System and Application Security Policy

Title: System and Application Security Policy 
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to: All students, faculty, and staff  
Campus Applicability: All campuses except UConn Health 
Approval Date: August 30, 2023
Effective Date: August 31, 2023
For More Information, Contact: UConn Information Security Office 
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu/

PURPOSE 

To ensure the security of university data and systems by establishing requirements for the proper maintenance and oversight of systems and applications used by university constituents.

APPLIES TO 

This policy applies to all individuals responsible for operating or overseeing any University system or application, whether on premise or in the cloud.

DEFINITIONS  

Academic / Research System: A system whose primary responsibility relates to individual academic work or research

Administrative System: Any system that is used in support of the operation of the university excluding individual Academic / Research Systems.

Client Network: A client network is a computer network where individual machines are connected. Client networks consume services and do not offer services to the general population

ITS: Information Technology Services

IT Professional: An individual (staff) who is trained and skilled in using technology to solve business problems coupled with assigned job duties in support of technology at the university. This must be a defined responsibility within the position job description and may not fall under “other duties as assigned.” Appropriate training, support, and budget must also be available in support of the IT Professional role.

Local Network: The local network is those computers logically located in the same subnet

SaaS: Cloud-based service that is delivered via the web based on either a monthly or annual subscription

PaaS:  Cloud-based service that provides a platform allowing for the development of software using an established framework to improve development time and management of cloud services

PII (Personally Identifiable Information):  Information that either singularly or in conjunction with other data elements could reasonably lead to the identification of specific individuals

Public Availability: Services offered publicly include services offered outside of the local network

Regulated Data: Any data that has regulations around its protection prescribed either by law or contract is automatically considered administrative data. Examples include: Personally Identifiable Information (PII), Payment Card Information (PCI), Personal Health Information (PHI) and FERPA (Family Educational Rights and Privacy Act)

System Owner: The individual who is responsible for the planning and operation of the service. All systems must have a designated system owner.

POLICY STATEMENT  

The proper management, maintenance and support of systems and applications is critical to protecting the data they store or process from a confidentiality, integrity, and availability perspective.

Basic Requirements (all systems including academic, administrative and research)

System Ownership

All systems including cloud-based systems supporting any aspect of the University must have an identified owner and responsible party for ensuring the controls specified in this policy.

All software and services used to process University information are subject to an Information Security review and sign off prior to their purchase or development. Information Security reviews will evaluate specific risks and controls available and necessary based on the information being processed. The system owner will be responsible for the deployment of the agreed upon security controls prior to enabling the production capability of the system or application.

System Access

Access to information in the possession of or under the control of the University must be provided on a need-to-know basis. Information must be disclosed only to individuals who have a legitimate and approved need for the information. For most applications, this requires the use of proper authentication methodologies and the use of Single Sign On (SSO) is encouraged.

Information may only be used for its intended purpose, and other uses of university information without the approval of the data owner is prohibited.

Patching and Maintenance

All system owners must ensure the timely implementation of operating systems and application patches to provide for the confidentiality, integrity, and availability of the systems or data. The ongoing maintenance of applications and the application of software updates is an activity that must be minimally scheduled on a quarterly basis.

System and Application Lifecycle Management

System owners are responsible for the planning of and budgeting for system maintenance and obsolescence. Any system or application that is no longer supported by the vendor or is replaced by newer technology should be decommissioned as soon as possible.  The decommissioning process must include the proper retirement of any physical hardware or virtual images and the proper destruction of any media (e.g., hard drives, tapes, etc.) that may have data. Cloud services that are decommissioned should ensure the proper handling of any data (return and/or destruction) in the cloud vendor’s possession as part of the contract cancellation.

Cloud based systems

Software as a Service / Platform as a Service

While patching and maintenance of Cloud-based SaaS and PaaS systems is typically handled by the vendor, identified individuals are responsible for proper security configurations and user management associated with providing the service. A Vendor Risk Management review is necessary for all newly procured services.

Infrastructure as a Service (IASS)

IAAS provides a significant amount of flexibility in the configuration and use of the platform. This requires additional expertise that requires management by an IT Professional and where applicable must meet the same requirements as Administrative Systems.

Administrative Systems

System and Application Security

Administrative systems due to their complexity must be managed by an IT Professional.

Administrative systems will be required to adhere to all regulatory requirements and meet security controls / standards as set forth by the Information Security Office based on institutional requirements.

Encryption

All systems housing administrative data are expected to have data encrypted in transit and at rest to protect data. Where available, encryption keys should reside outside of the application.

User Management

University of Connecticut Information Technology Services (ITS) provides centralized user identity and access management that supports identity validation and access management (IAM) using a NetID and password providing for single sign on (SSO) across multiple systems. Systems and applications that rely on the University IAM platform for authenticating individual access rights can forgo the need for user management outside that of assigning any roles within the system or application, as necessary. The use of SSO for all systems is highly recommended.

Systems and applications that do not use the central IAM solution must have a written plan and designated individual responsible for the creation, modification, and deletion of user IDs. User IDs, including student accounts, must be reviewed when faculty, staff, or students separate from the University at least annually. This includes a process for ensuring the secure creation of passwords and a secure password reset process for validating an individual’s identity prior to resetting the password.

Systems where individuals have access to a significant amount of the PII of other constituents, including but not limited to students, faculty, staff, alumni, and vendors, or significant amounts of regulated data require two-factor authentication wherever possible.

Software Maintenance

Only necessary software should be loaded on systems, and old versions of software removed. The use of web browsers and other individual productivity tools should be limited to the management of the system only.

Auditing of Systems and Application Logs

System and application logs must be reviewed for inappropriate access on a regular basis (at least monthly) or via automated systems capable of detecting misuse through the analysis of frequent password failures, geographic anomalies, or inappropriate access attempts. ITS maintains a centralized logging and reporting platform, which can assist in the analysis of large amounts of data often associated with system and application logs. All administrative systems must log to the centralized logging and reporting platform events related to login activity and security event data.

Mandatory Reporting

All suspected policy violations, system intrusions, and other conditions that might jeopardize University information or information systems must be immediately reported to the Information Security Office.

ENFORCEMENT 

Systems and applications that do not follow the standards set forth in this policy may be administratively shut down or have access restricted. Systems maintained at the departmental or individual level may incur costs in association with enabling the proper protections or in the event of data exposure.

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct, applicable collective bargaining agreements, and the Student Code.

PROCEDURES/FORMS 

Questions about this policy or suspected violations may be reported to any of the following: 

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) or UConn Reportline (1-888-685-2637)

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

Information Security Office – https://security.uconn.edu 

POLICY HISTORY 

Policy created: August 30, 2021 (Approved by President’s Senior Team)

Revisions: August 30, 2023 (Approved by the Senior Policy Council and the President)