Information Systems Acquisition, Development, and Maintenance Supplemental Policy
Number: 8070.0 Revised: August 15, 2010
The Information Security Officer is delegated all necessary authority to set and enforce standards for the appropriate security of all software and web applications, and to establish, monitor and enforce remediation timelines and sanctions for non-compliant systems campus-wide. The Information Security Officer will establish security standards for the acquisition, development, deployment and maintenance of all software and web applications that handle sensitive information or are accessible from off campus.
All campus software and web application acquisitions or upgrades involving handling of Level 1 and/or Level 2 information and/or access from off campus must be reviewed and approved by the Information Security Officer or his designee(s) in writing prior to purchase. All contracts for work involving handling of Level 1 and/or Level 2 information and/or access from off campus must also be reviewed and approved by the Information Security Officer or his designee(s) in writing prior to acquisition.
Application and advanced web development involving protected classes of information (Level 1 and Level 2) is a distinct and limited activity engaged in by only a few campus employees. All application and web developers must familiarize themselves with and follow the campus Application Development Standards to ensure they are employing secure procedures for any application or web development involving Level 1 and/or Level 2 data. All application code for such applications must be reviewed and approved in writing by the Information Security Officer or his designee(s) prior to deployment. All significant changes to application code must also be reviewed for vulnerabilities prior to deployment. All applications or web processes handling, processing or storing critical and business information must be housed only within secure data centers identified by the Information Security Officer, on systems meeting all applicable security policies and standards.
Maintenance and Testing
Access to source code and other critical system resources during testing, development, or production must be limited to only authorized personnel with an authorized work-related need.
Back to Sacramento State Information Security Policy Website