System & Application Security
Application development procedures are vital to the integrity of systems. If applications are not developed properly, data may be processed in such a way that the integrity of the data is corrupted. In addition, the integrity of the application software itself should be maintained, both in terms of change control and in terms of attack from malicious software.
System Development Lifecycle (SDLC)
In order to ensure that systems security is considered during the development and maintenance stages, Michigan Tech has defined an SDLC and the following minimum requirements during each phase:
- Feasibility Phase – high-level review to ensure security requirements can support the business case.
- Requirements Phase – define any initial security requirements or controls to support the business requirements.
- Design Phase – verify appropriate security controls for the baseline have been identified and ensure change control is established and used for the remainder of the life cycle. Repeat verification with each design change or as warranted.
- Development Phase – verify and validate all security controls identified in the design phase. Repeat throughout as changes are made or as warranted.
- Implementation Phase – final verification of existing controls and the appropriate levels of risk mitigation.
Change Control
Change Control is the process that management uses to identify, document and authorize changes to an IT environment. It minimizes the likelihood of disruptions, unauthorized alterations and errors.
Michigan Tech is currently in the process of developing a University-wide Change Management process, which will include the following elements:
- Change Request Initiation and Control
- Impact Assessment
- Control and Documentation of Changes
- Documentation and Procedures
- Authorized Maintenance
- Testing and User Sign-off
- Testing Environments
- Version Control
- Emergency Changes
- Distribution of Software
- Hardware and Systems Software Changes