Procedure: University of Minnesota Duluth
The purpose of these procedures is to describe special requirements for application management that apply on the UMD campus. The focus of these guidelines is larger applications that may store private University data, research data, or serve large numbers of internal customers. It does not apply to standard desktop software, such as Word, Excel, Google Apps, or Dreamweaver. In general we are looking for applications that run on servers, not on desktops. It also does not apply to small apps running on tablets or smart phones.
All application administrators must comply with the University of Minnesota Security Policies and Information Security Standards. UMD Information Technology Systems and Services (ITSS) will provide oversight and assistance for the entire campus.
In the event that it is impossible for some policy or standard to be implemented, the application administrator must request a risk assessment from University Information Security, who will document the exception. ITSS will ensure that such a risk assessment is completed and will monitor for compliance.
Data Security Classification
The first thing an application administrator must do is to review the types of data stored on each application administrated.
Procedures for managing applications will vary depending upon the classification of the data stored on the server. Application administrators must review the Policy on Data Security Classification as well as the accompanying Appendix on Identifying Security Level.
Applications that store private highly-restricted data must be given extra security, and application administrators of such systems must work closely with ITSS to ensure this. Special requirements for such applications are spelled out in the sections below.
Application administrators must ensure that their systems comply with the Account Provisioning Standard. ITSS will provide an account provisioning procedure that application administrators outside of ITSS are welcome to use. Applications that store private highly-restricted data must use the ITSS procedures.
Application Registration, Inventory, and Deregistration
UMD ITSS is responsible for maintaining a list of all campus applications, whether administered by ITSS or not. In order to facilitate the maintenance of this list, all application administrators must register their applications with ITSS. ITSS will do an annual survey to ask for application information.
For applications not reported in the annual survey, please email the ITSS enterprise team ([email protected]) to provide registration information. Similarly, send email when you retire an application.
Awareness, Education, and Training
Application owners must ensure that the administrators and users of their systems comply with the Information Security Standard on Awareness, Education, and Training Standard. Owners of applications that store private highly-restricted data must partner with ITSS to ensure compliance
All applications must comply with the Authentication Standard outlined in Basic Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.
Data and applications must be backed up according to the Backups section of Enhanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices. An Information Security Standard on backups is in development.
ITSS will provide backup at no charge for servers that we manage. Administrators who manage their own applications and servers may contract with ITSS for backup services on a billable basis. Administrators of applications that store private highly-restricted data must partner with ITSS to ensure compliance.
Applications must comply with the Change Control for Software Development and System Implementation section of Enhanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.
ITSS has developed a set of change processes and a UMD Change Approval Board, in which application administrators outside ITSS are welcome to participate. Administrators for applications that store private highly-restricted data must participate in the UMD Change Approval Board processes.
Applications must reside on a server that meets the Procedures for UMD Server Management. Cloud applications must be reviewed and approved by UM Purchasing and the Office of General Counsel.
Consult the Guidelines for Purchasing Software before beginning the purchase process. Purchasing software is often more complex than many people realize.
Technical Vulnerability Management Standard for IT Professionals
Application administrators must comply with the Technical Vulnerability Management Standard for IT Professionals. Administrators of applications that store private highly-restricted data must partner with ITSS to ensure compliance.
- Effective: May 2014