System Development Lifecycle Plan
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.1 |
| Cadence | Annual |
| Policy Owner | Chief Technology Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-1, DCF-2, DCF-3, DCF-4, DCF-5, DCF-6, DCF-10, DCF-11, DCF-12, DCF-13, DCF-14, DCF-15, DCF-16, DCF-17, DCF-18, DCF-19, DCF-20, DCF-21, DCF-23, DCF-24, DCF-25, DCF-26, DCF-27, DCF-28, DCF-29, DCF-30, DCF-31, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-45, DCF-46, DCF-47, DCF-51, DCF-52, DCF-53, DCF-54, DCF-55, DCF-56, DCF-57, DCF-58, DCF-60, DCF-62, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-83, DCF-84, DCF-96, DCF-99, DCF-100, DCF-101, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this plan is to provide a structured framework for planning and managing the lifecycle of systems developed or operated by Dispel, including stages, processes, and methodologies from ideation through decommissioning.
1.2 Scope
This plan applies to:
- Systems and major components developed or significantly customized by Dispel.
- All lifecycle phases (planning, analysis, design, implementation, testing, deployment, maintenance, and retirement).
- All Covered Persons involved in system development, operation, and governance.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC2.3, CC3.2 | Supports change management and risk assessment controls for system development lifecycle activities. |
| 2 | ISO/IEC 27001 | A.8.25, A.8.28 | Supports secure development lifecycle and secure coding requirements. |
| 3 | NIST SP 800-53 | SA-3, SA-8, SA-10 | Implements system development lifecycle, security and privacy engineering principles, and developer configuration management controls. |
| 4 | IEC 62443 | 62443-4-1 | Supports secure product development lifecycle requirements for industrial and OT systems. |
| 5 | HIPAA | 164.308(a)(1) | Supports risk management for systems handling ePHI throughout the development lifecycle. |
2. POLICY STATEMENTS
2.1 Management Commitment
See the Management Commitment Statement in the System Development Lifecycle Policy (P-System_Development_Lifecycle_POLICY).
2.2 Primary Policy Statement
Dispel SHALL manage the system development lifecycle through documented stages and activities that incorporate security, privacy, and quality requirements.
2.3 Secondary Policy Statement
- SDLC stages and responsibilities SHALL be defined for each system.
- System development plans SHALL be maintained and aligned with organizational objectives.
3. REQUIREMENTS
3.1 SDLC Stage Definition and Governance
Objective: Define and govern SDLC stages for systems.
Mandatory Activities:
- System development lifecycle stages (e.g., planning, analysis, design, implementation, testing, deployment, maintenance, retirement) SHALL be defined for each in-scope system.
- Roles and responsibilities for each stage SHALL be documented.
- The system development lifecycle plan SHALL be reviewed and updated as systems or organizational needs change.
Required Outputs:
- Documented SDLC stages and RACI assignments.
Security Controls: NIST SP 800-53 SA-3.
3.2 Security and Privacy Integration
Objective: Integrate security and privacy into SDLC stages.
Mandatory Activities:
- Security and privacy requirements SHALL be identified and integrated into each stage of the SDLC as appropriate.
- Risk assessments and threat modeling SHOULD be performed for higher-risk systems.
- Security and privacy considerations SHALL be reflected in design, implementation, and testing activities.
Required Outputs:
- Security and privacy requirements mapped to SDLC stages.
- Risk and threat modeling artifacts where applicable.
Security Controls: NIST SP 800-53 SA-8, RA-3.
3.3 Stakeholder and RACI Planning
Objective: Ensure clear responsibilities across stakeholders.
Mandatory Activities:
- Stakeholders (e.g., Security, Engineering, DevOps, Product, Legal) SHALL be identified for each system.
- RACI (Responsible, Accountable, Consulted, Informed) or similar matrices SHALL be defined for SDLC stages.
- Stakeholder responsibilities SHALL be reviewed and updated as systems evolve.
Required Outputs:
- Stakeholder lists and RACI matrices.
Security Controls: NIST SP 800-53 PL-2, PM-11.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner / SDLC Owner
Responsibilities:
- Owns this System Development Lifecycle Plan.
- Ensures consistency with SDLC Policy and related documents.
- Coordinates updates and communication of SDLC practices.
4.2 System Owners
Responsibilities:
- Apply this plan to systems under their responsibility.
- Ensure SDLC stages and responsibilities are tailored and documented for their systems.
4.3 Engineering, DevOps, and Security Leads
Responsibilities:
- Implement SDLC practices in their teams.
- Ensure SDLC stages, security activities, and quality gates are adhered to.
5. PROCEDURES
5.1 System Development Lifecycle Stages (High-Level)
| Stage | Objective | Example Activities |
|---|---|---|
| Planning | Define objectives, scope, and feasibility | Stakeholder analysis, feasibility studies, high-level requirements |
| Analysis | Refine requirements | Detailed requirements, risk analysis, privacy impact assessments |
| Design | Specify architecture and design | Architecture diagrams, data flows, control design |
| Implementation | Build the system | Coding, configuration, integration |
| Testing | Validate behavior and security | Unit, integration, performance, and security testing |
| Deployment | Release system to production | Release planning, deployment, verification |
| Maintenance | Operate and enhance system | Incident handling, updates, improvements |
| Retirement | Decommission system | Data migration, data destruction, access revocation |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this plan SHALL be monitored through:
- Reviews of system-specific SDLC documentation and RACI matrices.
- Audits of SDLC activities against this plan.
6.2 Metrics and Reporting
The following metrics MAY be tracked and reported to support SDLC oversight:
- Percentage of systems with documented SDLC stages and responsibilities.
- Number of deviations from planned SDLC steps identified during reviews.
7. EXCEPTIONS AND WAIVERS
Exceptions to this plan SHALL follow the exception process and approval authorities defined in the System Development Lifecycle Policy (P-System_Development_Lifecycle_POLICY).
8. DEFINITIONS
System Development Lifecycle (SDLC): A structured process encompassing all stages of system creation, operation, and retirement.
9. REFERENCES
9.1 Internal References
- System Development Lifecycle Policy (P-System_Development_Lifecycle_POLICY).
- System Planning Policy and Procedures.
9.2 External References
- NIST SP 800-53, SA and PL families.
- IEC 62443-4-1.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | Predates version control | Ethan Schmertzler | Initial System Development Lifecycle Plan aligned to POLICY_TEMPLATE and control mappings. |
| 1.1 | 2026-03-31 | Claude (Agent) | Removed duplicated Management Commitment and framework table (deferred to SDLC Policy). Fixed cross-references. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Senior Management Representative | | | |