-S-

The established boundary (or extent) of what must be accomplished; during planning, this defines what the project will consist of (and just as importantly, what the project will not consist of ).

The establishment and application of safeguards to protect data, software, and hardware from accidental or malicious modification, destruction, or disclosure.

Tool that permits developers to make informed decisions relating to the acceptance of identified risk exposure levels or implementation of cost-effective measures to reduce those risks. See Requirements Analysis phase.

A formal test performed on an operational system, based on the results of the Security Risk Assessment in order to evaluate compliance with security and data integrity guidelines, and address security backup, recovery, and audit trails. Also called Security Testing and Evaluation (ST&E).

A major part of a larger system or subsystem; in software, a selfcontained portion of a computer program.

A system or subsystem that requires an IT Systems Security Certification and Accreditation; contains data requiring security safeguards.

Assesses the potential effect on inputs (costs) and outcomes (benefits) depending on the relative magnitude of change in certain factors or assumptions.

Computer programs (code), procedures, documentation, and data pertaining to the operation of a computer system. Compare with hardware.

Contains all of the information pertaining to the development of each unit or module, including the test cases, software, test results, approvals, and any other items that will help explain the functionality of the software.

Mandatory requirements to prescribe a disciplined uniform approach to software development and maintenance activities.

A collection of components that meets the definition of a system, but is considered part of a larger system. See system.

A measure of the ability of a system to continue to function, especially in the presence of errors.

A collection of components (hardware, software, interfaces) organized to accomplish a specific function or set of functions; generally considered to be a self-sufficient item in its intended operational use.

The person responsible for planning a system installation and use of the system by other users.

Any of the discrete items that comprise a system or subsystem. See subsystem, system.

The formal Change Control Document procedure used to request a change to a system baseline, provide information concerning the requested change, and act as the documented approval mechanism for the change. See Change Control Documents.

Phase that begins after the need or opportunity has been identified in the Initiation phase. The approaches for meeting this need are reviewed for feasibility and appropriateness (e.g., cost-benefit analysis) and documented in the budget documents.

A formal document that describes the system architecture, file and database design, interfaces, and detailed hardware/ software design; used as the baseline for system development.

The organization benefiting from or requesting the project; frequently thought of as the "customer" for that project.

A formal document that establishes the processes and procedures for identifying all areas where security could be compromised within the system (or subsystem).

Software designed to facilitate the operation of a computer system and associated computer programs (e.g., operating systems, code compilers, utilities). Compare to application software.

The process of testing an integrated hardware/software system to verify that the system meets its documented requirements.

A manual that serves the purpose of an Operations Manual in a distributed (client/server) application. See Operations Manual, Client/Server.

In systems development, the process of studying and understanding the requirements (customer needs) for a system in order to develop a feasible design.

A formal model of a hardware/software project that depicts the relationship among activities, products, reviews, approvals, and resources. Also, the period of time that begins when a need is identified (initiation) and ends when the system is no longer available for use (disposition).

The individual, or group, responsible for post-implementation system maintenance, configuration management, change control, and release control. This may or may not include members of the development team.