7.0 SDLC Requirements

  • A project management methodology must be created by management which defines the project development phases. There may be one or more methodologies for various size projects but some means to determine a project size and appropriate methodology must be determined and defined.
  • The project management methodology must meet the organization's policies and procedures.
  • The project management methodology defines or references relevant policies, standards and procedures.
  • The project management methodology must provide processes that are to be followed when systems are developed, acquired, implemented, and maintained.
  • When projects are begun, any variance from the project management methodology must be specified.
  • Processes or guidelines must exist in the SDLC method (project management methodology) so any major design problems are identified which would require the redesign of the system.
  • The project management methodology must require a statement of work which defines the business case for the project, the scope of the project, and what should be accomplished. The statement of work should be written before work begins.
  • The project management methodology must allow for customization when relevant.
  • All projects must follow the project management methodology.
  • All project designs must comply with set specifications.
  • The project management methodology must be reviewed a minimum of every other year to be sure it is consistent with current technology, current needs, and consistant with organizational program management and structure. Industry standards, new technologies, automation methods, risk management, ways to identify and report noncompliance, and current productivity tools should be considered when evaluating and/or revising the project management methodology.
  • A project management methodology review process must be created and ways to update the methodology should be included. It should include planning, testing, version control, risk management, training in the new methodology, and communication of the new methodology.
  • When the project management methodology is revised, management should review the effectiveness of the change to be sure the objectives of the change was obtained. This should take place about two or three months after the methodology was revised.
  • Audits and project reviews must be used to assess and improve the effectiveness of the project management methodology.
  • The project management methodology must satisfy any regulatory requirements or local statutes that apply to project management and must allow any requirements to be applied to the project.
  • The project management methodology must provide for a review of the project feasibility by upper management. Upper management should be sure the project fits the organization's priorities before allowing the project to continue and assure appropriate resources are allocated based on the need.
  • The project management methodology must ensure that operational requirements, operational procedures, service levels, and training materials are developed in a timely manner.
  • The project management methodology must provide a process for defining the service levels and operational requirements to support the business goals. These include required maintenance and monitoring to keep services operational for minimum periods of time or specifying maximum downtime of the system.
  • The project management methodology must allow for projects of different types and sizes to be effectively and efficiently managed, monitored and controlled. When minor changes are made the project management methodology must allow them to be delivered promptly while being reasonably well controlled.
  • The project management methodology must be capable of managing both new projects and projects that are modifying or replacing a system. If the technology used in a project is new the project management methodology must be capable of managing it effectively.
  • The project management methodology must provide for reporting project status on a regular basis. The status of cost and work done compared to the budget and schedule should be provided so any serious risks are addressed.
  • The project management methodology must provide for continuous key stakeholder and end user participation during the project life cycle. This participation must be outlined during the project initiation phase and further defined as the project continues. The project management methodology should include a communication plan to allow for project status and checkpoint reporting, required approvals to be obtained, user training, user training, user procedures and documentation to be provided and other items.
  • The project management methodology must provide processes during all project stages which require communication and coordination between system inplementers, customers, and users. Project specification, planning, testing, and implementation stages require close coordination.
  • Service level agreements and contracts should be used to define minimum coordination and communication along with quality standards where it is helpful.
  • Formal training in the use of the project management methodology must be created and communicated by management for all personnel who are affected by the project management methodology. Project management methodology must be provided to developers, designers, project managers, testers, users, and stakeholders.
  • The project management methodology must provide processes to define roles and responsibilities for documentation and training along with specifying the delivery timeframe of materials.
  • The project management methodology must provide processes to determine the quality of documentation and training materials through evaluation of the users.
  • The project management methodology must include or reference standards required by projects and provide guidelines for use of applicable standards where required.
  • Documentation standards must be published and communicated to project stakeholders.
  • Standards for unit testing must be included in the project management methodology and test standards and procedures must be identified or created.
  • Test standards must provide detailed instruction about how to conduct full system testing which includes integration testing, unit testing, test result verification, documentation of testing, and retention of test data.
  • The project management methodology must provide processes to define roles and responsibilities for unit testing.
  • The project management methodology must require the test report to provide evidence that the system testing was successful before the system is accepted.
  • The project management methodology must provide test standards and requirements. Management must implement processes to be sure testing and test plans are compliant with test standards.
  • The test standards provided by the project management methodology must be periodically reviewed to determine their effectiveness. The number and types of bugs found during testing and found during system operation which was missed by testing should be considered. Management should implement a process for this periodic review.
  • The testing methodology must include test plans, test procedures for unit and overall system testing, test requirements, test results documentation and verification.
  • The project management methodology must include a process to review the project and test results against development standards and other quality standards according to the Quality Assurance Policy.
  • A process must be developed to communicate the conclusions of quality assurance reviews to project managers, project stakeholders, and senior management as appropriate.
  • A process must be developed which can be used to use the conclusions from quality assurance reviews to improve project adherance to quality standards.
  • The project management methodology must ensure that Information Technology security personnel must work with Information Technology management to review new programs or changes so it can be determined whether access or change controls are working.

