THE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC)（系统开发生命周期(SDLC)）.pdf

THE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC) Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology The most effective way to protect information and information systems is to integrate security into every step of the system development process, from the initiation of a project to develop a system to its disposition. The multistep process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system, is called the System Development Life Cycle (SDLC). The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) recently updated its general guide that helps organizations plan for and implement security throughout the SDLC. The revised guide provides basic information about the comprehensive approach that NIST has developed for managing risks to systems and for providing the appropriate levels of information security based on the levels of risk. Federal agencies are directed to incorporate security controls and services into the SDLC under the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, Appendix III. NIST Special Publication (SP) 800-64, Revision 2, Security Considerations in the System Development Life Cycle Revision 2 of NIST SP 800-64, Security Considerations in the System Development Life Cycle, was developed by Richard Kissel, Kevin Stine, and Matthew Scholl of NIST, with the expert assistance of Hart Rossman, Jim Fahlsing, and Jessica Gulick, of Science Applications International Corporation (SAIC). In addition, many individuals in the public and private sectors contributed to the revision by reviewing it and providing constructive comments. The guide focuses on the information security components of the SDLC. One section summarizes the relationships between the SDLC and other information