The purpose of the Systems Development Life Cycle (SDLC) Policy is to describe the requirements for developing and/or implementing new software and systems at Health Note and to ensure that all development work complies with any and all regulatory, statutory, federal, and/or state guidelines.
This policy is applicable to all employees (full-time or part-time), contractors, and other covered individuals (e.g., vendors, independent contractors, etc.) who perform any type of software or systems development work under the purview of Health Note. In the event a department chooses to seek an exemption for reasons such as inability to meet specific points, tasks, or subtasks within the SDLC Policy or Standards, an SDLC Review Committee, composed of representatives from across departments as designated by Information Technology, will convene to assess the specific merits of the exemption request(s) while still adhering to the main principles behind the SDLC Policy and Standards.
Information Technology at Health Note is responsible for developing, maintaining, and participating in a Systems Development Life Cycle (SDLC) for system development projects. All entities at the company engaged in systems or software development activities must follow the SDLC.
SDLC Phases:
- Initiation
- Development / Acquisition
- Implementation / Assessment
- Operations and Maintenance
- Disposal
If an exemption from this policy is required, a Policy Exemption request needs to be submitted and it needs to clearly articulate the reason for the exemption. An operational risk assessment will be conducted to identify the risks associated with this exemption. Exceptions to this policy and associated standards shall be allowed only if previously approved by the SDLC Review Committee and such approval documented and verified by the Chief Technology Officer. If the committee can accept the risk, an exemption to this policy may be granted.
Information Technology is responsible for managing security assessments for the company according to established requirements. Any systems under the policy authority of IT with requirements that deviate from the policies are required to submit a Policy Exemption Form to IT for consideration and potential approval. Any attempt by personnel to circumvent or otherwise bypass this policy or any supporting policy will be treated as a security violation and subject to investigation. The results of the investigation may entail written reprimand, suspension, termination, and possibly criminal and/or civil penalties.
Revision Date | Revision Description | Notes |
---|---|---|
5/27/2021 | Initial | Initial |
2/24/2022 | Reviewed | No changes |
4/10/2023 | Reviewed | No changes |
5/03/2024 | Reviewed | No changes |