Manage Access Control Playbook

Edit this page

Step 10 - Manage the System Development Life Cycle

The System Development Life Cycle (SDLC) is a systematic, repeatable process that agencies can follow to develop new systems that will help them achieve their access control goals. It will help you manage existing and developing tools and technologies. While there are many variations of the SDLC, the simplest and most commonly used model is the waterfall model that includes five phases: Planning, Requirements and Design, Build, Implement, and Operate and Maintain.

Most agencies have some variation of the SLDC in place to manage and maintain elements of their enterprise architecture. The same SDLC can be used to develop the tools and technology that are used as enablers within the Access Management Framework.

Checklist

 Prepare all elements required to begin the development of a system. During this step, you’ll need to prepare a communications plan, cost/benefit analysis of access control tools procurement and development, business plan, implementation plan/schedule, and a risk management plan. The goal of this phase is to develop a plan for the specific access control tools and technologies that need to be developed for the access control solution.

 Document the requirements and design of the access control solution. During this step, you’ll need to define how the solution should operate in the existing infrastructure. This phase can include gathering and validating requirements, securing funding, acquiring resources, and documenting the access control tool/technology design and solution architecture. Successful completion of the Requirements and Design phase can prevent unnecessary rework as the tool/technology is built and implemented.

 Build the technical solution, configure, and test the system. During this phase, you’ll configure servers/hardware, install software, implement security controls, and test the build. You’ll need to focus on building the access control tool/technology based on the outputs of previous phases within the SDLC. You’ll also need to test the solution to make sure the tool/technology meets defined requirements and performs as intended.

What are examples of tools and technologies that my agency might employ?

Tools and technologies can range from a centrally managed enterprise solution that handles extensive policy compliance and enforcement to a locally developed tool that helps a resource owner manage the ACL for their resource.

  • Processes for provisioning access to a resource
  • Forms requesting that access to a resource be provisioned for a user
  • Locally controlled management tools
  • Native resource access controls
  • Identity and Access Management (IAM) suites
  • Policy authorization engines

 Implement the access control solution. During this phase, you’ll migrate the solution from a development/test environment to an agency’s production infrastructure. Some activities include deploying the tool/technology to the production environment, conducting user acceptance testing and user training, and performing awareness and outreach activities so that all stakeholders understand how the new access control methods work and why they’re important.

 Perform ongoing management and system maintenance activities. Once you’ve implemented the access control solution, you must maintain the system’s operational status and make appropriate updates to uphold the security integrity and make sure the system operates correctly. Some activities in this phase include monitoring security controls, installing upgrades and patches, refreshing technology, and performing ongoing user training.