
Source: Sony Pictures

100 Program Development

Columns of the original matrix: Control (label, number and description), New primary/optional, and Comment. The flattened rows below are rebuilt per process area.

101 Process of Policies and Procedures for Program Development

| ID | Label | Description | New primary/optional | Comment |
|---|---|---|---|---|
| 101.1 | RISK | Established, documented and approved Systems Development Lifecycle (SDLC) policies and procedures do not exist, are not approved or are not followed for the application or application group. | PRIMARY RISK | Edited for Clarity |
| 101.1.1 | CONTROL | Controls are in place to ensure that a formal Systems Development Lifecycle (SDLC) methodology policy exists, is properly documented and approved, and is updated regularly by management. | | |
| 101.1.2 | CONTROL | Controls are in place to ensure the Systems Development Lifecycle (SDLC) methodology is applied thoroughly and consistently by all developers (internal and external) in all projects for the application or application group. | | Edited for Clarity |
| 101.1.3 | CONTROL | Controls are in place to ensure the Systems Development Lifecycle (SDLC) methodology is communicated to all developers (internal and external) in all projects for the application or application group. | | Edited for Clarity |
| 101.2 | RISK | There is not a regular review to ensure that the system and supporting infrastructure are developed in accordance with its documented policies and procedures. | PRIMARY RISK | |
| 101.2.1 | CONTROL | Controls are in place to review that systems are developed in compliance with the existing Systems Development Lifecycle (SDLC) methodology. | | |
| 101.2.2 | CONTROL | Controls are in place to review that IT infrastructure components are changed (installed, removed or upgraded) in compliance with the existing Systems Development Lifecycle (SDLC) methodology. | | |
| 101.3 | RISK | The Security Office/Function is not actively involved in the system design, development and implementation process of the new system. | | |
| 101.3.1 | CONTROL | Controls are in place to ensure that the Security Office/Function reviews and signs off on new/existing systems' go-live/UAT procedures as part of the Systems Development Lifecycle (SDLC) methodology. | | |
| 101.3.2 | CONTROL | Controls are in place to ensure that the Security Office/Function reviews and signs off on new systems' requirements documentation as part of the Systems Development Lifecycle (SDLC) methodology. | | |
| 101.4 | RISK | Third party development contracts are not defined and managed to support the company program development requirements and process. | | |
| 101.4.1 | CONTROL | Controls are in place to ensure that external third party groups understand and agree to follow the company Systems Development Lifecycle (SDLC) methodology and policy. | | Edited for Clarity |
| 101.4.2 | CONTROL | Controls are in place to ensure that systems developed by third party vendors follow the same policies and procedures applicable to in-house system development projects. | | Edited for Clarity |
| 101.4.3 | CONTROL | Controls are in place to ensure that all development by third party/external resources includes a formal agreement and requirements document. | | Edited for Clarity |
| 101.5 | RISK | The development of new systems by third parties is not supervised by a Company person/function to ensure that the vendor meets the level of performance and quality required by the business and internal standards. | | |
| 101.5.1 | CONTROL | Controls are in place to ensure that the responsibility to monitor and report vendor performance against the agreement and Company policy has been clearly assigned. | | |
| 101.5.2 | CONTROL | Controls are in place to ensure that vendor performance is recorded and evaluated at key project milestones against project time and objectives. | | |
102 Process of Project Initiation (project planning, scope definition, and approval requirements)

