IT1516-HSC-B Application System Security

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

Software applications and systems are used at the University of Tennessee Health Science Center (UTHSC) to meet a variety of needs. This standard requires that, as part of these information systems' lifecycle, security features are treated as an integral part of planning, creating, testing, and deploying information systems, to prevent unauthorized use, access, transmission, modification, or destruction of UTHSC data or information.

Scope

All Information Systems planned, created, tested, and installed at UTHSC that process, store, access, or transmit UTHSC data or information. Information systems may be hardware only, software only, or a combination of both. The concepts and principles of this Standard apply to information systems that are either software only, or a combination of hardware and software (Application Systems).

Definitions

Application – the system, functional area, or problem to which information technology is applied. The application includes related manual procedures as well as automated procedures. Payroll, accounting, and management information systems are examples of applications.

Responsibilities

Individuals who install, develop, upgrade, test, or modify Application Systems on UTHSC IT Resources, including end user workstations, are responsible for notifying the UTHSC Office of Cybersecurity about the Application Systems for purposes of inventory and security evaluation.

Said individuals are responsible for actively participating in the security evaluation of the Information Systems.

UTHSC developers are responsible for ensuring that any custom-developed Application Systems developed and deployed by UTHSC must meet security features per IT1516-HSC-B.01-Application System Security Features to prevent unauthorized use, access, transmission, modification, or destruction of UTHSC data or information.

Standard

  1. An up‐to‐date inventory of Application Systems installed, owned, or used for UTHSC must be maintained and kept current per IT1516-HSC-B.01-Application System Security Features, for any Application Systems used to access, transmit, modify, or store UTHSC data or information.
  2. The use of Application Systems for non-UTHSC purposes, such as personal, entertainment, or non-UTHSC business use, is subject to departmental policy. When permitted, such Information Systems must also comply with this standard.
  3. A security evaluation of new Application System purchases, development, major upgrades, enhancements, platform migrations, application service provider solutions, and software-as-a-service solutions must be performed prior to use of the Application Systems in a production environment, prior to use by users, and prior to interaction with UTHSC data or information with a level 2 categorization per IT0005-HSC-A-Data & System Categorization.
  4. Application Systems determined by the security evaluation process to present an unacceptable security risk to UTHSC are prohibited from accessing or using the UTHSC network, and from interacting with UTHSC data or information with a level 1 or above categorization per IT0005-HSC-A-Data & System Categorization.
  5. UTHSC IT Security Team may at any time require an individual to uninstall or remove Application Systems that have been verified to create an unacceptable security risk.
  6. Any custom-developed Application Systems developed and deployed by UTHSC must meet security features per IT1516-HSC-B.01-Application System Security Features to prevent unauthorized use, access, transmission, modification, or destruction of UTHSC data or information.
  7. Any UTHSC Application System for credit card processing activities, including debit card processing and e-commerce activities must comply with UT Fiscal policy FI0311 – Credit Card Processing.
  8. Failure to comply with this policy will be reported as an information security violation and may result in loss of network and system privileges for the software and/or disciplinary action per IT0003-HSC-A.03-Information Security Violations for the individual(s) violating the policy.

Policy History

Version #   Effective Date
1           03/20/2016
4           06/17/2020
5           05/18/2022
6           09/29/2022
7           03/01/2025 – new naming convention

References

  1. IT1516-Information Technology Service Provider Management and Application Software Security
  2. IT0003-HSC-A.03-Information Security Violations
  3. IT0005-HSC-A-Data & System Categorization
  4. IT1516-HSC-B.01-Application System Security Features
  5. UTHSC-Information Security Program
  6. UT Fiscal Policy: FI0311 Credit Card Processing

Version: 7 // Effective: 03/20/2016