• Home
  • Systems Development Life Cycle (SDLC) Policy

Systems Development Life Cycle (SDLC) Policy

Policy
Purpose: 

The purpose of the Systems Development Life Cycle (SDLC) Policy is to describe the requirements for developing and/or implementing new software and systems at the University of Kansas and to ensure that all development work is compliant as it relates to any and all regulatory, statutory, federal, and /or state guidelines.

Applies to: 

University employees (faculty, staff, and student employees), students, and other covered individuals (e.g., University affiliates, vendors, independent contractors, etc.) that perform any type of software or systems development work under the auspices of the University.

In the event a KU Department or Unit chooses to seek an exemption for reasons such as inability to meet specific points, tasks, or subtasks within the SDLC Policy or Standards, a SDLC Review Committee, comprised of representatives from across campus as designated by Information Technology, will convene in order to assess the specific merits of the exemption request(s) while still adhering to the main principles behind the SDLC Policy and Standards.

Campus: 
Lawrence
Policy Statement: 

KU Information Technology (KU IT) at the University of Kansas, is responsible for developing, maintaining, and participating in a Systems Development Life Cycle (SDLC) for KU system development projects. All entities at the University, engaged in systems or software development activities, must follow the KU SDLC. This SDLC is detailed in the KU Systems Development Life Cycle (SDLC) Standards document.

Additionally, the following apply:

  • All software developed in-house which runs on production systems must be developed according to the KU SDLC Standards. At a minimum, a software development plan should address the areas of preliminary analysis or feasibility study; risk identification and mitigation; systems analysis; general design; detail design; development; quality assurance and acceptance testing; implementation; and post-implementation maintenance and review. This methodology ensures that the software will be adequately documented and tested before it is used in conjunction with critical and/or sensitive University of Kansas information.
  • All development work shall exhibit a separation between production, development, and test environments, and at a minimum have at least a defined separation between the development/test and production environments unless prohibited by licensing restrictions or an exception is made. These separation distinctions allow better management and security for the production systems, while allowing greater flexibility in the pre-production environments.
  • Where these separation distinctions in environments have been established, development, and QA/test staff must not be permitted access to production systems unless absolutely required by their respective job duties/descriptions.
  • All application/program access paths utilized in development or testing, other than the formal user access paths, must be deleted or disabled before software is moved into production.
  • Documentation must be kept and updated during all phases of development from the initiation phase through implementation and ongoing maintenance phases. Additionally, security considerations should be noted and addressed through all phases.
  • All software and web applications that create, manage, use, or transmit Level I information, as defined by the KU Data Classification and Handling Policy, must be developed and maintained solely by KU Information Technology. Other development work involving Level II and Level III information may be done outside of KU IT provided the KU Systems Development Life Cycle (SDLC) Standards are followed.
Exclusions or Special Circumstances: 

Exceptions to this policy and associated standards shall be allowed only if previously approved by the KU SDLC Review Committee and such approval documented and verified by the Chief Information Officer.

Consequences: 

Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.

Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

Contact: 

Chief Information Officer
345 Strong Hall
1450 Jayhawk Blvd
Lawrence, KS 66045
785-864-4999
kucio@ku.edu

Approved by: 
Chief Information Officer
Approved on: 
Tuesday, December 1, 2009
Effective on: 
Tuesday, December 1, 2009
Review Cycle: 
Annual (As Needed)
Definitions: 

These definitions apply to these terms as they are used in this document.

University affiliates are the people and organizations associated with the University through some form of formalized agreement.

Level I information is that University Information with a high risk of significant financial loss, legal liability, public distrust or harm if this data is disclosed

Level II information is that University Information with a moderate requirement for Confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust, or harm if this data is disclosed.

Level III information is that University Information with a low requirement for Confidentiality [information is public] and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed.

Keywords: 
systems development, software development, production systems
Review, Approval & Change History: 

10/17/2014: Policy formatting cleanup (e.g., bolding, spacing).
10/08/2010: Updated to clarify compliancy in Policy Purpose.

Information Access & Technology Categories: 
Information Access
Privacy & Security

Can't Find What You're Looking For?
Policy Library Search
New Policies in the last 30 days
KU Today
One of 34 U.S. public institutions in the prestigious Association of American Universities
Nearly $290 million in financial aid annually
44 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
—ALA
23rd nationwide for service to veterans —"Best for Vets," Military Times