Handbook of Operating Procedures
Chapter 11 - Information Technology
Previous Publication Date: August 2, 2022
Publication Date: February 2, 2024
Policy Reviewed Date: November 21, 2023
Policy Owner: VP for Information Technology


11.06 Application Administrator Policy


I. POLICY STATEMENT


An Information Technology Resource must be properly procured and/or implemented in order to maintain its security and integrity. This policy ensures that the protection of Information Technology Resources is considered during the development and/or purchase of new Information Technology Resources. 


II. RATIONALE


This policy sets forth procedures relating to the procurement, implementation, and administration of Information Technology Resources, as set forth in The University of Texas System (UT System) Policy 165 and UT System Standard 21.


III. SCOPE


All UTSA employees who develop or acquire Information Technology Resources must be familiar with and follow this policy.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter11/11.06.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


  1. University of Texas System Policies or the Board of Regents' Rules & Regulations
    1. UTSA HOP Policy 11.07, Cloud Computing.
    2. UT System HOP 4.1.1 Information Technology Resources Acceptable Use and Security Policy.
    3. UT System Policy UTS 165, UT System Information Technology Resources Use and Security Policy.
    4. UT System Security Standard 21, System Development and Deployment.
  2. Other Policies and Standards
    1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C.
    2. Higher Education Opportunity Act of 2008
    3. Texas Computer Crimes Act, Title 7, Chapter 33 Computer Crimes.
    4. UTSA Security Standards
    5. UTSA Financial Guideline, Clickwrap Agreements

VI. CONTACTS


If you have any questions about Handbook of Operating Procedures policy 11.06, Application Administrator Policy, contact one of the following offices:

  1. Office of Information Security
    210-458-7974
    informationsecurity@utsa.edu
  2. UTSA Tech Solutions
    210-458-4555
    TechCafe@utsa.edu

VII. DEFINITIONS


  1. Application Administrator: An employee who manages an application on a day-to-day basis. The Application Administrator is responsible for ensuring the application is set up and managed in accordance with UTSA policies and UTSA Security Standards.
  2. Change Control: The formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner.
  3. Click-Wrap Agreement: An agreement whose standard online terms and conditions are displayed in a way that requires the purchaser to click “accept” before the Data User can secure the goods or services of an Information Technology Resource.
  4. Cloud Services Provider: A third-party provider of services that maintain, store or process Data on a network of remote technology platforms and/or servers outside of UTSA’s Information Technology Resources.
  5. Confidential Data: Data that is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state and federal laws. See also “Category I” data in the Data Classification definition.
  6. Data: Information that is recorded, regardless of form or media, that is used to support the mission of UTSA, whether in an administrative, academic, or research capacity. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other formats.
  7. Data Custodian: The Data Custodian is designated by the Data Owner. The Data Custodian is an employee who is responsible for the day-to-day maintenance of UTSA Information Technology Resources. In some instances, this responsibility is assigned to a department or College staff member, a third-party vendor, or UTSA Technology Solutions.
  8. Data Owner: The manager or agent responsible for the business function supported by the Information Technology Resource or the individual upon whom responsibility rests for carrying out the program using the resources. Where appropriate, ownership may be shared. The terms "information owner" and "information ownership" reflect the context of UT System UTS 165 and TAC 202 and do not reflect any context of the same or similar terms related to intellectual property and rights to information under any other UT System policies.
  9. Data Review: Verifying the data is error-free.
  10. Data User: An individual who is authorized by the Data Owner to access the Information Technology Resource, in accordance with the Data Owner's procedures and rules. The Data User is any person who has been authorized by the Data Owner to read, enter, or update that information whether done individually or through facilitation or responsibility for an automated application or process.
  11. Information Technology Resources: The procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting Data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.
  12. High-Risk Procurement: One Card purchases to secure Information Technology Resource goods or services through the use of a Click-Wrap agreement that includes any of the following aspects:
    1. Any use of Category I or Category II Data (sensitive or confidential data, such as FERPA-related data). This includes sharing, access to, storage, or hosting services by the Click-Wrap provider. See UTSA’s Data Classification Categories at https://utsacloud.sharepoint.com/sites/OISInternal/SitePages/OIS-Standards.aspx;
    2. Any maintenance, storing, or processing of UTSA Data on a network of remote technology platforms and/or servers outside of UTSA Information Technology Resources.
    3. Unsupervised interaction with students or any reasonable risks to students.
    4. Interaction with minors.
    5. Safety, health, or medical matters.
    6. Risk to UTSA property.
    7. Access to UTSA’s network.
    8. Solicitation on campus.
    9. Providing any intellectual property of UTSA, or any other aspects related to copyright or publication rights.
    10. Modifications to UTSA property.
    11. Use of UTSA property by another entity.
    12. Required use of the service by students.
    13. Processing, collection, or storage of UTSA funds (for example, a payment processor or reseller).
    14. A vendor/contractor who is a non-U.S. entity or individual.
    15. Providing the contracted entity with use of any UTSA trademarks, logos, or related marks; or
    16. Any other aspect, or service that could reasonably be determined to signify a significant risk to UTSA or the UTSA community.
  13. Low-Risk Procurement: One Card purchases to secure Information Technology Resource goods or services through the use of a Click-Wrap agreement with a contract term not to exceed one year and a total contract value less than $5,000.
  14. Production Environment: The setting where software and other products are put into operation for their intended uses by end-users.
  15. Vulnerability Scan: A procedure designed to identify security weaknesses in the application and to assist in the mitigation of those weaknesses.

