111 Information Security for Software Development, Management, and Administration

The following table shows who is responsible for ensuring compliance with the policy requirements listed below.

Responsible parties (table columns): All Users; System/Application Owners; System Custodians/Administrators; Office of Resource Management (ORM); OIS; WashU IT/IT @ WashU; Departments, Schools, Units.

Requirements (table rows):

Default administrator and system passwords must be changed.
Software platforms and applications must be documented per Standard 211.
OIS will conduct a risk assessment prior to production of applications that involve Confidential or Protected Information.
System and application owners will adhere to logging processes described in Policy 101.
Test environments will be separate from the production environment and protected behind VPN.
Separation of duties will be established and monitored. Mitigating controls will be applied when not feasible.
Any application developed in-house must adhere to Open Worldwide Application Security Project (OWASP) secure coding practices.
OIS will coordinate with ORM to assess third-party vendor applications prior to adoption.
Contracts with third parties are reviewed by ORM.
Applications in use at WashU must be regularly updated and patched according to Policy 104.
Response and recovery planning and testing for third-party partners will adhere to Policy 107.

Summary of Policy

The Information Security for Software Development, Management, and Administration policy communicates requirements and recommendations for secure software development and procurement by WashU departments and schools. This policy covers applications developed in-house, in cooperation with third parties, or acquired as commercial off-the-shelf products. The directives communicated in this policy are based on regulatory requirements, university policies, and industry best practices for protecting the Confidentiality, Integrity, and Availability (CIA) of WashU information resources throughout the software lifecycle.

Full Text of Policy

Policy 111 Information Security for Software Development, Management, and Administration

This policy establishes secure application development and procurement practices for departments and schools at Washington University in St. Louis (WashU).

Related Information

100 Information Security Program

This policy is the foundation of the policy library and provides a rationale for the directives communicated in all other information security policies.

101 Information Security Status Monitoring, Reporting, and Review

This policy communicates logging requirements for academic, clinical, administrative, research, and technical information security activities at WashU.

102 Information Security Authentication, Authorization, and Audit

This policy outlines the process for granting, managing, and reviewing access to university systems and data based on user roles during normal and emergency operations at Washington University in St. Louis (WashU).

104 Information Security Vulnerability Management

This policy communicates the core principles and objectives for information security vulnerability management, including planning, detection, mitigation, and patching.

105 Information Security Risk Management

This policy describes how the Office of Information Security (OIS) helps manage technical and process risks to the Confidentiality, Integrity, and Availability (CIA) of information resources at Washington University in St. Louis (WashU).

107 Information Technology Business Continuity and Disaster Recovery Planning

This policy communicates the expectations for developing, maintaining, and practicing risk-based plans for Information Technology Business Continuity (ITBC) and Information Technology Disaster Recovery (ITDR).

200 Information Security Classification, Labeling, and Handling

This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).

200.1 Information Security Awareness, Behavior, and Culture

This standard establishes and describes a cybersecurity awareness training program for the WashU community.

202 Information Security Identity, Authentication, and Access Control

Review and revision of this standard is in progress. Please contact infosec@wustl.edu.

211 Secure Software Development, Management, and Administration

DRAFT: This standard establishes a comprehensive framework for ensuring the security and integrity of software systems within WashU.