Systems Development Life Cycle (SDLC) Policy
The purpose of the Systems Development Life Cycle (SDLC) Policy is to describe the requirements for developing and/or implementing new software and systems at the University of Kansas and to ensure that all development work is compliant as it relates to any and all regulatory, statutory, federal, and /or state guidelines.
University employees (faculty, staff, and student employees), students, and other covered individuals (e.g., University affiliates, vendors, independent contractors, etc.) that perform any type of software or systems development work under the auspices of the University.
In the event a KU Department or Unit chooses to seek an exemption for reasons such as inability to meet specific points, tasks, or subtasks within the SDLC Policy or Standards, a SDLC Review Committee, comprised of representatives from across campus as designated by Information Technology, will convene in order to assess the specific merits of the exemption request(s) while still adhering to the main principles behind the SDLC Policy and Standards.
KU Information Technology (KU IT) at the University of Kansas, is responsible for developing, maintaining, and participating in a Systems Development Life Cycle (SDLC) for KU system development projects. All entities at the University, engaged in systems or software development activities, must follow the KU SDLC. This SDLC is detailed in the KU Systems Development Life Cycle (SDLC) Standards document.
Additionally, the following apply:
- All software developed in-house which runs on production systems must be developed according to the KU SDLC Standards. At a minimum, a software development plan should address the areas of preliminary analysis or feasibility study; risk identification and mitigation; systems analysis; general design; detail design; development; quality assurance and acceptance testing; implementation; and post-implementation maintenance and review. This methodology ensures that the software will be adequately documented and tested before it is used in conjunction with critical and/or sensitive University of Kansas information.
- All development work shall exhibit a separation between production, development, and test environments, and at a minimum have at least a defined separation between the development/test and production environments unless prohibited by licensing restrictions or an exception is made. These separation distinctions allow better management and security for the production systems, while allowing greater flexibility in the pre-production environments.
- Where these separation distinctions in environments have been established, development, and QA/test staff must not be permitted access to production systems unless absolutely required by their respective job duties/descriptions.
- All application/program access paths utilized in development or testing, other than the formal user access paths, must be deleted or disabled before software is moved into production.
- Documentation must be kept and updated during all phases of development from the initiation phase through implementation and ongoing maintenance phases. Additionally, security considerations should be noted and addressed through all phases.
- All software and web applications that create, manage, use, or transmit Level I information, as defined by the KU Data Classification and Handling Policy, must be developed and maintained solely by KU Information Technology. Other development work involving Level II and Level III information may be done outside of KU IT provided the KU Systems Development Life Cycle (SDLC) Standards are followed.
Exceptions to this policy and associated standards shall be allowed only if previously approved by the KU SDLC Review Committee and such approval documented and verified by the Chief Information Officer.
Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
Office of the Chief Information Officer
1001 Sunnyside Avenue
Lawrence, KS 66045
These definitions apply to these terms as they are used in this document.
University affiliates are the people and organizations associated with the University through some form of formalized agreement.
Level I information is that University Information with a high risk of significant financial loss, legal liability, public distrust or harm if this data is disclosed
Level II information is that University Information with a moderate requirement for Confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust, or harm if this data is disclosed.
Level III information is that University Information with a low requirement for Confidentiality [information is public] and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed.
01/26/2022: Updated contact section.
10/17/2014: Policy formatting cleanup (e.g., bolding, spacing).
10/08/2010: Updated to clarify compliancy in Policy Purpose.