Rockhurst University Secure Development Practices Policy

Purpose

The purpose of this Secure Development Practices Policy is to establish guidelines and best practices for the development of internally developed applications and processes at Rockhurst University. This policy aims to ensure the security, privacy, and integrity of information assets by implementing industry-standard security measures throughout the development lifecycle.

Policy Statement

Rockhurst University is committed to incorporating secure development practices into all internally developed applications and processes. This policy applies to all developers, system administrators, and personnel involved in the development and maintenance of these applications and processes.

Secure Development Lifecycle

Rockhurst University will adopt a secure development lifecycle approach, integrating security into all phases of application and process development. The following practices should be followed:

3.1. Requirements Phase:

  • Conduct thorough threat modeling exercises to identify potential security threats and vulnerabilities.
  • Define security requirements and incorporate them into the project's functional requirements.

3.2. Design Phase:

  • Apply secure design and coding guidance, such as the OWASP Top 10, SANS guidelines, and the CWE catalog of common weaknesses.
  • Implement appropriate security controls and countermeasures based on the identified threats.
  • Design secure authentication and authorization mechanisms.
  • Ensure secure communication channels and data protection mechanisms.

3.3. Development Phase:

  • Follow secure coding practices and guidelines.
  • Validate all input against an allow-list, use parameterized queries rather than string-built SQL, apply context-aware output encoding, and never pass untrusted data to a shell interpreter, in order to prevent common vulnerabilities such as SQL injection, cross-site scripting (XSS), and command injection.
  • Regularly update and patch software components and libraries to address known vulnerabilities.
  • Use secure APIs and libraries that have undergone security testing and validation.
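
The following is an added illustration of the Development Phase controls above; it is not part of the Rockhurst policy or any university code base. It places three vulnerable patterns (string-built SQL, unencoded HTML output, and a shell command string) beside their hardened counterparts (parameter binding plus allow-list validation, HTML output encoding, and an argument list passed without a shell). It uses only the Python standard library; the in-memory SQLite `users` table, the hostile sample inputs, and the use of the Python interpreter as a stand-in for a real network tool are all constructed for the demonstration.

```python
"""Injection defenses for the development phase: vulnerable and hardened forms.

Added example, not part of the Rockhurst policy or any university code base.
Standard library only; the in-memory SQLite database, the ``users`` table and
all sample inputs below are constructed for this demonstration.
"""
import html
import re
import sqlite3
import subprocess
import sys

# Constructed hostile inputs of the kind a user could submit through a web form.
HOSTILE_USERNAME = "alice' OR '1'='1"          # SQL injection attempt
HOSTILE_COMMENT = "<script>alert(1)</script>"  # stored XSS attempt
HOSTILE_HOST = "example.com; id"               # command injection attempt

# Allow-list validation: accept only what the field legitimately needs.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def is_valid_hostname(value: str) -> bool:
    return HOSTNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample table; a real application would use its own schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "student"), ("bob", "staff"), ("carol", "admin")])
    return conn


# --- SQL injection -----------------------------------------------------------
def lookup_vulnerable(conn, username):
    # VULNERABLE: the input is spliced into the SQL text, so quotes and
    # operators in it become part of the statement.
    query = f"SELECT name FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # HARDENED: parameter binding keeps the value out of the SQL parser;
    # allow-list validation on top of that rejects input the field never needs.
    if not is_valid_username(username):
        return []
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


# --- Cross-site scripting ----------------------------------------------------
def render_comment_vulnerable(text):
    # VULNERABLE: raw text placed in HTML; a <script> tag runs in the browser.
    return f"<p>{text}</p>"


def render_comment_safe(text):
    # HARDENED: output encoding for the HTML text-node context.
    return f"<p>{html.escape(text, quote=True)}</p>"


# --- Command injection -------------------------------------------------------
def build_shell_command_vulnerable(host):
    # VULNERABLE: a shell string; ';' in the input starts a second command.
    return f"ping -c 1 {host}"


def run_lookup_safe(host):
    # HARDENED: validate the host, then pass an argv list (shell=False) so the
    # value is one literal argument. The Python interpreter stands in for the
    # real network tool here so the example runs offline.
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", host]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", lookup_vulnerable(db, HOSTILE_USERNAME))
    print("safe lookup:      ", lookup_safe(db, HOSTILE_USERNAME))
    print(render_comment_vulnerable(HOSTILE_COMMENT))
    print(render_comment_safe(HOSTILE_COMMENT))
    print(build_shell_command_vulnerable(HOSTILE_HOST))
    print(is_valid_hostname(HOSTILE_HOST), run_lookup_safe("example.com"))
```

Running the script shows the vulnerable lookup returning every user for the hostile username while the parameterized version returns none, the encoded comment rendering as inert text, and the hostile hostname being rejected before any process is started. The point a reviewer should carry into code review is that validation and encoding are complementary: the parameter binding and the argv list are what actually stop the injection, and the allow-list is the defense-in-depth layer that fails closed when the input is not what the field was designed for.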

3.4. Testing Phase:

  • Conduct comprehensive security testing, including penetration testing, code reviews, and vulnerability scanning.
  • Implement fuzz testing, security unit testing, and security regression testing.
  • Address identified vulnerabilities and conduct retesting before deployment.


3.5. Deployment Phase:

  • Ensure secure deployment practices, including hardening the underlying infrastructure, secure configuration settings, and secure storage of credentials and sensitive data.
  • Protect data in transit with TLS (HTTPS for web applications), using current protocol versions and cipher configurations.
  • Regularly update and patch deployed applications and systems.

3.6. Maintenance and Monitoring Phase:

  • Continuously monitor and log security-relevant events.
  • Regularly review logs and implement security incident response procedures.
  • Perform periodic security assessments and audits.
  • Keep up-to-date with security best practices, emerging threats, and industry developments.

Security Training and Awareness

Rockhurst University will provide regular security training and awareness programs to developers, system administrators, and other personnel involved in the development process. Training should cover secure coding practices, secure development methodologies, and the importance of following security policies and procedures.

Compliance with Regulations

Rockhurst University will ensure compliance with relevant security and privacy regulations, including but not limited to the General Data Protection Regulation (GDPR), Family Educational Rights and Privacy Act (FERPA), and Payment Card Industry Data Security Standard (PCI DSS). Compliance should be integrated into the development process.

Policy Compliance and Enforcement

Failure to comply with this policy may result in disciplinary action, including but not limited to verbal or written warnings, suspension, termination, or legal action, as deemed appropriate.

Policy Review

This Secure Development Practices Policy will be reviewed and updated periodically to ensure its effectiveness and alignment with industry best practices and regulatory requirements.

By adhering to this Secure Development Practices Policy, Rockhurst University aims to mitigate security risks, protect sensitive data, and ensure the development of secure and reliable applications and processes.