One West University Boulevard, Brownsville, Texas 78520 | 956-882-8200

Minimum Security Standards for Application Development and Administration

Purpose

Scope

Audience

Minimum Standard

Non-Compliance and Exceptions

Related Policies, Procedures, Best Practices and Applicable Laws


I. Purpose


This minimum standard serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the standard will increase the security of applications and help safeguard university information technology resources.

Compliance with these requirements does not imply a completely secure application or system. Instead, these requirements should be integrated into a comprehensive system security plan.


II. Scope


This standard applies to all software applications that are being developed or administered by the audience referenced in Section III and that are running on devices, physical or virtual, where university data are classified as Category A, B, or C (see Data Classification Standard).


III. Audience


All faculty, staff, student employees, contractors, and vendors developing or administering applications designed to handle or manage university data.


IV. Minimum Standard


This section lists the minimum standards that should be applied to the development and administration of applications working with Category A, B, or C data. Standards for Category-A are generally required.

If a solution is not available for a specific requirement, then the specific requirement is waived until an appropriate solution is made available. In such cases a security exception shall be filed (see part V below). IT owners and custodians, data stewards, lead researchers, system administrators, and application developers are expected to use their professional judgment in managing risks to the information, systems and applications they use and/or support. All security controls should be proportional to the confidentiality, integrity, and availability requirements of the data processed by the system.

Application Development

# Practice (Cat A; Cat B/C)
1.1 Classify the university data handled or managed by the application (see Data Classification Standard). (Cat A: Required; Cat B/C: Required)
1.2 Prominently display a Confidential Record banner on the screen or interface in use by the application, appropriate to the type of data being accessed (for example, FERPA or HIPAA data). Do not display Category-A data that has been specifically restricted by law or policy (for example, Social Security Numbers, Protected Health Information, or credit card data) unless permitted by the university's Office of Institutional Compliance. (Cat A: Required; Cat B/C: Recommended)
1.3 Ensure applications validate input properly and restrictively, accepting only input that is known to be correct (an allowlist of acceptable values, not a list of known-bad patterns). Improper validation leads to flaws such as cross-site scripting, buffer overflows, and injection. See http://www.owasp.org/ for more information and examples. (Cat A: Required; Cat B/C: Recommended)
1.4 Ensure applications handle errors properly, so that an error does not reveal detailed system information, deny service, impair security mechanisms, or crash the system. See http://www.owasp.org/ for more information and examples. (Cat A: Required; Cat B/C: Recommended)
1.5 Ensure applications processing data authenticate users through central authentication systems, specifically UT Direct, Austin Active Directory, TAM (uTexas Access Manager, forthcoming), EID Fat Cookie, or Shibboleth. (Cat A: Recommended; Cat B/C: Recommended)
1.6 Establish authorizations for applications by affiliation, membership, or employment rather than by individual. (Cat A: Recommended; Cat B/C: Recommended)
1.7 If individual authorizations are used, they must expire and require renewal on a periodic basis (at least annually). (Cat A: Required; Cat B/C: Recommended)
1.8 Provide automated review of authorizations where possible. (Cat A: Recommended; Cat B/C: Recommended)
1.9 Use central authorization tools where possible; if additional functionality is needed, coordinate development with Information Technology Services (ITS). (Cat A: Recommended; Cat B/C: Recommended)
1.10 Ensure applications store university data in the secure storage that system administrators provide under the Minimum Security Standards for Systems. (Cat A: Required; Cat B/C: Recommended)
1.11 Services or applications running on systems that handle Category-A data should implement secure (that is, encrypted) communications as the confidentiality and integrity requirements of the data demand. (Cat A: Required; Cat B/C: Recommended)
1.12 Implement application logging to the extent practical, given that some systems cannot store large volumes of log data. When logging access to university data, record every user and time of access and retain those logs for at least 14 days. (Cat A: Required; Cat B/C: Recommended)
1.13 Conduct code-level security reviews with professionally trained peers for all new or significantly modified applications, particularly those that affect the collection, use, or display of confidential Category-A data, and document the actions taken. (Cat A: Required; Cat B/C: Recommended)
1.14 Conduct annual security tests of Internet applications. Request annual security scans of Internet applications (EID authentication required). (Cat A: Recommended; Cat B/C: Recommended)
1.15 Ensure that obsolete applications, or obsolete portions of applications, are removed from every possible execution environment. (Cat A: Required; Cat B/C: Recommended)
1.17 Implement and maintain a change management process for changes to existing software applications. (Cat A: Required; Cat B/C: Recommended)
1.18 Third parties (for example, vendors) that provide software or receive university data must enter into written agreements with the university to secure systems and data according to the provisions of section 24 of the IT Security Operations Manual. (Cat A: Required; Cat B/C: Recommended)


Application Administration

# Practice (Cat A; Cat B/C)
2.1 Maintain a full inventory of all applications, using the Office of Information Security's Application Registry, including for each application a description of its authentication and authorization systems, its data classification and level of criticality, and the custodian(s) assigned to it. (Cat A: Required; Cat B/C: Recommended)
2.2 Document clear rules and processes for vetting and granting authorizations. (Cat A: Required; Cat B/C: Recommended)
2.3 At least semi-annually, review and remove all authorizations for individuals who have left the university, transferred to another department, or assumed new job duties within the department. (Cat A: Required; Cat B/C: Recommended)
2.4 Individuals who administer computer systems associated with university data, or who program or analyze software that runs on such systems, must (a) undergo a background check and complete the Security Sensitive Form, and (b) acknowledge these minimum standards at least every two years. (Cat A: Required; Cat B/C: Recommended)


V. Non-Compliance and Exceptions


If any of the minimum standards in this document cannot be met for an application you develop or administer that handles Category A or B data, an Exception Process must be initiated. That process includes reporting the non-compliance to the Office of Information Security, along with a plan for risk assessment and management. Non-compliance with this standard may result in revocation of developer or administrator access, notification of supervisors, and reporting to the Office of Internal Audit and/or the Office of Compliance.

Employees of The University of Texas at Brownsville are required to comply with institutional rules and regulations, applicable UT System rules and regulations, and state laws and regulations.


VI. Related Policies, Procedures, Best Practices and Applicable Laws


The policies and practices listed here inform the application development and administration practices described in this document. You should be familiar with these documents. (This is not a complete list of policies and procedures that affect IT resources.)

UT System UTS-165, Information Resources Use and Security Policy

UTB/TSC Information Resources Use and Security Policy

UTB/TSC Acceptable Use Policy

UTB/TSC Data Classification Policies
