RE: SDLC Documentation

Subject: RE: SDLC Documentation
From: "Annette Reilly" <annetterieee -at- gmail -dot- com>
To: "'Jason L'" <dotlogue -at- gmail -dot- com>, <techwr-l -at- lists -dot- techwr-l -dot- com>
Date: Fri, 4 Nov 2022 12:56:05 -0400

I'm guessing that by SDLC you are talking about a systems/software development life cycle.
The basic standard for this is ISO/IEC/IEEE 12207:2017, Systems and software engineering -- Software life cycle processes, https://ieeexplore.ieee.org/document/8100771
See clause 4 and Annex A; your goal is to show that you have full or tailored conformance to the outcomes in all or many of the life cycle processes described in clause 6 of 12207.
I would not try to show conformance to activities and tasks, just focus on the process outcomes.
More to the point of HITRUST, you may want to demonstrate conformance to ISO/IEC/IEEE 16085-2020 - ISO/IEC/IEEE Systems and software engineering -- Life cycle processes -- Risk management, https://ieeexplore.ieee.org/document/9325968
It is worth your time to pay for copies of these standards to avoid having to kludge together a life cycle process model based on life as it is lived at RealDocs.
If anybody in your organization is talking about DevSecOps, you could look at IEEE 2675:2021, IEEE Standard for DevOps: Building Reliable and Secure Systems Including Application Build, Package, and Deployment, https://ieeexplore.ieee.org/document/9415476

I'm hoping that from your work with HITRUST you have already come into contact with these source standards, which you probably will need to reference as well:
ISO/IEC 27002:2013: Information Technology -- Security Techniques -- Code of Practice for Information Security Controls [ISO/IEC 27002:2013]
ISO/IEC 27799:2016: Health Informatics -- Information Security Management in Health using ISO/IEC 27002 [ISO/IEC 27799:2016]
ISO/IEC 29100:2011: Information Technology -- Security Techniques -- Privacy Framework [ISO/IEC 29100:2011]
ISO/IEC 29151:2017: Information Technology -- Security Techniques -- Code of Practice for Personally Identifiable Information Protection [ISO/IEC 29151:2017]

Good luck,
Annette Reilly
Editor, ISO/IEC/IEEE 12207
ISO/IEC JTC 1/SC7 WG2 Secretary
Systems, software, and services documentation

-----Original Message-----
From: Jason L <dotlogue -at- gmail -dot- com>
Sent: Thursday, November 3, 2022 6:52 PM
To: techwr-l -at- lists -dot- techwr-l -dot- com
Subject: SDLC Documentation

Hello,

*TL;DR version: I need help developing an SDLC document that will help this large healthcare IT company prepare for an external audit, and oh by the way, I've never developed an SDLC from scratch.*

I am a contract technical writer and recently started working remotely for a healthcare IT company. This is a large-ish company that has been gobbling up other smaller IT companies, and one of those companies (a medical credentialing company I will call RealDoc from now on) is the one I'm tasked with helping.

As a whole, this company is going through the HITRUST audit certification process (think NIST, SOC, HIPAA, etc.), and they needed help with documentation in the process. This is the third HITRUST process I've been a part of, and I'd like to think I know enough to be helpful and even do some BA work as well.

I came on board about three weeks ago, and initially they asked me to read through and do some basic editing of their policies. This was the third or fourth go around, so I didn't find many issues. There have been no daily stands or even weekly meetings yet. I have not been given access to any typical matrices that show audit requirements, gaps, exceptions, or who owns those areas, etc.

After I finished the initial policy reviews, I had to poke and prod a bit to find out what was next. The hiring manager said I needed to work with a director of RealDoc and find out how I can help them with their SDLC process. After some awkward meetings with product managers, the director and back and forth emails, I've discovered RealDoc does not have an SDLC at all - they are trying to create one from scratch. They had developed a product team playbook and sent it to me, but it didn't really go into things I expect to see in an SDLC (planning, requirements gathering, development, quality assurance), but instead was focused on talking about epics/user stories/features or bugs/issues. There were some basic Visio diagrams that mapped out the different software development states.

As I said earlier, I'm communicating consistently with the RealDocs director. I am hoping to get an idea from him about who I should have meetings with - the SMEs, the respective leads for each application's qa, devops, cloud, and release teams. My plan is to meet with them and have them walk me through their parts of the SDLC process. And after that probably create an outline, workflow diagram and go from there. I've been googling SDLC document, but keep coming up with deliverables in the SDLC like use cases, business requirements, design docs, test scripts, etc.

Do any of you have input on this? It seems overwhelming and vague right now, and as I said, it's been hard to connect with stakeholders.

Thanks for your help.

-Jason
