
The intranet-posted version of this guidance is the document of record.

Title: IT Systems Development Lifecycle (SDLC) – MS Group
Document Type: Policies
Doc. No.: 12.311-000.000
Department: Information Technology
Effective Dt.: 6/24/2019
Group: Management Services
Revision No.: 02
Audience: All Management Services Employees
Language: English
Authorization: VP Information Technology/Chief Information Officer, MS Group
Responsibility: Director Information Technology, MS Group

1.0 Purpose
AECOM is heavily dependent upon information and information systems to successfully conduct mission-
essential functions. These functions require reliability in a constantly changing risk environment and
must be conducted in a manner that reduces the risks to the information, AECOM’s overall mission, and
its ability to do business and to serve the customer.
1.1 The purpose of this Policy is to define the Information Security processes that will be performed to
integrate Security early in the established Systems Development Lifecycle (SDLC) to ensure the
proper and effective management of risks to information confidentiality, integrity, and availability.
The outcomes to be achieved include the following:
1.1.1 Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in
lower cost of security control implementation and vulnerability mitigation.
1.1.2 Awareness of potential engineering challenges caused by mandatory security controls.
1.1.3 Identification of shared security services and reuse of security strategies and tools to reduce
development cost and schedule while improving security posture through proven methods
and techniques.
1.1.4 Facilitation of informed executive decision making through comprehensive risk management
in a timely manner.
1.1.5 Documentation of important security decisions made during development, ensuring
management that security was fully considered during all phases.
1.1.6 Improved organization and customer confidence to facilitate adoption and usage as well as
governmental confidence to promote continued investment.
1.1.7 Improved systems interoperability and integration that would otherwise be hampered by
securing systems at various system levels.
2.0 Applicability
2.1 This Policy applies to all AECOM Technical & Management Services Management Services (MS
Group) employees, consultants, contractors, company affiliates, or temporary employees who
participate in system development projects.
2.2 This Policy applies to all AECOM Information Technology (IT) Systems that meet the following
criteria:
2.2.1 Are subject to SOX audit.
2.2.2 Are subject to DCAA audit.
2.2.3 Are subject to other governmental regulations, such as the Defense Federal Acquisition
Regulation Supplement (DFARS).
2.2.4 Impact mission critical systems.
2.3 This Policy does not apply to joint ventures that AECOM does not control or where a client has
specific system development life cycle requirements.
3.0 Authority
Principal Policy 12.000-000.000 IT/Knowledge Management, Paragraph 4.3.1

Company Proprietary Page 1 of 5 Policies 12.311-000.000Rev02



4.0 Policy
4.1 AECOM MS Group will establish and maintain a structured Systems Development Life Cycle
(SDLC) process for systems and application development and packaged system modification that
includes the practices and the Security Controls necessary to achieve the following outcomes:
4.1.1 Business requirements for the application or modification are defined.
4.1.2 Data integrity.
4.1.3 Resource safeguarding and security.
4.1.4 Compliance with laws and regulations.
4.1.5 The SDLC process includes technical requirements, design, development, quality assurance
and acceptance testing, implementation, change management, and post-implementation
maintenance.
4.2 Phases of the SDLC include:
4.2.1 Initiation: During the initiation phase, the need for a system is expressed and the purpose of
the system is documented. Information categorization and identification requirements are
determined. Sources of security requirements, such as relevant laws, regulations, and
standards are identified.
4.2.2 Development/Acquisition: During this phase, the system is designed, purchased,
programmed, developed, or otherwise constructed. A risk assessment is performed by
Security to validate the system will support the necessary security requirements, including,
but not limited to: authentication, disaster recovery, intrusion detection, and incident
reporting.
4.2.3 Implementation/Assessment: After system acceptance testing, the system is installed or
fielded.
4.2.4 Operation/Maintenance: During this phase, the system performs its work. The system is
almost always modified by the addition of hardware and software and by numerous other
events. Configuration management is utilized for the system and changes. Reauthorization
is required if there is an impact to data security controls.
4.2.5 Disposal: Activities conducted during this phase ensure the orderly termination of the system,
safeguarding vital system information, and migrating data processed by the system to a new
system, or preserving it in accordance with applicable records management regulations and
policies.
4.3 To maintain reliable and stable systems, all entities developing software applications are required to
establish best practice SDLC procedures and require compliance from individuals who modify or
develop new systems.
4.3.1 All systems developed in-house or modified, which meet the applicability listed in Section
2.0, must be documented through the MS Group SDLC process. Each entity should
develop/formalize procedures considering the following:
4.3.1.1 Initiation: Describe the project in mind, whether it is a new system or a change to an
existing system and why this project should happen.
4.3.1.2 Requirements, Planning and Design: Establish a plan to follow which will take you
from your current state to desired state.
4.3.1.3 Development: Have a strategy in place to implement the new system or system
changes and provide support.
4.3.1.4 Testing and Quality Assurance: Conduct thorough testing of the system and
acquire management approval prior to deployment.
4.3.1.5 Deployment: Have steps in place to seamlessly transition support from the project
team to the system team.

