This article uses qualitative research and grounded theories, to explore information security issues in the development of information systems. Its findings are: first, three security issues are identified: security plans, resources, and a security policy to implement information security mechanisms. Second, there are strong connections between security plans, resources and security policy. Third, managers implement several critical security issues across stages of system development life cycle. This article identifies the opportunities and challenges facing security management issues. Clear security policies or plans can guide software practitioners in an organization to focus on security issues, and keep controlling threats thereafter. In order to improve the quality of security management and to identify possible threats over a longer term, organizations have to monitor and manage their application service providers and security techniques.