K-State’s new System Development and Maintenance Security Policy helps ensure that security is considered at all stages of an information system’s life cycle. Too often, security is an afterthought when a new application is implemented, or a change to an existing system introduces a new security vulnerability and thereby places university data at risk.
This policy targets anyone involved in the acquisition, implementation, or maintenance of an enterprise information system or “systems that require special attention to security due to the risk of harm resulting from loss, misuse, or unauthorized access to or modification of the information therein.” An example of the latter would be a departmental or college system that contains confidential student or personnel data.
The policy addresses the following areas:
- Developing and maintaining a security plan and appropriate documentation
- Using separate test, development, and production environments
- Proper handling of test data
- Managing vulnerabilities in all components of the system
- Ensuring that these requirements are addressed when a system or component is acquired from a third-party vendor
It also identifies a new role, information system security administrator, that has overall responsibility for security of the information system. The intent is to make sure someone pays attention to the security of the system, which typically does not require hiring additional staff since in most cases someone is already filling that role. As the policy says, this “role may be filled by someone directly involved with the development, maintenance, and/or operation of the information system.”
If you have questions about this or any other IT security policy, contact Harvard Townsend, chief information security officer (harv@k-state.edu, 785-532-2985).