4.3.2 General Project Guidelines: Conduct risk identification and mitigation during each stage of
the system development lifecycle. AECOM’s Enterprise Project Management Office (PMO)
team publishes a Project Management Methodology (PMM) that should be considered by all
involved entities.
4.4 All systems development and modifications require prior written or electronic approval by the
appropriate entity management and must follow the entity’s change management process. Written
or electronic approvals must be obtained from the appropriate entity’s management prior to each of
the SDLC stages below:
4.4.1 Starting work on the system development and/or modifications.
4.4.2 Accepting the testing of the system development and/or modifications.
4.4.3 Moving the system development and/or modifications into production.
4.5 Required entity management approvals include the entity IT Director (or designee) and one or more
of the following approvals, depending on the entity’s change management process:
4.5.1 Executive management
4.5.2 Operations management
4.5.3 Financial management
4.5.4 Subject matter expert
5.0 Responsibilities
5.1 The Vice President IT/Chief Information Officer shall direct actions based on the results of
assessments of the effectiveness of this Policy.
5.2 The Director of IT (owner) shall:
5.2.1 Implement this Policy.
5.2.2 Develop, approve, deploy, implement, enforce, assess, and improve all guidance authorized
by this Policy.
5.2.3 Ensure the compliance of those in IT with this Policy.
5.3 Managers of organizational entities that develop or modify systems shall:
5.3.1 Review planned activities and changes prior to each SDLC stage identified in Paragraph 4.4.
5.3.2 Provide written approval/authorization to proceed with each SDLC stage.
5.4 Users of Group-owned or operated workstations shall comply with this Policy and notify appropriate
personnel (e.g., system administrators, others) of any activities in violation of the guidance in this
Standard.
6.0 References
6.1 National Institute of Standards and Technology (NIST) Publication 800-64, Revision 2, Security
Considerations in the System Development Life Cycle
7.0 Definitions
7.1 DCAA: This is the Defense Contract Audit Agency. The DCAA conducts audits for the U.S. federal
government on Department of Defense contracts and supporting systems.
7.2 DFARS: Defense Federal Acquisition Regulation Supplement, a supplement to the FAR that
provides Department of Defense-specific acquisition regulations.
7.3 Entity: Entities are the business units of AECOM such as Design & Consulting Services (DCS),
Construction Services (CS), MS Group, Corporate, Hunt, and Tishman.
7.4 Joint Venture: A joint venture is a business agreement in which parties agree to develop, for a
defined period of time, a new entity and new assets by contributing equity. They exercise control
over the enterprise and consequently share revenues, expenses and assets at their predefined
ownership level.

7.5 SDLC: The process of creating or altering systems, and the models and methodologies that people
use to develop these systems.
7.6 SOX: This is an abbreviation for the Sarbanes-Oxley Act of 2002. The act was intended to protect
investors in public companies from fraudulent accounting practices.
7.7 Systems: Information Technology hardware, software, and their associated elements used for
managing, storing, processing or transferring information.
8.0 Attachments
8.1 Attachment 1: Change History
9.0 Distribution
All MS Group employees

Attachment 1
Change History
Chg No.  Date      Rev  Change Description
1        07/11/17  00   Initial version
2        06/24/19  01   Removed all references to Technical & Operational Services (TOS).
