Systems Development Life Cycle Policy (SDLC) | Five to Nine 

The purpose of Five to Nine’s Systems Development Life Cycle (SDLC) Policy is to outline the standard operating procedures for developing or implementing software at Five to Nine.



Five to Nine employees and/or contractors that perform any type of development work for Five to Nine.

Employees and/or contractors who violate this policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.


Five to Nine’s tech team is responsible for developing, maintaining, and participating in SDLC for development work. All employees and/or contractors at Five to Nine, engaged in development activities, must follow the SDLC Policy.

The minimum required phases and considerations for the SDLC are listed below. For any Level I data, all of the following phases and considerations, are mandatory if the system or software development deals with Level I data (defined below). For Level II or Level III data (defined below), the phases and considerations are recommended processes within the development cycle.

System Initiation

  • A need is defined and a proposal is created.
  • A feasibility study is outlined and performed.

System Analysis

  • Analyze defined user needs and develop user requirements.
  • Outlined a detailed list of security and user requirements.

System Design

  • Outline a detailed description of the software design based on the functions of the outline user and security requirements.
  • Perform a standard risk analysis of the outlined design before final feasibility review.

System Configuration

  • Manual and automated testing must be performed during this phase.
  • During the testing period, assess any and all security considerations.

System Testing and Acceptance

  • Employees and/or contractors separate from the development group should perform Quality Assurance (QA) testing.
  • Individuals from the user group should conduct user acceptance testing.
  • Documentation during testing should detail and match testing criteria to specific requirements.
  • Perform additional testing of security needs.
  • Any problems identified during the previous phases must be resolved or remediated before implementation.

System Implementation

  • The finished, tested, and user-accepted software is moved from the testing environment to production.
  • All tools, code, or access mechanisms used for development or testing must be removed from the software that will be pushed into the production environment.
  • Any necessary user training should be done by this phase.

System Maintenance

  • Any planned changes to the software should be scheduled, communicated, and documented.
  • Continuous security penetration testing is conducted on software throughout its life cycle at regularly scheduled intervals.
  • Security testing is conducted when any major change is performed.


The following definitions apply as they are mentioned in this SDLC Policy.

Level I information is that Five to Nine information with a high risk of significant financial loss, legal liability, public distrust or harm if this data is disclosed.

Level II information is that Five to Nine information with a moderate requirement for Confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust, or harm if this data is disclosed.

Level III information is that Five to Nine information with a low requirement for Confidentiality (e.g. public information) and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed.