I. STANDARD STATEMENT
This standard defines the duties of an application administrator.
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.
This standard applies to all UTSA faculty, staff, and students.
Contact the Office of Information Security at firstname.lastname@example.org
“on a regular basis” – at least annually
A. Application Administrator – The application administrator must perform a vulnerability scan, or ensure the Office of Information Security performs a vulnerability scan for Web applications:
- Prior to moving the application to the Production environment
- After a compromise of the Web application
- On a regular basis, for all mission-critical operations
- As requested by the application owner when potential or existing risks are identified within the environment
- The application administrator must complete a risk assessment on a regular basis, as specified in the Standard for Information Security Risk Assessment.
- The application administrator must complete a data review prior to moving the application to the Production environment
- Any request to access or use application data must be approved by the data owner.
- Data owner should be notified if data is to be stored outside of the university
- If the data is to be hosted outside of UTSA, an agreement must be reviewed by the UTSA Purchasing and Legal departments and the Office of Information Security.
B. Application Developer or Application Acquisition Team
- Follow standards for granting access to the application, as specified in the Standard for Account Management.
- Identify all confidential information and document the business need for having that data.
- Provide safeguards to protect data from exposure.
- Encrypt all data in transit.
- Identify all data owners, data custodians and system administrators.
- Ensure the application validates input, executes proper error handling and authenticates users through identity management processing if local authentication is supported.
- Include information security, security testing and audit controls in all phases of the development/acquisition process.
- Institute a change control process so the data owner approves all security-related information resources changes.
- Ensure the application enforces passphrase requirements as described in the Standard for Passwords and Passphrases.
C. Office of Information Technology Staff Member
- Create and maintain the Application Registry. Ask for the following:
- Purpose of the application
- Staff members responsible for the application
- Data classification
- Relevant technical information
- Enforcement of this policy.
- Perform audits and monitoring activities to detect any unsecured systems.
- Provide technical assistance to departments so they can meet the requirements.
- Policy Review
- In order to maintain currency of the Information Security Program, this policy is subject to review by the Office of Information Security on a regular basis.
- Any exception to requirements set forth in this policy must be approved in writing by the UTSA Office of Information Security.
Title: OIS 43 – STANDARD FOR APPLICATION ADMINISTRATOR
Effective Date: September 12, 2014
Reviewed: June 11, 2020