Software Development Life Cycle (SDLC) Policy

Breakout Learning Inc


Purpose

This policy defines the high-level requirements that give business program managers, business project managers, technical project managers, and other stakeholders the guidance needed to support the approval, planning, and lifecycle development of Breakout Learning Inc software systems in alignment with the Information Security Program.


Roles and Responsibilities

Chief Technology Officer (CTO)

  • Overall Oversight: Provides guidance for the SDLC process.
  • Resource Allocation: Allocates resources and assigns tasks.
  • Approval and Reviews: Approves key project deliverables.
  • Risk Management: Identifies and mitigates risks.
  • Stakeholder Communication: Ensures stakeholder requirements and feedback are incorporated.

Software Engineers

  • Requirement Analysis: Participate in gathering and documenting requirements.
  • Design & Development: Implement software solutions following best practices.
  • Testing & Code Review: Develop unit tests and participate in code reviews.
  • Documentation: Prepare technical documentation.

Quality Assurance (QA)

  • Test Planning & Execution: Develop test plans and execute them to ensure quality.
  • Defect Tracking: Identify, log, and track software defects.
  • Compliance Verification: Ensure software complies with SOC2 Type 1 requirements.

Project Stakeholders

  • Requirements Provision: Provide detailed requirements and feedback.
  • Milestone Approvals: Approve project milestones and deliverables.

Policy

Breakout Learning Inc must establish and maintain processes ensuring that its software follows a consistent, repeatable SDLC process that integrates information security at every stage.


Software Development Phases and Approach Standard

  1. Determine System Need Phase: Identify and define the system's necessity and allocate resources.
  2. Define System Requirements Phase: Break down user requirements into detailed specifications, including security requirements.
  3. Design System Component Phase: Create system designs that incorporate security features and technical details.
  4. Build System Component Phase: Code and integrate the system, with extensive testing for security vulnerabilities.
  5. Evaluate System Readiness Phase: Independent testers evaluate system quality and security.
  6. System Deployment Phase: Release the system to production, ensuring any further vulnerabilities are addressed.

Project Management Approaches

  • Waterfall Development
  • Agile Development
  • Iterative Development
  • Staged Delivery Development

Secure System Engineering Principles

Business Layer

  • Security Requirement Integration: Incorporate security requirements into all business processes.
  • Risk Management: Conduct continuous risk assessments.
  • Regulatory Compliance: Ensure alignment with SOC2 Type 1 and other regulatory requirements.

Data Layer

  • Data Encryption: Encrypt data in transit and at rest.
  • Data Integrity: Use checksums and hashing mechanisms.
  • Access Control: Enforce strict access control policies.

Applications

  • Secure Coding Practices: Follow OWASP and SANS guidelines.
  • Regular Audits & Penetration Testing: Conduct annual audits and penetration testing.
  • Application Hardening: Minimize attack surfaces by disabling unnecessary services.

Technology

  • Patch Management: Regularly update systems and software.
  • Access Logging & Monitoring: Maintain detailed logs and monitor access to detect security incidents.

SDLC Security Control Guidelines

  1. Separation of Environments:
    • Maintain strict separation between development, testing, and production environments.
    • Production data must not be used in testing or development environments.
    • Test environments should mirror production as closely as possible.
  2. Version Control:
    • Use version control systems to track all code changes.
    • Changes to production environments must follow the change control procedures, with proper approvals.
  3. Secure Coding and Code Reviews:
    • Enforce secure coding standards.
    • All code changes must be reviewed by personnel knowledgeable in secure coding practices.
  4. Use of Secure Programming Practices:
    • Ensure secure development principles such as OWASP Top 10 are integrated into the process.
  5. Backups & Recovery:
    • Backups of development and production environments must be stored securely.
    • Offsite backups must be maintained for disaster recovery.
  6. Threat Modeling & Vulnerability Testing:
    • Conduct regular threat modeling exercises and vulnerability tests.
    • Include incident reviews and contingency planning.
  7. Security Training:
    • All developers must complete secure coding training.
    • Annual training should include internet threats and OWASP principles.
  8. Security of Outsourced Development:
    • For outsourced development, Breakout Learning Inc will ensure that the third-party developers follow secure development practices.
    • Contracts must include clauses for secure design, development, and testing.
  9. Secure Interoperability & Data Portability:
    • Breakout Learning Inc will ensure secure management of customer data during data migration processes.

Enforcement

Violations of this policy may result in disciplinary actions, including but not limited to termination of employment or contracts.


Revision History

Version | Date | Editor | Approver | Description of Changes
1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations
1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version