The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS-43 – Standard for Application Administrator
I. STANDARD STATEMENT
This standard defines the duties of an application administrator.
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS-43 – Standard for Application Administrator contact the following office:
The Office of Information Security
- “on a regular basis” – at least annually
A. Application Administrator
1. The application administrator must perform a vulnerability scan, or ensure the Office of Information Security performs a vulnerability scan for Web applications:
a. Prior to moving the application to the Production environment
b. After a compromise of the Web application
c. On a regular basis, for all mission-critical operations
d. As requested by the application owner when potential or existing risks are identified within the environment
3. The application administrator must complete a data review prior to moving the application to the Production environment.
a. Any request to access or use application data must be approved by the data owner.
b. The data owner should be notified if data is to be stored outside of the university.
c. If the data is to be hosted outside of UTSA, an agreement must be reviewed by the UTSA Purchasing and Legal departments and the Office of Information Security.
B. Application Developer or Application Acquisition Team
2. Identify all confidential information and document the business need for having that data.
3. Provide safeguards to protect data from exposure.
4. Encrypt all data in transit.
5. Identify all data owners, data custodians and system administrators.
6. Ensure the application validates input, executes proper error handling and authenticates users through identity management processing if local authentication is supported.
7. Include information security, security testing and audit controls in all phases of the development/acquisition process.
8. Institute a change control process so the data owner approves all security-related information resources changes.
C. Office of Information Technology Staff Member
1. Create and maintain the Application Registry. Ask for the following:
a. Purpose of the application
b. Staff members responsible for the application
c. Data classification
d. Relevant technical information
2. Enforce this policy.
3. Perform audits and monitoring activities to detect any unsecured systems.
4. Provide technical assistance to departments so they can meet the requirements.
D. Policy Review
1. In order to maintain currency of the Information Security Program, this policy is subject to review by the Office of Information Security on a regular basis.
Any exception to requirements set forth in this policy must be approved in writing by the UTSA Office of Information Security.
Effective Date: September 12, 2014
Last Revised: September 30, 2016
Reviewed: August 8, 2017