IT Security Standard: Web Application Approval Process

Brief Description:

This standard is intended to provide developers and administrators of campus web applications with an understanding of the approval process required for initial development and change requests.

Introduction:

To help safeguard university web applications from unauthorized changes, and to ensure that they are consistent with user and management expectations, owners of web applications must create and implement an approval process for initial development and ongoing change requests. Where possible, this approval process should enforce separation of duties for those individuals who are involved in one or more of the following processes: developing/modifying web applications, approving changes, and/or authorizing deployment into production environments. In those organizations where separation of duties is not possible due to staffing limitations or availability, the organization must employ proper management oversight and approval.

Scope:

This standard applies to any departments that develop and maintain web applications.

Standard:

Required:

  1. Create, document, and implement a process of approval for the web application. 
  2. This process must include implementing a documented trail of approval that can be provided to auditors on demand.
  3. The records of the approved changes must be retained for three (3) years.
  4. Enforce separation of duties for approval and deployment by implementing one of the following options:
    1. Deployment to production must be approved by an individual/group who has proper authority and who was not involved in developing or making changes to the application.
    2. If a department cannot separate these responsibilities due to staffing limitations or availability, the department must ensure that proper management oversight is in place to monitor, document, and approve all changes.

Recommended:

  1. The manner in which web application development and change requests are documented, approved, and retained is left largely up to the discretion of the individual departments.  For example, JIRA or SRS tickets, e-mail, blogs, wikis, or a workflow can be used for tracking changes and approval. 
  2. The department should define the roles and responsibilities that form a chain of approval: the client who requested the web application, the functional group that supports and/or “owns” the data, the developers of the web application, the tech support group that will be supporting/maintaining it, etc.
  3. The approval process should document at a minimum:
    1. A description of the modification to be approved
    2. Any important details (e.g. deployment details, modification details)
    3. Any deviations from the normal process (e.g. deployment details, chain of approval changes)
    4. The name and position of the approver
    5. The name and position of the individual/group who made the changes
    6. The name and position of the individual/group who is responsible for moving the changes to production
    7. The name and position of the individual/group who authorized the changes to production
    8. The date and time of approvals

Definitions:

Separation Of Duties - The designated approver must not have access to deploy the code him/herself. The developer(s) who modify a web application should not have access to deploy those changes to production.

Web Application - For the purposes of these IT Security Standards, a web application is defined as any application that connects to a campus network and/or the Internet and that dynamically accepts user input.

Responsibilities: 

All approvers and developers must have the proper authority and security access to authorize and implement software changes.

Non-Compliance and Exceptions:

During the annual risk assessment process or in response to an audit, departments may be required to produce documentation describing their approval process. If none exists, the department will be required to produce said documentation within a specified timeframe. 

Implementation:

Effective Date: 9/30/2010
Review Frequency: Annual
Responsible Officer: Vice Provost/Chief Information Officer

Revision History

Date        Action                    Pages
9/30/2010   Release of New Document   All
9/04/2014   Reviewed Standard         All

 
