Information Security Standards



The purpose of the system development procedure is to describe the requirements for developing and/or implementing new application software in the University.


This procedure applies to University information resources that store or process mission critical and/or confidential information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with system development and implementation of new application software. The intended audience for this procedure includes, but is not limited to, all information resources data/owners, management personnel, and system administrators.


1. Information security owners, and their designees, are responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) plan. All software developed in-house that runs on production systems shall be developed according to an SDLC plan. At a minimum, this plan must address the areas of preliminary analysis or feasibility study; risk identification and mitigation; systems analysis; general design; detail design; development; quality assurance and acceptance testing; implementation; and post-implementation maintenance and review. The requirement for such a methodology ensures the software will be adequately documented and tested before it is used in production.

2. All applicable systems shall have designated owners and custodians. Owners, and/or their designees, shall perform periodic risk assessments of production systems to determine whether the controls employed are adequate.

3. The department head or owner of an information resource shall ensure that all applicable systems have a documented access control process to restrict who can access the system as well as restrict the privileges available to system users. A log of permission(s) granted shall also be maintained.

4. Where resources permit, there shall be a separation between the production, quality assurance and development environments. This ensures that security is rigorously maintained for the production system, while the development and test environments can maximize productivity with fewer security restrictions. At least two people will review and approve a change before it is moved into production.


University Information Security Standard, Change and Configuration Management


Last Updated March 31, 2014