Application Security

August 2007
Chapter 13

INFORMATION TECHNOLOGY AND TELECOMMUNICATION
Section: 13:120

Application Security

Introduction

The purpose of this policy is to avoid inadvertent release of confidential or sensitive information, comply with regulatory mandates, minimize risks to users and the institution, and ensure the availability of critical applications.

This policy applies to applications developed by University staff as well as to those acquired from outside providers. All applications are subject to this policy regardless of whether the application is hosted on University equipment or elsewhere.

Policy

All applications used to acquire, store, report, manipulate, or transmit University owned information assets (data) must be registered with the Division of Information Technology and must meet the security requirements of the MU Data Classification System (MU DCS).

Responsible Parties

Application owners, developers and system administrators must register their custom and vended applications and ensure such systems meet the security requirements of the MU DCS. Your divisional/departmental IT staff must be consulted before developing or procuring Web based applications.

Deans, Department Chairs, Directors and other University administrators must be aware of application and information security policies and provide the resources necessary to ensure the departments they oversee develop and procure applications in a manner consistent with this policy.

The Division of Information Technology is responsible for the enforcement of this policy and has the authority to audit systems as required and to prohibit the use of insecure applications. The Division of Information Technology is also responsible for providing procurement guidelines, training, policy clarification, and technical information to assist departments in meeting this policy. Auditing costs may be passed on to the application owners.

Transition

Due to the volume of existing applications and the ongoing need for new applications, policy compliance will occur over a multi-year period. Departments must inventory their information assets, classify them according to the MU DCS and prioritize their data security efforts. Applications that hold or utilize protected data or other information subject to controlled release must be considered the first priority. The Division of Information Technology will assist departments in assessing the status of their applications and will schedule audits.

Examples

After inventorying the applications in use at MU, the Division of Information Technology will focus its efforts on securing applications that hold or utilize data sets containing student information/records, personally identifiable information such as social security numbers or credit card numbers, and other categories of data that are protected by federal or state laws or regulations. Ultimately, to ensure application availability and reliability, all applications must be secured regardless of the type of information they utilize.

MU Data Classification System (MU DCS)

The MU DCS applies to all schools, colleges and divisions, as well as to individuals accessing, creating or managing data or managing systems where information assets are stored. When the requirements for information assets protected by federal or state laws conflict with the MU DCS, the strictest requirements apply. The MU DCS can be found at http://infosec.missouri.edu/classification/

Except where mandated by federal or state law, or other university policies, the MU DCS will require departments to utilize server housing, server hosting or system administration services provided by the Division of Information Technology depending on the type of application and the data assets it holds. All other exceptions must be authorized by the MU CIO with approval by the IT Executive Committee.

Resources

The name of your divisional/departmental IT professionals can be found at http://doit.missouri.edu/it-pro/list.html.

Contact the Division of Information Technology’s IT security department at ISAM@missouri.edu to schedule a security consultation, request assistance in developing bid specifications, request security training or to request an audit.

Contact the IT Help Desk at 882-5000 for questions related to server hosting and system administration services or to schedule a consultation.