STANDARD FOR APPLICATION DEVELOPMENT AND ACQUISITION

 

The University of Texas at San Antonio

Office of Information Technology

Office of Information Security (OIS) Standards

 

OIS 3 – Standard for Application Development and Acquisition

 


I. STANDARD STATEMENT


Secure development of applications requires familiarity with best practices which provide protection of data and prevent exposure of the application to unauthorized access. The highest appropriate levels of security should be built into any application whether it be developed internally to UTSA or purchased.

 


II. RATIONALE


This standard supports HOP Policy 8-12 Information Resources Use and Security Policy

 


III. SCOPE



This standard applies to all UTSA faculty, staff, and students.


IV. CONTACTS


If you have any questions about Standard OIS (Number and Name) contact the following office:

 

The Office of Information Security

informationsecurity@utsa.edu


V. PROCEDURES  


1.     The standard practices outlined here represent the minimum requirements for the security of UTSA software.

    1. All production systems and applications must follow the Information Technology Standards for granting access to the system.
    2. All confidential information within an application under development must be identified and documented.
    3. Applications running on systems with confidential data must provide safeguards to protect the data from exposure.
    4. The transfer of such data requires encryption.
    5. During the development of an application the data owner(s), data custodian(s) and system administrator(s) must be identified.
    6. Developers must ensure that applications validate input, execute proper error handling, and properly authenticate users through identity management processing.
    7. Information security, security testing, and audit controls must be included in all phases of the system development lifecycle or acquisition processing.
    8. Copies of production data shall not be used for testing, unless the data have been authorized for public release or unless all custodians involved in testing are otherwise authorized to access the data.

 

2.     All security-related information resources changes shall be approved by the data owner through a change control process.

 


VI.  DEFINITIONS


"on a regular basis" - at least annually

 

 

______________________________________________________________________________

Effective Date: January 1, 2012
Last Revised: April 10, 2013

<< Back