Information Resources Use and Security Policy

25.1. The university must ensure that the protection of Information Resources (including data confidentiality, integrity, and accessibility) is considered during the development or purchase of new computer applications. The following procedures are required:

25.1.1. All associated systems and applications must restrict access and must provide methods for appropriately restricting privileges of authorized users. Access to applications is granted on a need-to-access basis.

25.1.1.1. All applications processing Category-I data must comply with the Minimum Security Standards for Application Development and Administration.

25.1.2. Separate production and development environments will be maintained to ensure the security and reliability of the central production system. Whenever possible, new development or modifications to a production system will be made first in a development test environment. These changes should be thoroughly tested for valid functionality before being released to the production environment.

25.2. Information technology outsourcing contracts must address security, backup, and privacy requirements, and should include right-to-audit or other provisions to provide appropriate assurances that applications and data will be adequately protected. Vendors must adhere to all federal and state laws and Regent's Rules pertaining to the protection of Information Resources and privacy of Category-I Digital Data.