| ID | Label | Description | New primary/optional | Comment |
|---|---|---|---|---|
| 102.1 | RISK | All projects, including project scopes and project plans, are not approved by management prior to project initiation. | PRIMARY RISK | |
| 102.1.1 | CONTROL | Controls are in place to ensure that system development projects with budget and resource allocation requirements obtain IT and business management sign-off. | | |
| 102.2 | RISK | A formal business requirements document is not developed prior to the start of designing or programming of any new or existing program development. | PRIMARY RISK | Edited for Clarity |
| 102.2.1 | CONTROL | Controls are in place to ensure that system requirements documentation is developed, completed and follows the format outlined in the Systems Development Lifecycle (SDLC) methodology. | | |
| 102.2.2 | CONTROL | Controls are in place to ensure that system development requirements are reviewed, approved and signed off by IT and business management. | | |
| 102.3 | RISK | Users are not involved in the approval of the design and/or selection of systems (including business and functional requirements). | PRIMARY RISK | |
| 102.3.1 | CONTROL | Controls are in place to ensure that system requirements documentation is reviewed and signed off by users/user representatives prior to application selection/development. | | Edited for Clarity |
| 102.3.2 | CONTROL | Controls are in place to ensure that system requirements documentation is reviewed and signed off by technical support and operations groups prior to system go-live/development. | | Edited for Clarity |
103 Process of Analysis & Design, including business and technical specifications

| ID | Label | Description | New primary/optional | Comment |
|---|---|---|---|---|
| 103.1 | RISK | The business and technical specifications / design documents are not completed and reviewed prior to program development. | PRIMARY RISK | |
| 103.1.1 | CONTROL | Controls are in place to ensure that system technical specifications are mapped to specific business requirements prior to writing program code/development. | | Edited for Clarity |
| 103.1.2 | CONTROL | Controls are in place to ensure that design specifications are written and signed off by business unit management prior to program development beginning. | | Edited for Clarity |
| 103.2 | RISK | The system and supporting infrastructure are not designed or developed under procedures outlined in the organization's system development life cycle, including the acquisition and planning process. | | |
| 103.2.1 | CONTROL | Controls are in place to ensure that systems are designed under the Systems Development Lifecycle (SDLC) methodology policy and procedures. | | |
| 103.2.2 | CONTROL | Controls are in place to ensure that systems are designed so that they can be integrated into the supporting technology infrastructure. | | |
| 103.2.3 | CONTROL | Controls are in place to ensure that technical specifications are developed and documented for each development project. | | Edited for Clarity |
104 Process of Software/hardware package selection procedures

| ID | Label | Description | New primary/optional | Comment |
|---|---|---|---|---|
| 104.1 | RISK | Software/hardware selection procedures (such as RFQ, FRS, RFI) do not exist or are not followed for major systems and supporting infrastructure initiatives. | | |
| 104.1.1 | CONTROL | Controls are in place to ensure that the acquisition of technology products and services follows a formal selection process that includes identification of viable providers and development of a vendor system rating/comparison analysis. | | |
| 104.1.2 | CONTROL | Controls are in place to ensure that the acquisition of technology products follows a formal vendor review process. | | Edited for Clarity |
| 104.1.3 | CONTROL | Controls are in place to ensure that the acquisition of technology products and services includes a formal selection process (such as RFP, RFQ, RFI) for major initiatives. | | |
105 Process of Development, Testing & Quality Assurance

| ID | Label | Description | New primary/optional | Comment |
|---|---|---|---|---|
| 105.1 | RISK | Testing procedures do not exist and/or are not followed for system and supporting infrastructure development, such as unit, system, integration and user acceptance testing. | PRIMARY RISK | Edited for Clarity |
| 105.1.1 | CONTROL | Controls are in place to ensure that detailed testing plans are developed to cover all aspects in all development projects. | | Edited for Clarity |
| 105.1.2 | CONTROL | Controls are in place to ensure that end users are involved in testing and provide sign-off for all development projects. | | Edited for Clarity |
| 105.1.3 | CONTROL | Controls are in place to ensure that test results are documented, reviewed and evaluated. | | |
| 105.2 | RISK | Interfaces with other systems are not tested to confirm that data transmissions are complete, secure, accurate and valid. | | |
| 105.2.1 | CONTROL | Controls are in place to ensure that test strategies and test plans include steps to ensure interface data transmissions are complete, secure, accurate and valid. | | Edited for Clarity |
| 105.2.2 | CONTROL | Controls are in place to ensure that interface test plans include a sample set of test data followed through the systems. | | |
| 105.2.3 | CONTROL | Controls are in place to ensure that test strategies and test plans include all related and interdependent business processes. | | |
106 Process of Data Conversion

