Application Development and Deployment

Objective: 

This Business Policy defines requirements for applications developed and/or deployed for SF State.

Statement: 

Purpose and Scope

This Policy defines requirements for applications (including software on appliances) developed or deployed (whether on or off-campus) for San Francisco State. This applies to technology purchased, obtained at no cost or custom developed (in-house or by third-parties). 

Policy

It is the responsibility of unit managers to ensure that this and other University Policies and Campus Technology Policies are followed. Exceptions to the requirements of this or any other Policies must be documented and approved.

Use of sensitive data

• Applications will not store or transmit sensitive data unless absolutely necessary
• Need for sensitive data will be verified and approved by the data owner (e.g. HR for HRMS, Fiscal Affairs for FMS)
• Sensitive data must be encrypted in transit
• Use of Level 1 Confidential data must be approved by the Information Security Officer
• Level 1 Confidential data must be encrypted in storage and backups

Testing

• Security testing criteria, including testing for common vulnerabilities, will be scheduled, documented, maintained and followed prior to custom-developed applications being moved into production
• Updates to custom-developed applications will be regression tested and verified before deployment

General

• Default configurations for servers, applications and code libraries (e.g., default admin accounts with blank or published password) will be evaluated prior to installation
• Server administration, logging and debugging information will not be publicly accessible in production systems
• Principles of separation of duties will be followed regarding access to production source code and systems