Handbook of Operating Procedures
Chapter 8 - Facilities and University Services
Publication Date: January 25, 2016
Responsible Executive: VP for Academic Affairs


8.21 Application Administrator Policy


I. POLICY STATEMENT


The University of Texas at San Antonio (UTSA) relies significantly on a wide variety of Information Resources to achieve its missions. In order to maintain the security and integrity of the computing infrastructure, every effort must be made to protect the Data, intellectual property, and Information Resources used to carry out UTSA business.

The UTSA computer network provides access to many applications that allow faculty and staff members to perform their work duties. Application Administrators must ensure that the applications adhere to university standards.


II. RATIONALE


This policy sets forth procedures relating to the implementation and administration of computer applications. An application that is not properly implemented or not properly maintained may allow unauthorized access to protected data and/or introduce malware into the university computer network. This policy addresses requirements set forth in The University of Texas System (UT System) policy UTS165, Sec. 29, System Development and Deployment.


III. SCOPE


All individuals who are involved with the development or the acquisition of computer applications that are accessed via the UTSA computer network must be familiar with and follow this policy. This can include UTSA faculty, staff, students, alumni, vendors, and contractors.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter8/8-21.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


UTSA or UT System Policies or the Board of Regents' Rules & Regulations

  1. UT System Policy INT124, Information Resources Acceptable Use and Security Policy
  2. UT System Policy UTS165, UT System Information Resources Use and Security Policy
  3. UT System Policy UTS178, Required Reporting of Significant Events 
  4. UTSA Data Classification Standard

Other Policies & Standards

  1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C
  2. Higher Education Opportunity Act of 2008
  3. Texas Computer Crimes Act

VI. CONTACTS


If you have any questions about HOP policy 8.21, Application Administrator, please contact the following office: 

Office of Information Technology (OIT) or Office of Information Security (OIS)
(210) 458-4555


VII. DEFINITIONS


A full list of definitions related to Information Resources Acceptable Use can be found in UT System Policy UTS 165, Information Resources Use and Security Policy.

Application Administrator: A faculty or staff member who manages an application on a day-to-day basis. The Application Administrator is responsible for ensuring the application is set up and managed in accordance with university policies and Office of Information Technology (OIT) Standards.

Change Control: A formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner.

Confidential Data: Data that is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state and federal laws. See also “Category I” data in Data Classification definition.

Data: Information which is recorded, regardless of form or media, that is used to support the business of the university, whether in an administrative, academic, or research capacity. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other format.

Data Classification: At UTSA, data is classified as Category I, Category II, or Category III.  Definitions, protection requirements and examples of the types of data can be found in the Standard for Data Classification.

Data Custodian: A staff member who is responsible for day-to-day maintenance of UTSA Information Resources. In some instances, this responsibility is assigned to a third-party vendor or OIT.  

Data Owner: The manager or agent responsible for the business function supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program using the resources.  Where appropriate, ownership may be shared. The terms "information owner" and "information ownership" reflect the context of UTS165 and TAC202 and do not reflect any context of the same or similar terms related to intellectual property and rights to information under any other UT System policies. 

Data Review: Verifying that the data is error-free.

Information Resources: Any and all computer printouts, online display devices, mass storage media (including external storage devices such as external hard drives and flash drives), and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDAs), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.

Mission-critical Information Resource: An Information Resource defined by UTSA to be essential to the university’s function and that, if made unavailable, will inflict substantial harm to the university and the university’s ability to meet its instructional, research, patient care, public service, and other missions. More information, including a list of systems identified as "mission-critical," can be found in the Standard for Data Owners.

Production Environment: Production environment is a term used mostly by developers to describe the setting where software and other products are actually put into operation for their intended uses by end users.

User: An individual, automated application or process that is authorized by the Owner to access the resource, in accordance with the Owner's procedures and rules. The User is any person who has been authorized by the Information Owner to read, enter, or update that information. The User is the single most effective control for providing adequate security.

Vulnerability Scan: Vulnerability scanning is a procedure designed to identify security weaknesses in the application and to assist in the mitigation of those weaknesses.


VIII. RESPONSIBILITIES


  1. Application Administrator
    1. Follows all applicable procedures as specified in this policy and related standards.
    2. Registers a new application by contacting OIS.
    3. Ensures the application and its data are protected against intrusion and illegal access.
    4. Notifies OIS in the case of any security event.
  2. OIT Staff Member
    1. Provides guidance and advice.
    2. Maintains a registry of all campus applications.
  3. Application Developer or Application Acquisition Team
    1. Follows all applicable procedures as specified in this policy and related standards.

IX. PROCEDURES


  1. Application Administrator
    1. The Application Administrator must perform a vulnerability scan, or ensure OIS performs a vulnerability scan for Web Applications:
      1. Prior to moving the Application to the production environment
      2. After a compromise of the Web application
      3. On a regular basis, for all mission-critical operations, and/or
      4. As needed when potential or existing risks are identified within the environment.
    2. The Application Administrator must complete a risk assessment on a regular basis, as specified in the Standard for Information Security Risk Assessment.
    3. The Application Administrator must perform a data review prior to moving the application from the development/test environment to the production environment.
      1. Any request to access or use Application Data must be approved by the Data Owner.
      2. Data Owner should be notified if Data is to be stored outside of the university.
      3. If the Data is to be hosted outside of UTSA, an agreement must be reviewed by the UTSA Purchasing Department, the UTSA Office of Legal Affairs and OIS.
  2. Application Developer or Application Acquisition Team
    1. Follow OIT standard for granting access to the application, as specified in the Standard for Account Management.
    2. Identify all Category I data and document the business need for having that Data using the UTSA Information Security Assessment form.
    3. Provide safeguards to protect Data from exposure.
    4. Encrypt all Data in transit.
    5. Identify all Data Owners, Data Custodians, and System Administrators.
    6. Authenticate Users through centralized identity management processing.
    7. Include information security, security testing, and audit controls in all phases of the development/acquisition process as specified in the Standard for Application Development and Acquisition.
    8. Institute a change control process so the Data Owner approves all security-related information resources changes.
    9. Ensure the application enforces passphrase requirements as described in the Standard for Passwords and Passphrases.
  3. Office of Information Technology Staff Member
    1. Create and maintain the Application Registry. Ask for the following:
      1. Purpose of the application
      2. Staff members responsible for the application
      3. Data classification
      4. Relevant technical information
    2. Enforce this policy.
    3. Perform audits and monitoring activities to detect any unsecured systems.
    4. Provide technical assistance to departments so they can meet the requirements.
  4. Policy Review
    1. The policy is subject to review by the OIS on a regular basis.

Any exception to requirements set forth in this policy must be approved in writing by the UTSA Office of Information Security.


X. SPECIAL INSTRUCTIONS FOR INITIAL IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


UTSA Information Security Assessment form 


XII. APPENDIX


None