| ID | Label | Description | New primary/optional | Comment |
|---|---|---|---|---|
| 106.1 | RISK | A defined data migration/conversion strategy does not exist, including detailed descriptions and data mapping for each data element to be migrated. | | |
| 106.1.1 | CONTROL | Controls are in place to ensure that a data migration strategy is developed and followed. | | |
| 106.1.2 | CONTROL | Controls are in place to ensure that all data is migrated per the data migration/conversion strategy. | | Edited for Clarity |
| 106.2 | RISK | All production data is not backed up and archived at the point of migration, and all production systems are not backed up at final cutover for future recovery considerations. | | |
| 106.2.1 | CONTROL | Controls are in place to ensure that sufficient backups are made, retained and documented prior to any data conversion. | | |
| 106.2.2 | CONTROL | Controls are in place to ensure that system implementation activities include rollback procedures for production data. | | |
| 106.2.3 | CONTROL | Controls are in place to ensure that contingency procedures specific to the data conversion, and based on business risk, are in place prior to initial rollout. | | |
| 106.3 | RISK | Conversion of data is not tested and signed off between its origin and its destination to confirm that it is complete, secure, accurate and valid. | | |
| 106.3.1 | CONTROL | Controls are in place to ensure that all data migration is tested and signed off. | | |
| 106.3.2 | CONTROL | Controls are in place to ensure that procedures include comparisons and detailed data reconciliation to ensure completeness and accuracy. | | |
| 106.3.3 | CONTROL | Controls are in place to ensure that procedures include comparisons and detailed review to ensure all converted data is authorized. | | |
107 Process of "Go-live" procedures

| ID | Label | Description | New primary/optional | Comment |
|---|---|---|---|---|
| 107.1 | RISK | A "go-live" plan, including a detailed list of check-points and testing sign-off, is not produced before the final cutover of any new system rollout and/or system functionality upgrade. | PRIMARY RISK | Edited for Clarity |
| 107.1.1 | CONTROL | Controls are in place to ensure that all new system development or existing system upgrades include a "go-live" plan. | | |
| 107.1.2 | CONTROL | Controls are in place to ensure that "go-live" plans require and obtain user sign-off of functionality and data conversion. | | |
108 Process of Development, User and Technical documentation and training

| ID | Label | Description | New primary/optional | Comment |
|---|---|---|---|---|
| 108.1 | RISK | Implementation of new systems is not communicated to affected businesses in sufficient (documented) detail. | | Edited for Clarity |
| 108.1.1 | CONTROL | Controls are in place to ensure that system users representing all affected business areas receive training on new system functions. | | Edited for Clarity |
| 108.1.2 | CONTROL | Controls are in place to ensure that users receive, or have access to (e.g. via the intranet), materials suitable to describe and explain system functionality. | | |
| 108.1.3 | CONTROL | Controls are in place to ensure that technology operations support staff develop an operations manual specific to the system development/update, which is available to all technology operations staff. | | Edited for Clarity |
| 108.2 | RISK | There is insufficient user training and supporting documentation for the system development. | | |
| 108.2.1 | CONTROL | Controls are in place to ensure that system users receive training on new system functions. | | Edited for Clarity |
| 108.2.2 | CONTROL | Controls are in place to ensure that technology operations administration support staff have adequate training and documentation. | | |
| 108.3 | RISK | User and administration reference and support manuals are not regularly updated and available. | | |
| 108.3.1 | CONTROL | Controls are in place to ensure that all user and administration material is available. | | Edited for Clarity |
| 108.3.2 | CONTROL | Controls are in place to ensure that all user and administration material is updated regularly, at least annually. | | Edited for Clarity |
