The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS 3 – Standard for Application Development and Acquisition
I. STANDARD STATEMENT
Secure development of applications requires familiarity with best practices that protect data and prevent exposure of the application to unauthorized access. The highest appropriate level of security must be built into every application, whether it is developed internally at UTSA or purchased.
This standard supports HOP Policy 8-12, Information Resources Use and Security Policy.
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about Standard OIS 3 – Standard for Application Development and Acquisition, contact the following office:
The Office of Information Security
1. The standard practices outlined here represent the minimum requirements for the security of UTSA software.
- All production systems and applications must follow the Information Technology Standards for granting access to the system.
- All confidential information within an application under development must be identified and documented.
- Applications running on systems with confidential data must provide safeguards to protect the data from exposure.
- The transfer of such data requires encryption.
- During the development of an application the data owner(s), data custodian(s) and system administrator(s) must be identified.
- Developers must ensure that applications validate input, handle errors properly, and authenticate users through the identity management process.
- Information security, security testing, and audit controls must be included in all phases of the system development lifecycle or acquisition process.
- Copies of production data shall not be used for testing, unless the data have been authorized for public release or unless all custodians involved in testing are otherwise authorized to access the data.
2. All security-related information resources changes shall be approved by the data owner through a change control process.
Definition: “on a regular basis” means at least annually.
Effective Date: January 1, 2012
Last Revised: April 10, 2013