6.17 SYSTEM REQUIREMENTS ANALYSIS AND SPECIFICATION
Effective: August 15, 2024
Purpose: Emporia State University is committed to maintaining the confidentiality, integrity, and availability of the information assets it owns or controls. To assist in this effort, policies, standards, and guidelines will be developed and promulgated throughout the ESU community.
Retrofitting a process or system to meet University-adopted policies is an expensive endeavor. This policy sets out to ensure that information security is considered early in the development cycle for all new business processes.
Scope: This policy applies to all information systems and software created by or used within ESU.
Responsible Office: Information Technology
Policy Statement: The project manager is responsible for engaging the Information Security Officer (ISO) during the requirements phase of the project.
Appropriate Information Technology (IT) staff will be assigned to consult on all projects, to ensure that the appropriate controls and audit trails or activity logs are active, and to perform the appropriate risk assessments.
The ISO or designee will document the security assessment and specifications as part of the project using the Security Specifications Procedures.
The ISO is responsible for monitoring and reporting compliance with this policy. In all cases, information will be disclosed as required by controlling law.
Information Security
It is the policy of ESU to include information security in all aspects of acquisition for new information systems and software applications. Any modification to or removal of software and information systems must include an assessment from information security. Solutions being considered for a change in hosting platform (e.g., on-premises versus cloud-based) will be fully assessed before the change is made. Therefore:
- Security specifications must be identified at the requirements phase of all projects and justified, agreed upon, and documented as part of the overall business case for the project;
- Appropriate controls and audit trails or activity logs must be designed into new applications, including both commercial-off-the-shelf and in-house-developed applications; and
- Each approved IT solution will be reassessed at least biennially, based on the date the solution was originally approved.
Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.
Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of Information Technology.
[Information Technology procedures - coming soon]
Related Policy Information: [coming soon]