I. STANDARD STATEMENT

Secure development of applications requires familiarity with best practices which provide protection of data and prevent exposure of the application to unauthorized access. The highest appropriate levels of security should be built into any application whether it be developed internally to UTSA or purchased.

II. RATIONALE

This standard supports HOP Policy 8-12 Information Resources Use and Security Policy

III. SCOPE

This standard applies to all UTSA faculty, staff, and students.

IV. CONTACTS

If you have any questions contac: The Office of Information Security at informationsecurity@utsa.edu

V. PROCEDURES

  1. The standard practices outlined here represent the minimum requirements for the security of UTSA software.
    1. All production systems and applications must follow the Information Technology Standards for granting access to the system.
    2. All confidential information within an application under development must be identified and documented.
    3. Applications running on systems with confidential data must provide safeguards to protect the data from exposure.
    4. The transfer of such data requires encryption.
    5. During the development of an application the data owner(s), data custodian(s) and system administrator(s) must be identified.
    6. Developers must ensure that applications validate input, execute proper error handling, and properly authenticate users through identity management processing.
    7. Information security, security testing, and audit controls must be included in all phases of the system development lifecycle or acquisition processing.
    8. Copies of production data shall not be used for testing, unless the data have been authorized for public release or unless all custodians involved in testing are otherwise authorized to access the data.
  2. All security-related information resources changes shall be approved by the data owner through a change control process.

VI.  DEFINITIONS

“on a regular basis” – at least annually

 

Effective Date: January 1, 2012
Last Revised: June 9, 2020