Please enable JavaScript.

Coggle requires JavaScript to display documents.

3.3 (2) (SDLC (business application development has occurred largely…

- - - - DEVELOPMENT OF BUSINESS CASE that states the strategic benefits of implementing the system either
        
        productivity gains
        
        or in future cost avoidance
      - IDENTIFIES AND QUANTIFIES THE COST SAVING of the new system
      - ESTIMATES A PAYBACK SCHEDULE for the cost incurred in implementing the system
      - shows the PROJECTED ROI
      - READINESS OF BUSINESS USERS
      - MATURITY OF THE BUSINESS PROCESSES
    - - • Defines a time frame :timer_clock:for the implementation of the required solution
      - • Determines an optimum alternative risk-based solution for meeting business needs and general information resource requirements (e.g., whether to develop or acquire a system). :ok_hand::skin-tone-5:
        
        Such processes can easily be mapped to SDLC and rapid application development (RAD).
      - • Determines whether an existing system can correct the situation with slight or no modification (e.g., workaround) :desktop_computer:
      - • Determines whether a vendor product offers a solution to the problem :convenience_store: #
      - • Determines the approximate cost to develop the system to correct the situation :moneybag:
      - • Determines whether the solution fits the business strategy :world_map:
    - - • The date the system needs to be functional :runner:
      - • The cost to develop the system as opposed to buying it :moneybag:
      - • The resources, staff (availability and skill sets) and hardware required to develop the system or implement a vendor solution :male-office-worker::skin-tone-4: :female-office-worker::skin-tone-4:
      - • In a vendor system, the license characteristics (e.g., yearly renewal, perpetual) and maintenance costs :passport_control:
      - • The other systems needing to supply information to or use information from the vendor system that will need the ability to interface with the system :desktop_computer: :arrow_right: :control_knobs:
      - • Compatibility with strategic business plans :classical_building: :world_map:
      - • Compatibility with risk appetite and regulatory compliance needs :male-judge:
      - • Compatibility with the organization’s IT infrastructure :building_construction:
      - • Likely future requirements for changes to functionality offered by the system :crystal_ball:
  - - - • What a system should do :!!:
      - • How users will interact with a system :sweat_smile: :slightly_smiling_face: :open_mouth: :arrow_right: :desktop_computer:
      - • Conditions under which the system will operate :performing_arts: :bicyclist: :mountain_bicyclist::skin-tone-3: :partly_sunny_rain:
      - • Information criteria the system should meet :information_source:
    - - Many IT security weaknesses can be corrected with a more critical focus on security within the context of the SDLC and, in particular, during the requirements definition
    - - • Identify and consult stakeholders :man_in_business_suit_levitating: to determine their requirements.
      - • Analyze requirements to detect and correct conflicts :crossed_swords:(mainly, differences between requirements and expectations) and determine priorities.
      - • Identify system bounds and how the system should interact with its environment. :speech_balloon: :arrow_left: :computer:
      - • Identify any relevant security requirements. :closed_lock_with_key:
      - • Convert user requirements into system requirements (e.g., an interactive user interface prototype that demonstrates the screen look and feel). :page_facing_up: :arrow_right: :desktop_computer:
      - • Record requirements in a structured format. :ballot_box_with_check:
      - • Verify that requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable. :bulb:
        
        Because of the high cost of rectifying requirements’ problems in downstream development phases, effective requirements reviews have a large payoff.
      - • Resolve conflicts between stakeholders. :handshake:
      - • Resolve conflicts between the requirements set and the resources that are available.
    - - IS auditor should pay close attention to the degree the organization’s system security engineering team is involved
        
        in the development of SECURITY CONTROLS throughout the data life cycle within the business application
      - whether adequate AUDIT TRAILS are defined as part of the system because these affect the auditor’s ability to identify issues for proper follow-up.
      - IDENTIFY LEGAL, STATUTORY AND REGULATORY REQUIREMENTS for the solution being developed.
    - - Without management sponsorship, clearly defined requirements and user involvement, the benefits may never be realized