7.1.9 System Development and Acquisition
A. Purpose
To address Systems Development Life Cycle (SDLC) processes at The University of Texas at Tyler (the "University").
B. Persons Affected
This policy does not apply to research (scientific discovery) projects, whether funded or otherwise.
C. Definitions
MODERATE TO SIGNIFICANT DEVELOPMENT RESOURCES: The following is provided as guidance for a risk-based approach to determining whether a formal SDLC procedure should be in place. Note that ANY project defined as a "Major Information Resources Project" according to TGC § 2054 requires a formal SDLC in alignment with the Department of Information Resources Texas Project Delivery Framework (DIR TPDF). All other projects that satisfy two or more of the following criteria typically should follow an SDLC methodology:
- Implementation hours exceed 1,000 hours
- Impacts broad numbers of users throughout the University
- Satisfies University strategic goals
- Requires interoperability with existing IT systems/data
SYSTEMS DEVELOPED IN-HOUSE: Does not include standard maintenance, reports, and inter-application interfaces for existing software-based applications and systems.
D. Policy
To ensure reliable and stable systems, all departments developing software applications are required to establish best practice SDLC methodologies and require compliance from individuals who develop new systems.
All systems development requires prior approval by the appropriate Director, Dean, Chair or designee.
All systems developed in-house that require moderate to significant development resources must be documented through an SDLC methodology. Based on risk, each department should assist the developer in developing or formalizing documentation that includes the following:
- Project governance
- Resource planning
- Preliminary analysis or feasibility study
- Value assessment
- Risk identification and mitigation
- User authentication and access management
- Data and information security review
- General design and detail design
- Project work plan
- Quality assurance and acceptance testing
- Implementation
- Post-implementation maintenance and review
- Issues management
- Source code repository
All systems developed in-house that do NOT require moderate to significant development resources must, at a minimum, have the following items documented:
- Project governance
- Preliminary analysis or feasibility study
- User authentication and access management
- Data and information security review
- Quality assurance and acceptance testing
- Source code repository
SDLC controls must also be in place for departments that purchase computer applications and/or contract with Application Service Providers (ASP) for an outsourced application solution.
Based on risk, procured solutions must be properly secured and backed up. Contracts should address security, back-up, disaster recovery, and privacy requirements, and ensure compliance with applicable laws, rules, and regulations. Contracts should include right-to-audit provisions to provide appropriate assurances that contractual obligations are met.
All information systems, whether developed in-house or provided by an outside vendor, must be compliant with Payment Card Industry (PCI) data security standards if processing payment card information.
H. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 10/2021
AMENDED: 05/2023