Purpose

Software applications and systems are used at UTHSC to meet a variety of needs. This standard requires that as part of these information system’s lifecycle, security features are considered an integral part of the planning, creating, testing, and deploying of information systems to prevent unauthorized use, access, transmission, modification, or destruction of UTHSC data or information. This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

All Information Systems planned, created, tested, and installed at UTHSC that process, store, access or transmit UTHSC data or information. Information systems may be hardware only, software only, or a combination of both. The concepts and principles of this Standard apply to information systems that are either software only, or a combination of hardware and software (Application Systems).

Responsibilities

Individuals who install, develop, upgrade, test, or modify Application Systems on UTHSC IT Resources, including end user workstations, are responsible for notifying the UTHSC Office of Cybersecurity about the Application Systems for purposes of inventory and security evaluation.

Said individuals are responsible for actively participating in the security evaluation of the Information Systems.

UTHSC developers are responsible for ensuring that any custom-developed Application Systems developed and deployed by UTHSC must meet security features per SC-003.02-Application System Security Features to prevent unauthorized use, access, transmission, modification, or destruction of UTHSC data or information.

Standard

An up‐to‐date inventory of Application Systems installed, owned, or used for UTHSC must be maintained and kept current per Practice-InfoSec-SC-003.02-Application System Security Features, for any Application Systems used to access, transmit, modify, or store UTHSC data or information.
The use of Application Systems for non-UTHSC purposes, such as for personal, entertainment or non-UTHSC business use is subject to departmental policy. When permitted, such Information Systems must also comply with this standard.
A security evaluation on new Application Systems purchases, development, major upgrades, enhancements, platform migrations, application service provider and software, as a service solution, must be performed prior to use of the Application Systems in a production environment, prior to use by users, and prior to interaction with UTHSC data or information with a classification ranking of 3 in any area.
Application Systems determined by the security evaluation process to present an unacceptable security risk to UTHSC are prohibited from accessing or using the UTHSC network, and from interacting with UTHSC data or information with a classification ranking of 3 in any area.
UTHSC IT Security Team may at any time require an individual to uninstall or remove Application Systems that have been verified to create an unacceptable security risk.
Any custom-developed Application Systems developed and deployed by UTHSC must meet security features per Practice-InfoSec-SC-003.02-Application System Security Features to prevent unauthorized use, access, transmission, modification, or destruction of UTHSC data or information.
Any UTHSC Application System for credit card processing activities, including debit card processing and e-commerce activities must comply with UT Fiscal policy FI0311 – Credit Card Processing.
Failure to comply with this policy will be reported as an information security violation and may result in loss of network and system privileges for the software and/or disciplinary action per Practice-InfoSec-GP-001.04-Information Security Violations for the individual(s) violating the policy.