SDLC Policy
SP-9 Software Development Lifecycle (SDLC)
Purpose
The purpose of this policy is to establish a standard expectation for implementation of a
Software Development Lifecycle (SDLC) that produces software that is secure, accessible,
mobile ready, and compliant with Company development standards, policies, and practices.
Scope
The scope of this policy includes all SnowBe employees, contractors, and temporary workers
involved in the development of company software.
Policy
Software development projects must address the following areas in a manner consistent with
standard agency and SnowBe business and development practices. All SDLC phases must be
addressed and incorporated in a consistent manner. Agencies and developers may make
necessary adaptations based on the size and complexity of projects. Policy implementation may
incorporate agency standards and guidelines that may be more stringent than the control
points or phases identified in this SDLC.
Phase 1: Preliminary Analysis
Based upon a stakeholder’s initiation request, the objective of this phase is to conduct a
preliminary analysis, propose alternative solutions, describe costs and benefits and submit a
preliminary plan with recommendations.
• Conduct the preliminary analysis: In this step, document the agency’s objectives and the
nature and scope of the problem under study.
• Propose alternative solutions: In digging into the agency’s objectives and specific
problems, some solutions may already be evident. Alternate proposals may come from
interviewing employees, clients, suppliers, and/or consultants. With this data, there are
five choices: leave the system as is, improve it, develop a new system, adapt a system
from another agency or Company, or purchase a commercial application.
• Describe the costs and benefits: Look at tangible costs versus tangible and intangible
benefits. Address the benefits of new development versus improvements to existing
systems, adaptations of other agency or Company systems, doing nothing, or purchasing
a commercial solution.
<Template Policy> – V 1.0
Status: Working Draft Approved Adopted
Document owner:
2/3/2022
• Identify risks: Every project or task has risks. Cost, time, implementation, security,
privacy, and regulatory risks may be identified. Risk reduction and mitigation plans are
to be considered as part of the preliminary analysis of any development effort.
• Agency and SnowBe budget approval: Obtain management and financial approval for
the project and add pertinent business case documentation as required.
Phase 2: Systems analysis, requirements definition
Translates project goals into defined functions and operations of the intended application.
Analyzes end-user information needs. Addresses requirements for security, mobility,
accessibility, and platform use expectations.
Phase 3: Systems design
Describes desired features and operations in detail, including screen layouts, business rules,
process diagrams, pseudo code and other documentation. Depending upon the size of the
project, prototyping is useful in this stage. Larger complex projects require more definition and
more controls. Smaller projects may move directly to faster methodologies.
Phase 4: Development
Actual development of code, preferably in functional components that can be tested
separately. Apply company standards such as:
• Accessibility: Applications need to be delivered and compliant with company
accessibility guidelines.
• Privacy: Application implementation and data collection need to be compliant with
company Privacy Policies
• Security: Applications must be deployed within a secure hosting environment and be
compliant with the SnowBe Security Policy.
• Mobility and Usability: Applications need to be deployable in any major browser.
Applications need to be responsive and usable on desktop and mobile devices and
consistent with the SnowBe Mobile Strategy and Mobile Platform Design Guidelines.
• Web Standards: Web implementation of applications needs to be compliant with Web
Standards and Guidelines and associated design documentation.
Phase 5: Integration and testing
Brings all the pieces together into a testing environment, then checks for errors and bugs,
tests interoperability, accessibility, mobility, performance, and standards compliance, and
includes an independent security review.
• Accessibility Testing
• Environment, Integration, and System Testing
• User Interface and Unit Testing
• Load Testing and Performance Tuning
• Privacy Policy Compliance
• Security Code Testing
• Mobility and Usability Testing
• Standards Compliance Testing
Exceptions/Exemptions
A business case for non-compliance must be established and the request for exemption
approved in advance through a risk acceptance process where the Chief Information Officer or
authorized designee is notified and approval for the exception is granted.
Enforcement
Staff members found in violation of this policy may be subject to disciplinary action, up to
and including termination.
Citation
https://SnowBe.utah.gov/policies/software-development-life-cycle-sdlc-policy