Minimum Security Standards for Application Development and Administration

Application Development
Compliance with these requirements does not imply a completely secure application or system. Instead, these requirements should be integrated into a comprehensive system security plan.

This standard applies to all software applications that are being developed or administered by faculty, staff, student employees, contractors, vendors and that are running on devices, physical or virtual, where university data are classified as Category I, II, or III (see Data Classification Standard).

♻: A recurring task; this should be automated when possible

👍: Recommended

✔: Required

| Practice | Category I | Categories II & III |
|---|---|---|
| Classify the university data handled or managed by the application (see Data Classification Standard). | ✔ | ✔ |
| Prominently display a System Login Banner on the screen or interface in use by the application, depending on the type of data being accessed (for example, FERPA, HIPAA, etc.). Do not display Category-I data that has been specifically restricted by law or policy (for example, Social Security Numbers, Protected Health Information, or Credit Card data) unless permitted by the HSC Information Security Office and the HSC Office of Integrity and Compliance. | ✔ | 👍 |
| Ensure applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Examples of the flaws this guards against include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws. See http://www.owasp.org/ for more information and examples. | ✔ | 👍 |
| Ensure applications execute proper error handling so that errors do not disclose detailed system information, deny service, impair security mechanisms, or crash the system. See http://www.owasp.org/ for more information and examples. | ✔ | 👍 |
| Ensure applications processing data properly authenticate users through the central authentication systems, specifically Enterprise Authentication, HSC Active Directory, or UNT System Shibboleth. | 👍 | 👍 |
| Establish authorizations for applications by affiliation, membership, or employment, rather than by individual. | 👍 | 👍 |
| If individual authorizations are used, they should expire and require renewal on a periodic (at least annual) basis. | ✔ | 👍 |
| Provide automated review of authorizations where possible. | 👍 | 👍 |
| Use central authorization tools where possible; if additional functionality is needed, coordinate development with Information Technology Services (ITS). | 👍 | 👍 |
| Ensure applications use secure storage for university data to the extent that system administrators provide such storage in accordance with the provisions of the Minimum Security Standards for Systems. | ✔ | 👍 |
| Services or applications running on systems that handle Confidential data should implement secure (that is, encrypted) communications as required by confidentiality and integrity needs. | ✔ | 👍 |
| Implement application logging to the extent practical, given the limited capacity of some systems to store large amounts of log data. When logging access to university data, store logs of all users and times of access for at least 14 days. | ✔ | 👍 |
| Conduct code-level security reviews with professionally trained peers for all new or significantly modified applications, particularly those that affect the collection, use, and/or display of Confidential data, and document the actions that were taken. | ✔ | 👍 |
| The Information Security Office completes an initial application security assessment of internet applications and sites; the Vulnerability Assessment Scan is requested through the IT ticketing system. | ✔ | 👍 |
| Ensure that obsolete applications, or portions of applications, are removed from any possible execution environment. | ✔ | ✔ |
| Implement and maintain a change management process for changes to existing software applications. | ✔ | 👍 |
| Third parties (for example, vendors) providing software and/or receiving institutional data must enter into written agreements with UNTHSC to secure systems and data according to the provisions of the UNTHSC Information Security Policy. | ✔ | 👍 |
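The input-validation, error-handling and access-logging practices above are stated as requirements without showing what they look like in code. The following is an added illustration, not part of the standard and not code from UNTHSC: a small request handler that accepts only allowlisted field shapes, records who accessed what and when in the server log, and maps every failure to a generic client message with a reference id so that staff can find the detailed entry without the caller ever seeing hostnames or stack traces. The field names, rules, and the in-memory student lookup are constructed assumptions for the example.

```python
import logging
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example: field names, rules and the in-memory "data store"
# below are assumptions for illustration, not part of the standard.

log = logging.getLogger("example.app")

# Allowlist rules: each field must fully match one known-good shape.
# Anything else (extra characters, unknown fields, wrong types) is rejected.
FIELD_RULES = {
    "student_id": re.compile(r"^[0-9]{8}$"),               # exactly 8 digits
    "term": re.compile(r"^(spring|summer|fall)-20[0-9]{2}$"),
    "note": re.compile(r"^[A-Za-z0-9 .,'-]{0,200}$"),       # bounded free text
}


class ValidationError(ValueError):
    """Raised when a field fails allowlist validation."""


def validate(params):
    """Return a cleaned dict containing only allowed fields with allowed values.

    Unknown fields are rejected rather than silently ignored, and every value
    must be a string that fully matches its rule (missing fields count as "").
    """
    if not isinstance(params, dict):
        raise ValidationError("params must be a mapping")
    unknown = set(params) - set(FIELD_RULES)
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")
    cleaned = {}
    for name, rule in FIELD_RULES.items():
        value = params.get(name, "")
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValidationError(f"field {name!r} failed validation")
        cleaned[name] = value
    return cleaned


@dataclass
class Response:
    status: int
    body: str


# Constructed in-memory store standing in for a real database query.
_STUDENTS = {"00123456": "record for 00123456 (constructed placeholder)"}


def lookup_record(student_id):
    """Backend lookup; one id simulates an infrastructure failure so the
    error-handling path can be exercised."""
    if student_id == "99999999":
        raise RuntimeError("db: connection refused to dbhost.internal:5432")
    return _STUDENTS.get(student_id)


def handle_request(user, params, now=None):
    """Validate, log the access (user and time), and map every failure to a
    generic message. The reference id ties the client message to the detailed
    server-side log entry without exposing internals to the caller."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    try:
        clean = validate(params)
    except ValidationError as exc:
        log.warning("access user=%s time=%s result=rejected reason=%s", user, ts, exc)
        return Response(400, "Invalid request.")
    try:
        record = lookup_record(clean["student_id"])
    except Exception:
        incident = secrets.token_hex(4)
        # Full detail, including the traceback, goes to the server log only.
        log.exception("access user=%s time=%s result=error incident=%s", user, ts, incident)
        return Response(500, f"An internal error occurred (reference {incident}).")
    log.info("access user=%s time=%s student_id=%s result=ok", user, ts, clean["student_id"])
    if record is None:
        return Response(404, "Not found.")
    return Response(200, record)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle_request("alice", {"student_id": "00123456", "term": "fall-2024"}))
    print(handle_request("alice", {"student_id": "0012345x", "term": "fall-2024"}))
    print(handle_request("alice", {"student_id": "99999999", "term": "fall-2024"}))
```

The three calls at the bottom show the success path, a rejected input, and a backend failure; in the last case the client sees only a reference id, while the log line carries the user, timestamp and full exception for the 14-day retention window the standard requires.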

 

Application Administration
| Practice | Confidential | Controlled & Published |
|---|---|---|
| Maintain a full inventory of all applications, using the Information Security Office's Application Registry (TBA), which includes descriptions of authentication and authorization systems, the data classification and level of criticality for each application, and the custodian(s) assigned to each application. | ✔ | 👍 |
| Document clear rules and processes for vetting and granting authorizations. | ✔ | 👍 |
| On at least a semi-annual basis, review and remove all authorizations for individuals who have left the university, transferred to another department, or assumed new job duties within the department. | ✔ | 👍 |
| Individuals who administer computer systems associated with university data, or who engage in programming or analysis of software that runs on such systems, must: (a) undergo a background check; (b) acknowledge these minimum standards on at least a two-year cycle; and (c) complete yearly Cyber Security Training units per UNTHSC policies and Texas law. | ✔ | 👍 |