Guide to Auditing for Controls and Security: A System Development Life Cycle Approach
Zella G. Ruthberg, Bonnie T. Fisher, William E. Perry, John W. Lainhart, James G. Cox, Mark Gillen, Douglas B. Hunt
This guide addresses auditing the system development life cycle (SDLC) process for an automated information system (AIS), to ensure that controls and security are designed and built into the system rather than added afterward. The guide also presents a process for deciding which system to audit among an organization's universe of systems. It is directed toward mid-level ADP auditors with a minimum of two years' experience in ADP auditing, but can also be used by security reviewers and quality assurance personnel, and as a training tool for less experienced ADP auditors. ADP managers and system developers will also find it useful as guidance on security and control issues. The guide provides audit/review programs for each major phase of the SDLC process and assumes a large, sensitive system; the reader is expected to make appropriate modifications for small, less sensitive systems. The guide represents the results of the past four years of activities by the Electronic Data Processing (EDP) Systems Review and Security Work Group of the Computer Security Project within the President's Council on Integrity and Efficiency (PCIE).
Ruthberg, Z., Fisher, B., Perry, W., Lainhart, J., Cox, J., Gillen, M. and Hunt, D., Guide to Auditing for Controls and Security: A System Development Life Cycle Approach, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NBS.SP.500-153 (Accessed March 3, 2024)