Supervisory Policy Manual
TM-G-1 General Principles for Technology Risk Management
V.1 – 24.06.03
3.6.3 In controlling access by third-party personnel (e.g. service
providers) to secure areas, proper approval of access
should be required and their activities should be closely
monitored. It is also important that proper screening
procedures including verification and background checks,
especially for sensitive technology-related jobs, are
developed for recruitment of permanent and temporary
technology staff, and contractors.
4. System development and change management
4.1 Project management
4.1.1 AIs should establish a general framework for
management of major technology-related projects. This
framework should, among other things, specify the project
management methodology to be adopted and applied to
these projects. The methodology should cover, at a
minimum, allocation of responsibilities, activity
breakdown, budgeting of time and resources, milestones,
check points, key dependencies, quality assurance, risk
assessment and approvals.
4.2 Project life cycle
4.2.1 AIs should adopt and implement a full project life cycle
methodology governing the process of developing,
implementing and maintaining major computer systems.
In general, this should involve phases of project initiation,
feasibility study, requirement definition, system design,
program development, system and acceptance testing,
training, implementation, operation and maintenance.
4.2.2 The project life cycle methodology should define clearly
the roles and responsibilities for the project team and the
deliverables from each phase. It also needs to contain a
process to ensure that appropriate security requirements
are identified when formulating business requirements,
built during program development, tested and
implemented.
4.2.3 An independent party (e.g. the quality assurance function,
the TRM function or the technology audit team), which is
not involved in the project development, should conduct a
quality assurance review of major technology-related