IBM Cloud Docs
SA-15 - Development Process, Standards, and Tools

SA-15 - Development Process, Standards, and Tools

Control requirements

SA-15 (a)

Require the developer of the system, system component, or system service to follow a documented development process that:

  1. Explicitly addresses security and privacy requirements;
  2. Identifies the standards and tools used in the development process;
  3. Documents the specific tool options and tool configurations used in the development process;
  4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development.

SA-15 (b)

Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].

Additional IBM Cloud for Financial Services specifications

Documentation for the organization's application should contain self-documenting (or self-describing) source code and user interfaces and follow naming conventions and structured programming conventions that enable use of the system without prior specific knowledge. The purpose of this self-explanatory design principle is to make source code easier to read, understand, and maintain, and reduce the need for users/developers to consult external documentation sources such as code comments and software manuals.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

NIST supplemental guidance

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.