System Development
1. General
The purpose of the system development procedure is to describe the requirements for developing and/or implementing new application software in the University.
2. Applicability
This procedure applies to University information resources that store or process mission critical and/or confidential information. The purpose of the implementation of this procedure is to provide a set of measures that will mitigate information security risks associated with System Development and implementation of new application software. The intended audience for this procedure includes, but is not limited to, all information resources data/owners, management personnel, and system administrators.
3. Definitions
- Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Texas Public Information Act.
- Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
- Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
- Owner of an Information Resource: an entity responsible for:
4. Procedures
- Department Heads and information security owners, and/or their designees, are responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) plan. All software developed in-house that runs on production systems shall be developed according to an SDLC plan. At a minimum, this plan shall address the areas of preliminary analysis or feasibility study; risk identification and mitigation; systems analysis; general design; detail design; development; quality assurance and acceptance testing; implementation; and post-implementation maintenance and review. The requirement for such a methodology ensures the software will be adequately documented and tested before it is used in production.
- All applicable systems shall have designated owners and custodians. Owners, and/or their designees, shall perform periodic risk assessments of production systems to determine whether the controls employed are adequate.
- The department head or owner of an information resource shall ensure that all applicable systems have a documented access control process that restricts who can access the system and restricts the privileges available to system users. A log of the permission(s) granted shall also be maintained.
- Where resources permit, there shall be a separation between the production, development, and test environments. This ensures that security is rigorously maintained for the production system, while the development and test environments can maximize productivity with fewer security restrictions. At least two people will review and approve a change before it is moved into production (see University Information Security Standard, Change Management).