Roles and Responsibilities

  • All projects must be sponsored by a member of senior management.
  • The role of the project sponsor must be clearly defined including how much control over the project is held by the project sponsor.
  • The project management methodology must allow key end users, end user management, and project stakeholders to participate when the project is started, requirements documented, and when the project is authorized.
  • The project management methodology must provide the methodology used to determine which staff members will have specific roles. It will help determine the roles and responsibilities of those involved and thr roles of teams including the project office or project board.
  • The project management methodology must provide the ability to hold specific project members accountable for the delivery of business requirements.
  • The project management methodology must provide for the identification of required resources to support the project during all its phases.
  • The project management methodology must provide for the identification of decision making authorities and methods of escelation.
  • The project management methodology must require that someone is responsible for managing and/or acquiring third party resources and support relationships. This responsibility must be clearly defined and the person responsible must have the appropriate authority and experience to complete the tasks.
  • Roles and responsibilities of departments not directly related to the project must be considered including auditors, Finance, Human Resources, and Procurement. For example, Human Resources may be involved with account management associated with the project.

Project Office

  • A project office must be set up to help obtain agreement at the start of each project regarding roles and responsibilities. A useful method to get agreement with key stakeholders and staff is to have a workshop and to:
    • List the possible activities on the project.
    • Evaluate the project office responsibility for each office.
    • Identify the staff or group responsible for each activity even if the project office is not responsible.
    Over time, the process for similar projects should be repeatable and can be documented in to a set of processes for project management.
  • The project management methodology must provide documentation and procedures on how to use the project office and how to define the project requirements, roles, and responsibilities.


  • The organizational project load must be evaluated either continually or periodically against the resource availability and resources to complete the required set of projects in the expected timeframe. Results of the evaluation must be acted upon in a timely manner where corrective action is required.
  • The project management methodology must allow the project needs to be evaluated against available resources at one or more points in the project process. This should be done when the project schedule is determined and any time the project requirements or staffing changes.
  • A change control process must be included in the project management methodology to allow for changes to the project scope or project requirements to be evaluated, documented, and authorized.
  • Appropriate resources appropriate to the size, risk, and complexity of each project must be selected for each project. The level of experience of staff members must be appropriate to the needs of the project.

Project Plan

  • As the project progresses, the project plan must be updated as is appropriate. Any updates to the project plan or dependent plans must be made with the approval of the business owner. Appropriate changes include changes to major checkpoints, scheduling, or budgeting.

Project Initiation

  • When the project initiation phase in underway, alternate solutions for meeting the business need must be identified.
  • The methods used to support each solution's business processes must be identified and evaluated to determine the best overall cost which will include initial costs and maintenance costs. A feasibility study is used to make this determination. The benefit and payback of each solution should be identified. Risks to the project using each solution must be identified.
  • The project management methodology requires the roles of stakeholders and other staff to be defined during the project initiation phase. These roles must be further defined as the project progresses.
  • The project requirements definition must include requirements not directly related to user tasks but related to reliability and stability. These requirements include disaster recovery, business continuity, service levels, data and system backups, system performance, security, and data migration.
  • The project requirements definition must provide a communications plan which identifies who needs to be communicated with during the project. It includes those involved with the project and those not involved who will need to be communicated with. It identifies points in time or regular meetings when communication should occur and the most effective means to communicate such as one or more of meetings, telephone, or email. The communications plan should be modified as required as project needs change.

Project Approval

  • Project requirements including the project statement of work and project requirements definition must be agreed upon by key stakeholders. Critical success factors and key performance indicators must be included in the documentation.
  • The acceptance of the project requirements and statement of work must be formalized with a project approval document which is signed by key stakeholders. The approved document must be available to the stakeholders for reading.
  • The project management methodology provides for specified managers and users to review, approve or accept deliverables in each project phase before work can continue into the next project phase of the SDLC.
  • The project approval process must consider the cost of the project phase against the estimated costs along with the business benefits. When significant differences exist, the project board must re-assess the business case to determine whether the project cost is justified.
  • A clearly defined acceptance criteria must be defined and agreed upon between stakeholders and the project team before work begins on the deliverables for each project phase.


  • All interfaces (including structure, format, content, source, and method of support) to the system must be inventoried prior to finalization of the preliminary system requirements.
  • All interfaces must be properly specified, designed, and documented.

Design Approval

  • The design must be formally reviewed and approved prior to the start of the construction phase of the project.

Requirement Specifications

  • Project specifications must be developed and approved by management.
  • Specifications must include the need for redundancy and backups to prevent failures of the system and data loss.
  • The users must help provide system requirements for security requirements, control requirements, and business functional requirements during the requirements phase.
  • Internal and application security and internal must be considered during the requirements phase of the project.
  • Controls over completeness, accuracy, authorization, and timing (scheduling) must be considered during the requirements gathering phase.
  • The project specifications must meet the requirements of the organizational security policies.
  • The system must be properly documented to allow for the system to be well maintained. Requirements for minimum standards for guides and maintenance documents must be developed.
  • The systems supporting the project must be capable of operating on multiple platforms where appropriate or where redundancy is desired or required.

SDLC Security Requirements

  • Security risks of solutions must be identified and assessed. The possibility of exploits and possible impact must be assessed.
  • Security requirements must be assessed considering information about costs, benefits, and risks such that final decisions meet tht business need based on the organization's ability toi accept risk and pay for costs of risk mitigation.
  • Security requirements of the system must be identified, documented, and agreed to by all parties during the planning phase of the project which includes requirements gathering.
  • A point in time must be reached where management accepts the security requirements of the system and a decision to accept or reject the proposed security controls is made.
  • Business continuity management for the business functionality provided by the project under development must be considered as part of the security requirements. Activation of alternate sites, business continuity of services, and resumption of services must work well with the proposed solution.


  • The project management methodology must require a formal project implementation plan describing activities required to implement and satisfy the project requirements. This document is a statement of work. The business risk must be evaluated. The risk and statement of work must be reviewed and formally approved by key stakeholders.

