Auditing SDLC (NT20071212)
Development Lifecycle
Audit Guidelines On How To Review SDLC Framework
By Nandasena T (NT) Hettigei, CISA, CISSP, CITP, CPA, CA
• Introduction
• Big Picture
• What is SDLC
• Audit Approach
• Audit Scope & Objectives
• Auditing SDLC Framework
• Validate Effectiveness
• Validate Common Components
• Project Management
• Auditor’s Role
Introduction to Systems Development Life Cycle
Audit Process
2.1 – Evaluate adequacy
2.2 – Validate effectiveness
Reminder - We have been following the standard audit process of:
– Obtaining an understanding of the control environment
– Evaluating the adequacy of controls
– Assessing by testing of controls
– Substantiating the risk of control objectives not being met
Source - Control Objectives for Information and Related Technology (CoBiT), IT Governance Institute.
Recommended for:
– New product (application) development
– Prototype/Business intelligence systems
– Innovative projects/products
– Incremental functionalities within a website
Recommended for:
– Large projects, as a powerful method to manage deployments
– Projects that require rapid and significant change
– Projects where even late changes in requirements are needed
Analysis Validation
Functional Requirements / Use cases:
– Business Case/requirements priorities
– High level use cases and required activities
– Dependencies and redundancies (impacted systems)
– System inputs and outputs – data, interfaces, etc.
– Re-prioritize requirements as needed
Design Validation
Functional Designs / Use cases:
– Standard FD template that includes:
  – Complexity (High, Medium and Low)
  – Transaction Volume, Constraints and Dependencies
  – Risk, Controls, Security and Test scenarios
Build Validation
Development/Coding:
– Development standard documentation that includes:
  – Coding standards
  – Nomenclatures, comment lines and segments
  – Programming with multi-threading
  – Code reviews (peer reviews and performance reviews)
  – Application security/Source code analysis
  – Input, process and output controls
  – Error handling standards
  – Defects classifications (Showstoppers, Sev 1, etc.)
  – Unit testing, coding quality control
  – Code version management
Integration Validation
System Integration:
– Integration approach should include:
  – Inventory of FDs and TDs with priorities and dependencies
  – Integrators, Adaptors and Middleware (MQ series)
  – System architecture, data flow diagrams
  – Integration with vanilla code or functionalities
  – Iterative vs. Incremental integration
  – Integration Test approach
  – Dependencies (systems and processes)
  – Change and Version Control
  – Error handling
Testing Validation
Functional, Performance and Security Testing:
– System Test approach should include:
  – Production-like testing environment
  – Acceptable defects rate (%)
  – Entry and exit criteria for system test
  – Unit test completed and acceptable defects rate
  – Code certified (if developed by a third party)
  – Functional test scenarios approved by stakeholders
  – Performance testing includes:
    – Number of users, Volume, response time, etc.
  – Security testing includes:
    – Application, Access and System security
  – Rework and retest standards
  – Regression testing
QA Validation
System/Software Quality Assurance:
– System Quality Assurance approach should include:
  – Requirements quality (functions, performance and security)
  – Defects tracking and trend analysis
  – Issue tracking and trend analysis system/tools
  – Stage gate sign-off process
  – Security settings and role-based access controls
  – Automated process workflows
  – System alerts for transaction exceptions
  – Regression testing
  – Performance and stress testing
  – Application and system security testing
  – UAT (user acceptance test) scenarios and testing
  – High availability, failover/recovery and disaster recovery
  – QA exit criteria – Meeting customer/business requirements
Delivery Validation
Deployment:
– Launch approach & customer impact assessment
– Deployment timeframe and system down time (impact)
– Data conversion and validation process
– Go/No go decision points
– Failover/recovery during the migration process
Documentation Validation
Adequate Documentation:
– Requirements Documentation (catalogue)
– Design and Development Approach
– Test and defects management Approach
– Quality Assurance Approach
– Deployment and Launch Approach
– Functional Designs / Use Cases
– Technical Designs and Data Schemas
– Business Process Designs
– Test scripts/scenarios, Issues log and defects log
– Deployment process with contingency rollback
– Security settings (access, system and roles)
– System specification, data sheets and user guides
Tools Validation
SDLC Tools:
– Change management tools
– Quality management tools (e.g. Quality Center)
– Issue tracking tools (e.g. PVCS)
– Code version manager (e.g. Subversion)
– Source code analysis tools (e.g. DevInspect)
– Application QA tools (e.g. QAInspect)
– Code migration tools/scripts
– Validation checklists and standard templates
– Enterprise target infrastructure (e.g. Tech Blueprint/BOB)
– Enterprise information security policies & standards
– Capacity, performance and scalability testing tools (e.g. LoadRunner)
Roles Validation
Development:
– Architect (software, system and performance)
– Business Systems Analyst
– Developer, Code Reviewer, Tester
– Security Architect
– Product Manager/Business/process owner
– Stakeholder
– Technical Writer
– Trainer
Quality Assurance:
– QA Manager
– QA Analyst
– Security Analyst
– Performance Analyst
– Business SMEs (Subject Matter Experts)
Thank You
Download the presentation from the ISACA website – URL http://www.mnisaca.org/