
process will be revised upon availability of Agile Project Management methodology of Riyad
Bank.
Secure SDLC processes applicable to Non-Agile projects have been divided into following
phases:
Implement
User ation & Operations,
Integration Maintenanc
Concept Acquisition Planning Design Development Build Testing Acceptan Post
e, &
ce Testing implement Disposal
ation
Participation and roles of all relevant stakeholders in various phases of Secure SDLC has
been described in the subsequent sections. Each stakeholder should incorporate associated
Secure SDLC requirements into all relevant processes.
Process flowcharts in this document have been illustrated from Secure SDLC perspective.
8. CONCEPT
During the concept phase, a steering committee and a technical review committee are
formed. Formation of the committees depends upon the type and complexity of the
project.
If a steering committee is being formed for a project, then Information Security shall be
invited to participate in the steering committee. If a technical review committee is being
formed for a project, then Information Security shall be invited to participate in the
technical review committee.
Create PCD
Technology
Committee
Approval of PCD NO
YES
Concept Phase
Assign ISD
Assign ISD
representative in
representative in
Technical Review
Steering Committee
Committee
ISD Representative
IS Risk Assessment
Notify all ISD
(Applicable if SAMA
stakeholders about
approval is
the project
required)
Key definitions:
Project Sponsor Dept.: The department who benefits the most from the initiative and
who is responsible to get the PCD approved by technical committee.
Inputs to ISD:
- Notification from PMO about the new project, formation of Steering Committee, and
formation of Project Review Team.
- Project Concept Document
Artifacts necessary:
9. ACQUISITION
Discovery phase, Approval phase, and Acquisition phase from the Bank SDLC have been
combined into a single Acquisition phase in Secure SDLC.
Acquisition phase in Secure SDLC has been divided in three major activities:
Security requirements
Security participation in solution selection
Security review of Scope of Work
Security Requirements, which will be provided during the Requirements Gathering stage,
shall be only high level requirements to be addressed at an overall solution level.
Following flow charts illustrate the process of Acquisition phase. Each activity in the
Acquisition phase has been shown in a separate flow chart.
Security requirements:
Project Sponsor
Dept.
Business Analyst
PMO
ISD representative
Security requirements
for the system
Security Analyst
Information
Assess security
related regulatory
requirements
applicable to the
system
Security Control
Requirements
Standard
Key definitions:
Business Analyst: The person responsible for documenting all the requirements.
Inputs to ISD:
- Security requirements to be added into BRD (ISD will define some security
requirements as functional requirements.)
- Approval of Business Requirements Document.
Artifacts necessary:
Evaluate proposals
for technical
requirements
ISD representative
Inputs to ISD:
Artifacts necessary:
Incorporate security
PMO
Send security
Inform ISD teams requirements\
comments for SoW
ISD teams
Review SoW to
Provide security
ensure security
requirements\
requirements are
comments for SoW
addressed
Security requirements
incorporated in RFP
Inputs to ISD:
Artifacts necessary:
10. PLANNING
Following flow chart illustrates the process of Planning phase:
Project Sponsor
Dept.
ISD representative
Consolidate security
Notify ISD teams to
plans & send them
provide their plans
to PMO
ISD teams
Provide post
Provide security Provide security Provide security
implementation
architecture and integration testing acceptance testing
security activities
design review plan plan plan
plan
Inputs to ISD:
Artifacts necessary:
11. DESIGN
Following flow chart illustrates the process of Design phase:
Application Design team
Review technical
design and share
with ISD
Design
ISD representative
Share technical
design and security
design with the ISD
stake holders
Maintain Security
ISD teams
OK
Key definitions:
Application Design team: The team responsible for documenting the technical design
document and security design document. This is a logical role which can be fulfilled by any
physical team.
Architecture team: The team responsible for the review and approvals of the technical
design document.
Inputs to ISD:
- Notification from Application Support team or BTD Design team about the starting
of system design.
- Technical Design Document
- Security Design Document
Artifacts necessary:
12. DEVELOPMENT
This phase is applicable to only those projects, where software code is either developed
inside the Bank or owned by the Bank. Following flow chart illustrates the process of
Development phase:
Project Sponsor
Dept.
report
Development
Source Code
Repository
ISD representative
ISD teams
Key definitions:
Inputs to ISD:
Artifacts necessary:
13. BUILD
Build phase in Secure SDLC has been divided in three major activities:
Build phase is applicable for each environment being built for the application, e.g.
development environment, testing environment, production environment, etc.
Following flow charts illustrate the process of Build phase. Each activity in the Build phase
has been shown in a separate flow chart.
Baseline Security
Standards
Inputs to ISD:
Artifacts necessary:
Database installation
BT SDD team
BT Infrastructure team
Baseline Security
Standards
Inputs to ISD:
Artifacts necessary:
Application installation
Application deployment
team
ISD representative
ISD teams
Key definitions:
Inputs to ISD:
Artifacts necessary:
14. TESTING
Testing phase in Secure SDLC has been divided in two major activities:
Integration Testing
User Acceptance Testing
Integration testing
Following flow chart illustrates the process of Integration Testing phase:
SIT Section
Security integration
testing clearance
Inputs to ISD:
Artifacts necessary:
ISD Representative
Security acceptance
testing clearance
Maintain Security
Penetration testing Architecture
Cyber Security
(Internal\External as Diagrams and PCI
Controls testing
applicable) Data-flows
Inputs to ISD:
Artifacts necessary:
Clearance for
Notify ISD of release
production use of
to production
the system
deployment team
Application
Implementation and Post Implementation
Consolidated
ISD Representative
Not OK
ISD teams
Inputs to ISD:
- Notification from Release Management team about the production release of the
system.
- Notification from Application Support team about production deployment of the
application.
Artifacts necessary:
Inputs to ISD:
Artifacts necessary:
- Adherence to the Information Security Policies and Standards such as (but not
limited to):
o Vulnerability Patching
o Baseline compliance
17. DISPOSAL
All applicable teams to define and follow procedures to be in compliant with the Information
Security disposal policies and standards, as relevant to their operational functions.
Inputs to ISD:
- Notification from relevant team about the disposal of production data used in UAT
- Notification of disposal of systems
- Disposal policy
Artifacts necessary:
- Disposal policy