System Development Standard
Introduction
Scope
Application Design
Application Development
Application Implementation
System Design
1.0 Introduction
1.1 Purpose
The System Development standard will address security and development management issues related to design and development of software and systems for the MnSCU system office and campuses. There are three primary areas within System Development that need to be addressed in this standard. The first area is application design. Application design must ensure that all other MnSCU standards, such as the Data Protection Standard, are adhered to from the design perspective. The second area is the Application Development process itself. The third area deals with the implementation of the developed software and systems. Standards need to be in place to ensure the software that is implemented is maintainable and recoverable.
1.2 Background
Application software is responsible for the actual maintenance and reporting of the complete inventory of data as stored in MnSCU systems (for example ISRS). The application must be designed, developed and implemented to prevent unauthorized access and improper reporting of the data, some of which is protected under various data privacy policies and laws.
2.0 Scope
2.1 Users
This standard shall apply to all users who develop applications that interact with the MnSCU defined and/or managed systems.
2.2 Systems
All systems developed/maintained that access data owned and/or managed by MnSCU are within the scope of this standard.
3.0 Application Design
These application design requirements shall apply to both commercial products and MnSCU developed code.
3.1 System Definition
- The Information Security Manager or designee shall furnish information security requirements during system definition and specification.
- The Information Security Manager or designee shall be available for consultation on and interpretation of developmental information security requirements.
3.1.1 Capacity Planning
- All system specification and design shall incorporate capacity planning information.
3.2 Application Security
- The application design process shall include a process to ensure that access to information and ability to update follows defined access standards. These standards are defined in the MnSCU Data Protection Standard.
3.2.1 Menus and Presentation Forms
- Access to menus and presentation forms shall be role based.
3.2.2 Parameter checking
- System specifications shall incorporate boundary checking and parameter validity checks.
3.2.3 Reports and Processes
- Access to reports that may be printed and/or sent to an individual via e-mail shall be role based.
3.3 Database Security
- The application design process shall include a process to assign the appropriate security at the database level.
- The three main classes of data that will require database security definitions are UNRESTRICTED, RESTRICTED, and PROTECTED data.
- Database security shall be designed to meet the Data Stewardship requirements as defined in the MnSCU Data Protection Standard.
3.3.1 Production Databases
- All updates to data shall be initiated and controlled on production databases.
- The application design shall define all access to production databases, including both presentation-layer access and direct database access.
3.3.2 Replicated Databases
- The application design shall provide definition for all access to replicated databases.
3.3.3 Campus Databases
- The application design shall provide definition for all access to information in campus defined databases.
3.3.4 Databases Containing RESTRICTED or PROTECTED data
- The application design shall provide definition for all access to information in databases containing RESTRICTED or PROTECTED data.
3.4 Design Audit
- The Information Security Manager or designee shall be involved with all design walkthroughs to ensure information security requirements are being met.
4.0 Application Development
4.1 Source Code Management
To maintain the integrity and security of application software developed to support MnSCU institutions, strong source code management is required. Source code management will include the maintenance of prior versions as well as the documentation of changes to include the author of the change (userid).
- A source code management process shall be used to maintain and/or store four generations of source code.
- A source code management process shall be used to maintain and/or store all 4th generation source (procedure) code.
- A source code management process shall be used to maintain and/or store code used to generate web applications.
- Training shall be provided to all development staff in the proper use of code management tools.
4.2 Software Quality Assurance
Software Quality Assurance is defined as a process to verify that software will be developed in accordance with all appropriate standards and that it meets the business requirements defined in the application design phase.
- A Quality Assurance review shall occur prior to the start of coding for major new applications and significant changes to current applications.
- A Quality Assurance review shall occur at major milestones within a project to ensure design and business requirements are being met.
- A Quality Assurance review shall occur prior to quality control testing.
- Design reviews shall be used to support quality assurance requirements.
4.3 Secure Coding
4.3.1 System Tools
- System and Development managers shall be responsible for maintaining current revisions of system development tools.
- System Managers shall be responsible for tracking information security news sources to maintain awareness of current exploits applicable to MnSCU system development tools.
4.3.2 Training
- Secure coding training shall be required for all MnSCU system development personnel.
4.4 System Integrity
- All MnSCU system development shall include revision control.
5.0 Application Implementation
5.1 Software Quality Assurance
- Prior to the implementation of MnSCU software, Quality Assurance testing shall occur to ensure the application will meet the business requirements as agreed to in the application design.
5.2 Software Quality Control/Rollout
- Quality Assurance testing shall occur for MnSCU software prior to implementation to ensure that all applicable standards have been adhered to.
5.3 Production Support / Change Management
- Changes to production software shall follow approved standards for enhancements and bug corrections.
5.4 Acceptance Testing
- The Information Security Manager or designee shall furnish a security acceptance test plan validating compliance with information security requirements.
- All acceptance test plans shall include a regression plan.
6.0 System Design
- Systems may incorporate commercial applications, MnSCU developed applications, or both.
- Servers may host multiple applications, or applications may be distributed among multiple servers.
- Interactions between applications that share a server, or between components of a distributed application, may be difficult to predict.
6.1 System Integration
- New systems shall have a system integration plan approved by the Information Security Manager or designee.
6.2 System Test
- New systems shall have a system acceptance test plan approved by the Information Security Manager or designee.