PURPOSE
Sam Houston State University wants to protect the privacy of individuals by preserving the confidentiality of information processed by websites or applications.
This document establishes specific minimum requirements for information that must be supplied to the Sam Houston State University Information Security Officer. (See Texas Government Code Title 10, Subtitle B, Chapter 2054, Subchapter A, Section 517.)
SCOPE
The Data Security for Online and Mobile Applications policy applies to all online and mobile applications that process confidential information for Sam Houston State University.
POLICY STATEMENT
- The developer of an online or mobile application that processes confidential information for Sam Houston State University must submit the following information to the Information Security Officer:
  - The architecture of the website or application;
  - The authentication mechanism for the website or application; and
  - The administrator level access to data included in the website or application.
- If the developer of the application is a cloud or software-as-a-service (SaaS) vendor, additional questions provided by the Sam Houston State University Information Security Office concerning security controls of the vendor’s website or application must be answered and submitted to the Information Security Officer.
- Before deploying an Internet website or mobile application that processes confidential information, Sam Houston State University must subject the website or application to a vulnerability and penetration test conducted internally or by an independent third party. The results of this test must be submitted to the Information Security Officer.
RELATED POLICIES, REFERENCES AND ATTACHMENTS
An index of approved IT@Sam policies can be found on the SHSU Information Technology Services Policies website at http://intranet.shsu.edu/intranet/policies/information_technology_policies/index.html. Reference materials, legal compliance guidelines, and policy enforcement are available in the IT-00 Policy Compliance Document. The SHSU Information Security Program and SHSU Information Security User Guide are also available on the Information Technology Services Policies website.
Version: 1.0
Approved By: President’s Cabinet, February 18, 2019
Reviewed By: Mark C. Adams, Vice President for Information Technology, February 18, 2019
Next Review: February 2022