VIII. RESPONSIBILITIES


  1. Application Administrator
    1. Follows all applicable procedures as specified in this policy and related standards.
    2. Ensures the Information Technology Resources are protected against unauthorized access and unlawful use.
    3. Notifies Tech Café in the case of any security event.
  2. Office of Information Security Staff Member
    1. Provides guidance and advice.
    2. Maintains a registry of all university-wide applications.
  3. Data Owner and Data Custodian or Application Acquisition Team
    1. Follows all applicable procedures as specified in this policy and related standards.

IX. PROCEDURES


  1. Application Administrator
    1. The Application Administrator must perform a Vulnerability Scan or ensure UTSA Office of Information Security (OIS) performs a vulnerability scan for Web Applications as follows:
      1.1 Prior to moving the Application to the Production Environment;
      1.2 After a compromise of the Web application;
      1.3 On a regular basis, for all mission-critical operations, and/or
      1.4 As needed, when potential or existing risks are identified within the environment.
    2. The Application Administrator must complete a risk assessment on a regular basis, as specified in the Standard for Information Security Risk Assessment (UTSA Internal Access Required).
    3. The Application Administrator must perform a Data Review prior to moving the application from the development/test environment to the Production Environment.
      3.1 Any request to access or use Data must be approved by the Data Owner.
      3.2 Data Owner should be notified if Data is to be stored outside of UTSA Information Technology Resources.
      3.3 If the Data is to be hosted outside of UTSA, appropriate procurement of Information Technology Resources and data sharing agreements must be initiated by the Application Administrator in the Office of Business Contracts, Purchasing, Privacy Office and/or UTSA Tech Solutions.
  2. Data Owner and Data Custodian or Application Acquisition Team
    1. Follow the Standard for Account Management for granting access to the Information Technology Resources.
    2. Identify all Category I data and document the business need for having that Data using the UTSA Information Security Assessment form.
    3. Provide safeguards to protect Data from exposure.
    4. Encrypt all Data in transit and at rest.
    5. Identify all Data Owners, Data Custodians, and System Administrators.
    6. Authenticate Data Users through centralized identity management processing.
    7. Include information security, security testing, and audit controls in all phases of the development/acquisition process as specified in the Standard for Application Development and Acquisition.
    8. Institute a Change Control process so the Data Owner approves all security-related changes to Information Technology Resources.
    9. Ensure the application enforces passphrase requirements as described in the Standard for Passwords and Passphrases.
  3. UTSA Tech Solutions
    1. Creates and maintains the Application Registry and documents the following:
      1.1 Purpose of the application.
      1.2 Staff members responsible for the application.
      1.3 Data classification.
      1.4 Relevant technical information.
    2. Enforces this policy.
    3. Performs audits and monitoring activities to detect any unsecured systems.
    4. Provides technical assistance to employees and departments.
    5. Reviews the terms and conditions only of Click-Wrap agreements that are
      5.1 Low-Risk Procurements and
      5.2 Paid for by the department on a UTSA One Card.
  4. Office of Business Contracts and/or Procurement
    1. Reviews Click-Wrap agreements that are High-Risk Procurements.
    2. Reviews all Cloud Services Provider agreements.
    3. Reviews all other Information Technology Resource goods and services agreements.
  5. Any exception to requirements set forth in this policy must be approved in writing by the UTSA Office of Information Security.

X. SPECIAL INSTRUCTIONS FOR IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


UTSA Information Security Assessment form. Note: User must be on campus or utilize VPN to access this form.


XII. APPENDIX


None


XIII. Dates Approved/Amended


02-02-2024
08-02-2022
(Editorial)
01-25-2016