| Title: | Secure Web Application Development, Information Technology |
|---|---|
| Policy Owner: | Information Security Office |
| Applies to: | Students, Employees, Users |
| Campus Applicability: | Storrs and Regionals |
| Effective Date: | May 16, 2012 |
| For More Information, Contact: | Chief Information Security Officer |
| Contact Information: | (860) 486-8255 |
This policy is available in the Information Security Policy Manual.
Departments will ensure that development, test, and production environments are separated. Confidential Data must not be used in the development or test environments.
Production application code shall not be modified directly without following an emergency protocol that is developed by the department, approved by the Data Steward, and includes post-emergency testing procedures.
Web servers that host multiple sites may not contain Confidential Data.
All test data and accounts shall be removed prior to systems becoming active in production.
The use of industry-standard encryption for data in transit is required for applications that process, store, or transmit Confidential Data.
Authentication must always be done over encrypted connections. University enterprise Central Authentication Service (CAS), Shibboleth, or Active Directory services must perform authentication for all applications that process, store, or transmit Confidential or Protected Data.
Web application and transaction logging for applications that process, store, or transmit Confidential Data or Regulated Data must submit system-generated logs to the Information Security Office’s central logging system.
Departments implementing applications must retain records of security testing performed in accordance with this policy.
Policy Created: May 16, 2012