From 070926285de2b5e79f5c825403c8bd139cb45582 Mon Sep 17 00:00:00 2001 From: Eleri Valiant Date: Fri, 28 Nov 2025 15:44:06 +0000 Subject: [PATCH 1/2] First draft of policy --- .../Lifecycle/DecommissionGuidance.md | 0 .../Lifecycle/LifecyclePolicy.md | 54 +++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 software-engineering-policies/Lifecycle/DecommissionGuidance.md create mode 100644 software-engineering-policies/Lifecycle/LifecyclePolicy.md diff --git a/software-engineering-policies/Lifecycle/DecommissionGuidance.md b/software-engineering-policies/Lifecycle/DecommissionGuidance.md new file mode 100644 index 00000000..e69de29b diff --git a/software-engineering-policies/Lifecycle/LifecyclePolicy.md b/software-engineering-policies/Lifecycle/LifecyclePolicy.md new file mode 100644 index 00000000..3c7bc9d3 --- /dev/null +++ b/software-engineering-policies/Lifecycle/LifecyclePolicy.md @@ -0,0 +1,54 @@ +# Software Lifecycle Management Policy + +## Purpose + +This policy ensures that all software systems are designed, developed, deployed, maintained, and retired in a consistent, secure, and efficient manner aligned with organizational standards. + +## Scope + +This policy applies to all software engineers, contractors, and teams involved in developing or maintaining internal or customer-facing software. + +## Policy Requirements + +### Planning & Design + +- All new software must include documented requirements, architecture diagrams, and risk assessments. +- Designs must consider security, scalability, observability, and maintainability. +- [Naming conventions](../NamingConventions/NamingConventions.md) must be defined and followed consistently. + +### Development + +- Code must be version-controlled using approved [source control](../SourceControl/SourceControl.md) solutions. +- Code must follow established [coding standards](../CodingStandards/CodingStandards.md). +- Code must be peer reviewed in line with [code review policy](../CodeReview/CodeReviewPolicy.md). +- [Secure Development](../SecureDevelopment/SecureDevelopment.md) practices must be followed to mitigate vulnerabilities. +- Automated testing (unit, integration, and security checks) must be implemented before merge. + +### Testing & Quality Assurance + +- Testing must include unit, integration, system, and security tests. +- Testing should be automated where possible, following the [test strategy](../QualityAssurance/TestStrategy.md). +- Test coverage and results should be documented and reviewed. +- Performance and load testing should be conducted for critical systems. + +### Deployment & Release Management + +- Deployment pipelines must comply with the [pipeline policy](../Pipelines/Baseline_Policy.md). +- Rollback procedures must be defined and tested. +- IaC (Infrastructure as Code) practices should be used for environment provisioning. + +### Operational Maintenance + +- Teams must monitor system performance, security alerts, and error logs. +- Critical vulnerabilities must be remediated within defined SLAs. +- [Technical debt](../TechnicalDebt/TechnicalDebt.md) should be periodically reviewed and addressed. + +### Documentation + +- Architecture, APIs, deployment steps, and dependencies must be kept up-to-date. +- [System documentation](../SystemDocumentation/SystemDocumentation.md) must be comprehensive and accessible. + +### Decommissioning + +- Software approaching End-of-Life (EOL) must have a documented migration or decommission plan. For more information, refer to the [decommission guidance](../Lifecycle/DecommissionGuidance.md). +- Data retention and disposal must comply with organizational and regulatory requirements. From fbd142cfcefe1e2f6e1e2382f52914e175957362 Mon Sep 17 00:00:00 2001 From: Eleri Valiant Date: Fri, 19 Dec 2025 12:04:15 +0000 Subject: [PATCH 2/2] Updated from review comments --- .../Lifecycle/LifecyclePolicy.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/software-engineering-policies/Lifecycle/LifecyclePolicy.md b/software-engineering-policies/Lifecycle/LifecyclePolicy.md index 3c7bc9d3..d145c37a 100644 --- a/software-engineering-policies/Lifecycle/LifecyclePolicy.md +++ b/software-engineering-policies/Lifecycle/LifecyclePolicy.md @@ -12,8 +12,9 @@ This policy applies to all software engineers, contractors, and teams involved i ### Planning & Design -- All new software must include documented requirements, architecture diagrams, and risk assessments. -- Designs must consider security, scalability, observability, and maintainability. +- All new software must include documented requirements, architecture diagrams, threat models and risk assessments. +- Designs must consider security (ref. [POL201 - Secure by Design](https://ukho.sharepoint.com/sites/docstore-prd/_layouts/15/Doc.aspx?sourcedoc=%7BD068DDEC-D0A6-49A6-AA88-B16D4A3B6A30%7D&file=POL201.docx&action=default&mobileredirect=true&DefaultItemOpen=1)), scalability, observability, and maintainability. +- Designs should be peer reviewed to identify any sharable components. - [Naming conventions](../NamingConventions/NamingConventions.md) must be defined and followed consistently. ### Development @@ -35,13 +36,14 @@ This policy applies to all software engineers, contractors, and teams involved i - Deployment pipelines must comply with the [pipeline policy](../Pipelines/Baseline_Policy.md). - Rollback procedures must be defined and tested. -- IaC (Infrastructure as Code) practices should be used for environment provisioning. +- [IaC (Infrastructure as Code) practices](../InfrastructureAsCode/terraform.md) should be used for environment provisioning. ### Operational Maintenance -- Teams must monitor system performance, security alerts, and error logs. -- Critical vulnerabilities must be remediated within defined SLAs. +- Teams must monitor system performance, security alerts, and error logs as per the [observability policy](../observability/observability_policy.md). +- Critical vulnerabilities must be remediated within defined SLAs (ref. [POL218 - Patch Management Policy](https://ukho.sharepoint.com/sites/docstore-prd/_layouts/15/Doc.aspx?sourcedoc=%7B82EA818D-00AA-44EE-B9A1-E901879DE72E%7D&file=POL218.docx&action=default&mobileredirect=true&DefaultItemOpen=1)). - [Technical debt](../TechnicalDebt/TechnicalDebt.md) should be periodically reviewed and addressed. +- Disaster recovery procedures must be defined and tested. ### Documentation