SDLC Test Requirements

  • Acceptance test plans must be created.
  • The test plan must document resources that will be required to complete the test including test procedures, test personnel and their qualifications, test environments, and test tools.
  • The test plan must identify roles and responsibilities including test planners, test setup, documenters, and testers.
  • The test plan must identify required resources including test environments, test tools, and hardware.
  • The test plan must describe the various test stages including unit testing, system testing, system integration testing, user acceptance testing, performance testing, data conversion testion, and operational testing.
  • The test plan must be signed by the information technology management and the system owner.
  • The project must be well enough coordinated so additional project development or modifications does not negate previous testing requiring test to be redone. The test plan and project plan should assure this.
  • The test plan must include test stages, a description of each test stage, objectives of each test stage, the testing methods, entry criteria for each test stage, exit criteria for each test stage, test conditions for each test and test stage, required test data, expected test results, test scenarios, and what is covered by the testing.
  • The test plan must test the entire system including hardware, the application, backups and restores, user and administrative procedures, support, and monitoring.
  • Test data should be an accurate simulation of data used in a production environment but not include confidential or sensitive data and it should not violate any statutes.
  • Where the project is affected by organization's business cycles or can affect the organization's business cycles, the test plan must provide testing which covers the business cycle needs such as quarterly financial profit/loss reporting.
  • Acceptance testing, based on test plans, of various components of the system must be planned and be a part of the project prior to going to production.
  • Adequate time and resources for testing must be provided in the project plan.
  • The proper expertise must exist or be obtained so the technologies used may be adequately tested by experts to ensure that the components work as designed.
  • All projects must have a documented test plan.
  • The test plan must provide test cases and test types such as unit testing, and integration tests.
  • A test manager must coordinate testing through the required stages and should help coordinate efficient use of test procedures, tools, and other resources.
  • Test results must be documented and include errors and queries.
  • Test results must be documented and auditable. Errors and results must be reported to project management. Possible needs for changes to the test plan and project plan must be considered as testing is completed and documented.
  • Testing must be done in an environment provided explicitly for testing rather than production.
  • Testing must be satisfactory completed before the project moves into the production phase.
  • Regression testing is required when any code has been corrected of errors or modified.
  • Test standards must define when pilot or parallel testing is warranted and the procedures and requirements for conducting the testing. Parallel testing may be required when a new system is replacing an older legacy system.
  • Test standards must define methods of producing test documentation and how long it should be retained. The test standards should define who will retain and manage the documentation.
  • Test documentation includes the test strategy, the test plan, test results, logs, scripts, and ratings of issues. The test documentation should refer to the test plan and test requirements.
  • The test standards, test requirements, test procedures, and test documentation should support the quality assurance processes and policy. A process should be put in place to monitor the effectiveness of testing against quality assurance requirements.
  • Management must maintain and use a process to periodically review test standards including the circumstances when pilot or parallel testing is conducted. Any changes must be properly communicated to all affected parties.
  • The test plan must specify what conditions will warrent pilot or parallel testing and what conditions will determine when it is complete. Pilot testing is done to be sure the system works in the real user environment. Parallel testing is done to be sure a new application performs consistantly relative to the original application.
  • The system test plan must provide procedures for pilot or parallel testing if pilot or parallel testing is used.
  • The test plan must provide controls that assure that data or print outputs from pilot or parallel testing, if done, are not confused with normal production processing.


  • The project management methodology and change control process must be followed for all changes whether the changes are for technical reasons or business reasons such as the modification of the business process. Documentation reflecting the changes must be updated before the changes are deployed to the production system.
  • All changes must be classified to reflect risk according to specific change criteria. Changes may be rated as essential, major, moderate, or minor. Changes may be rated according to category such as security changes (fixes), functional enhancements, Functional error correction, or other categories.
  • Major changes should be handled as though they are new systems being developed when applying procedures for maintaining and obtaining software for the application.

Data Validation

  • Data that must be collected must be specified and the methods for data validation for each set of data must be determined.
  • The data validation process must be sure no data is lost due to data validation and collection inadequacies.
  • Data validation rules should be formalized and may include mathematical verification, comparison to currently collected or example data, or checks against what is reasonable considering what is expected.

Data Storage

  • Organizational standards for data record storage, retrieval, location, and retention should be applied to projects.
  • A procedure should be developed and used to be sure project data storage requirements comply with organizational standards.
  • A naming convention should be established for naming files and database objects. Instructions for naming tables, fields, columns, views, and indices should be provided.
  • The method for storage and retrieval of records must be defined by a file requirements definition document.

Component Use

  • A repository of reusable components or shared routines must be available for every project.
  • Procedures must support the use of the repository of reusable components or shared routines for every project. Existing code must be reused when appropriate.


  • The project management methodology must require that the file and database formats are documented.
  • The project management methodology must require that hardware structure and configuration be documented to minimum standards.
  • The project management methodology must require that software, software configuration, and program source code be documented to minimum standards.
  • Minimum documentation standards must be rigid enough to allow documentation to provide long term maintainability and the capability to re-build the system.


  • The project management methodology must require training for end users and operators of the system.
  • The project management methodology must provide training procedures, available to all involved parties, which define the roles, authority, and responsibilities of system designers, trainers, and end users.
  • The project plan must consider the training plan. The project plan must consider the required training time and resources and provide milestones that cover training. Project dependencies and critical paths must be identified so delivery with training can be as scheduled.
  • When projects change practices that end users use or change the way staff maintain the system, a training plan must be created.
  • Training plans must consider both end users, system administrators, administrators of the application, IT application developers, and any additional support staff.
  • Various effective training strategies must be considered including intranet based training, user accreditation, and training for those that train users. The most cost effective approach that is effective in solving the training needs and requirements should be used.

Performance and Optimization

  • The project management methodology must require the application software to be optimized for adequate performance based on project requirements and load.
  • The project management methodology must require monitoring and a time to be sure that system optimization tasks are performed when required.
  • The project management methodology must require procedures to be sure any issues that arize from system optimization and performance sizing are reviewed due to budgeting. This is due to possible scaling problems where additional load balancing systems may be required to meet the user demand.

System Conversion

  • The project management methodology must require a system conversion plan when a system is being replaced with a new system. The plan should ensure that the business processes continue to function as needed. The plan will ensure that the required functions of the old system are carried to the new system.
  • The project management methodology must require an assessment of the functions of any current system that will be replaced by a new system in order to define the new system requirements.
  • Roles and responsibilities of staff that will be involved in any system conversion process must be previously defined.
  • All system conversion plans must be reviewed and approved to be sure task coordination is achieved and enough resources are available at the required times.
  • The system conversion plan should provide the procedures for converting the old system to the new system and the effectiveness of the conversion should be evaluated.
  • The project management methodology must require a software deployment plan with a data conversion plan included when a system is being replaced with a new system. The owners of the system will be accountable for being sure the data was successfully converted.
  • The data conversion plan must be able to ensure that required resources are available and that proper coordination and communication occur by providing formal control and approval milestones.
  • The data conversion plan must provide methods to identify and resolve any errors in the data conversion process.
  • The data conversion plan should require testing to compare the original data with the converted data or files.
  • The data conversion plan should require the converted data to be tested on the new system to be sure it is compatible.
  • The data conversion plan should require a check of the new files or data to be sure they are accurate.
  • The data conversion plan must require any transactions that modify master files to update both old format type and converted files if there is an operational period during the conversion.
  • The new system must have its data output tested in detail by using various testing techniques as range limit tests, consistency tests, testing for proper output under various conditions, and testing data integrity.

Project Acceptance

  • Each project phase must have an acceptance criteria for project phase acceptance. The project phase acceptance requirements may include training, software capabilities, design documentation, delivery of procedures, or documented test results.
  • Before the project goes live, its readiness is assessed through an evaluation of functionality and factors which can be used to determine quality of the system. These factors should consider the business functions and support requirements for the system. The factors used to evaluate the system should have been previously determined when the project was planned.
  • Project stakeholders and users should approve the project to move into the next phase by signing an approval document.


  • The project plan must include a quality plan and both must be reviewed and approved by stakeholders.
  • The quality plan must identify quality assurance tasks. Quality assurance tasks should be identified while the project is in the planning phase.
  • The quality plan must provide ways to measure the quality of the infrastructure, business solution, and applicarion.
  • The quality plan must assign responsibilities for implementing tasks that assure or provide quality.
  • The quality plan must provide for independent appraisal of the business and technical solution where project size and complexity warent it.
  • The quality plan must include parts of the project that are being developed by third party contractors or vendors.
  • System accreditation requirements must be considered.
  • The security features and internal controls of the system must be evaluated during system accreditation.
  • A party that is independent of the project team and management and stakeholders should provide project quality assurance. Those who provide project quality assurance should be sufficiently skilled. The project quality assurance team should report to the project sponsor or project board.
  • At the beginning of the maintenance phase of the project or at the end of the implementation phase, a project review must be conducted to determine whether quality assurance standards were upheld for the project.
  • Procedures must be developed for the SDLC which define what is done during a quality assurance review to assure that development standards are followed.

Project Risk

  • Formal risk assessment and management members and processes should be established early in the project.
  • Project risk assessment should consider probabilities and potential impact along with priority and criticality of the various parts of the project that may be impacted.
  • Project risk mitigation should concentrate on the highest priority risks with the greatest chance of materialization combined with potential damage.
  • The responsibility for assessing the project risk must be clearly assigned to one or more individuals who have the proper skills to assess project risk.
  • When the project risks are identified, the project managers must discuss the risk with the stakeholders and agree upon mitigations.
  • Project risk should be reassessed at every project phase or when significant project changes are made such as requirements changes or staffing changes.
  • A project risk log should be created and maintained.
  • A project issues log which identifies and problems or potential problems with the project should be created and maintained.
  • The project risk log and project issues log should be reviewed by the risk assessment team regularly.
  • The owners of the project risk should be identified and notified when new project risks or issues are identified.
  • Mitigating actions to project risks or issues should be considered and presented to the risk holders. Cost and likely effectiveness of mitigation activities should be considered.