Application Development and Deployment

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Wednesday, September 1, 2010

Authority: 


Objective: 

This Business Practice Directive defines requirements for applications developed and/or deployed for SF State.


Statement: 

Purpose and Scope

This Practice Directive defines requirements for applications (including software on appliances) developed or deployed (whether on or off-campus) for San Francisco State. This applies to technology purchased, obtained at no cost or custom developed (in-house or by third-parties). 

Practice Directive

It is the responsibility of unit managers to ensure that this and other University Practice Directives and Campus Technology Practice Directives are followed. Exceptions to the requirements of this or any other Practice Directive must be documented and approved.

Use of sensitive data

  • Applications will not store or transmit sensitive data unless absolutely necessary
  • Need for sensitive data will be verified and approved by the data owner (e.g. HR for HRMS, Fiscal Affairs for FMS)
  • Sensitive data must be encrypted in transit
  • Use of Level 1 Confidential data must be approved by the Information Security Officer
  • Level 1 Confidential data must be encrypted in storage and backups

Testing

  • Security testing criteria, including testing for common vulnerabilities, will be documented, maintained and followed prior to custom-developed applications being moved into production
  • Updates to custom-developed applications will be regression tested and verified before deployment

General

  • Default configurations for servers, applications and code libraries (e.g., default admin accounts with blank or published password) will be evaluated prior to installation
  • Server administration, logging and debugging information will not be publicly accessible in production systems
  • Principles of separation of duties will be followed regarding access to production source code and systems