Policy 111 Information Security for Software Development, Management, and Administration
- Purpose
- Applicability and Audience
- Roles and Responsibilities (100.01)
- Policy
- Policy Compliance
- Related Policies, Standards, and Guidelines
- References
- Policy Review
Purpose
This policy establishes secure application development and procurement practices for departments and schools at Washington University in St. Louis (WashU). Such applications may be developed in-house, in cooperation with a third party, or acquired as commercial off-the-shelf products (COTS). Secure development principles are based on regulatory requirements, university policies, and industry best practice to protect the Confidentiality, Integrity, and Availability (CIA) of WashU information resources throughout the lifecycle.
Applicability and Audience
This policy applies to all WashU applications, systems, and network segments.
All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.
Information Security Roles and Responsibilities (100.01)
Policy
111.00 Introduction
The WashU Community relies on software applications for many university activities. These applications may be commercially available, developed in-house, or procured from a third-party vendor. Whatever the origin of the application, the Office of Information Security (OIS) establishes appropriate security controls throughout the application's lifecycle to protect university information resources from unauthorized access. Controls are assigned commensurate with risk and according to system and information classification.
This policy establishes secure development and procurement practices that system and application owners must implement and document for applications developed or purchased for use in WashU activities.
Refer to Standard 211: Information Security for Software Development, Management, and Administration for additional information.
111.01 Requirements for All Software Platforms and Applications
The following controls are required for COTS, third-party vendor applications, and applications developed in-house:
- Default administrator and system passwords must be changed.
- Software platforms and applications must be documented per Standard 211: Information Security for Software Development, Management, and Administration.
- The OIS will conduct a risk assessment before an application that will store, access, create, and/or transmit WashU Confidential and/or Protected Information is placed into production. Refer to Policy 105: Information Security Risk Management for additional information. Standard 200: Information Security Classification, Labeling, and Handling includes details about Confidential and Protected Information.
- System and Application Owners will adhere to logging processes described in Policy 101: Information Security Status Monitoring, Reporting, and Review.
- Authentication, authorization, and access control requirements are described in Policy 102: Information Security Authorization, Authentication, and Audit and Standard 202: Information Security Identity, Authentication, and Access Control.
111.02 Additional Requirements for Software Applications Developed In-House
The security controls listed below apply to software applications developed in-house (i.e., software developed by a team of WashU employees). They are applied according to the classification of the data involved, the criticality of the application, and the potential for harm or loss to WashU if a threat exploits a vulnerability in the software. These controls apply to all lifecycle states of the application. If it is not possible to meet the expectations listed below, the OIS will review and document an exception request.
- Test environments will be separate from the production environment and accessible only through the VPN. Documented exceptions to this requirement will be handled on a case-by-case basis.
- Separation of duties will be established and monitored to prevent conflicting roles and ensure that no individual is granted access to all phases of the development and implementation process. Mitigating controls will be applied when separation of duties is not feasible.
- Any application developed in-house must adhere to Open Worldwide Application Security Project (OWASP) secure coding practices.
Refer to Standard 211: Information Security for Software Development, Management, and Administration for more information about requirements and Standard 200.1: Information Security Awareness, Behavior, and Culture for details about accessing appropriate training.
111.03 Additional Requirements for COTS and Third-Party Partner Applications
The following controls are required for COTS and third-party vendor applications, including WashU customizations of COTS:
- The OIS will coordinate with the Office of Resource Management to assess third-party vendor applications prior to adoption. Using the IT Procurement Vendor Intake process, the OIS will identify, prioritize, and assess third-party vendors and evaluate potential risks in the associated cyber supply chain. Refer to Policy 105: Information Security Risk Management for more information about the risk assessment process.
- Contracts with suppliers and third-party partners are reviewed by the Office of Resource Management to ensure they meet university security expectations, among other requirements.
- Applications in use at WashU must be regularly updated and patched according to Policy 104: Information Security Vulnerability Management.
- Internal Audit will routinely assess suppliers and third-party partners using audits, test results, and other evaluations to ensure they are meeting contractual obligations.
- Response and recovery planning and testing for suppliers and third-party partners will proceed according to Policy 107: Information Technology Business Continuity and Disaster Recovery Planning.
- Refer to Standard 202: Information Security Identity, Authentication, and Access Control for more information about vendor access to WashU applications and systems.
Policy Compliance
The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.
Internal Audit will independently review logical and physical controls, reporting findings and recommendations to senior management and the Board of Trustees.
Related Policies, Standards, and Guidelines
- Policy 100: Information Security Program Policy
- Policy 101: Information Security Status Monitoring, Reporting, and Review
- Policy 102: Information Security Authentication, Authorization, and Audit
- Policy 104: Information Security Vulnerability Management
- Policy 105: Information Security Risk Management
- Policy 107: Information Technology Business Continuity and Disaster Recovery Planning
- Standard 200: Information Security Classification, Labeling, and Handling
- Standard 200.1: Information Security Awareness, Behavior, and Culture
- Standard 202: Information Security Identity, Authentication, and Access Control
- Standard 211: Information Security for Software Development, Management, and Administration
References
Open Worldwide Application Security Project
Policy Review
This policy will be reviewed by the OIS at a minimum of every three years.
Policy Number and Title: 111 Information Security for Software Development, Management, and Administration
Owner: The Office of Information Security
Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: October 8, 2024
Current Version Publication Date: December 6, 2024