Development and Acquisition

FFIEC IT Examination Handbook - Development & Acquisition Booklet

Completion Progress0 / 23 Controls

Track your SDLC and change management compliance

Overall Completion0%

Project Management

0 of 6 controls verified

Complete

SDLC methodology documented and approved by management

High Risk

Project management standards include planning, configuration, QA, risk management

High Risk

Roles and responsibilities clearly defined for development projects

Medium Risk

Project plans include scope, schedule, resources, and risk assessments

High Risk

Configuration management controls version control and change tracking

High Risk

Quality assurance testing performed throughout SDLC phases

High Risk

Development Procedures

0 of 6 controls verified

Complete

SDLC phases (initiation, planning, design, development, testing, implementation, maintenance, disposal) documented

High Risk

Security requirements integrated into design phase

High Risk

Code reviews and secure coding standards enforced

High Risk

Testing includes unit, integration, system, and user acceptance testing

High Risk

Implementation phase includes rollback procedures and data conversion validation

Medium Risk

Development and production environments properly segregated

High Risk

Acquisition

0 of 5 controls verified

Complete

Vendor selection process includes due diligence and risk assessment

High Risk

Software licensing agreements reviewed for compliance and liability

Medium Risk

Contracts include SLAs, security requirements, and right-to-audit clauses

High Risk

Escrowed documentation arrangements for critical systems

Medium Risk

Source code review performed for acquired software

Medium Risk

Maintenance & Change Management

0 of 6 controls verified

Complete

Change management process covers all modifications (major, routine, emergency)

High Risk

Patch management program includes testing and deployment procedures

High Risk

Library controls prevent unauthorized changes to production code

High Risk

Emergency changes documented and reviewed post-implementation

High Risk

Utility access restricted and monitored

High Risk

Documentation updated to reflect all system changes

Medium Risk

Examiner Expectations

SDLC Documentation

Examiners expect documented SDLC methodology covering all phases from initiation through disposal, with clear security integration points and testing procedures.

Change Management Controls

Strong segregation between development and production, formal change approval processes, and comprehensive testing requirements for all changes including emergency modifications.

Third-Party Acquisition

Vendor due diligence, contract review for security and liability provisions, and ongoing monitoring of acquired software performance and vendor financial stability.