Policy Redesign Project

All policies and procedures are being reviewed as part of this project. This document is pending review, but remains in effect until the review is carried out.

IT Application Acquisition and Development Policy

Establishment: Vice-Chancellor, 5 December 2014
Last Amended: n/a
Nature of Amendment: n/a
Date Last Reviewed: n/a
Responsible Officer: Director, Information Technology Services

1.  Objectives

Flinders University (the University) requires business application software (IT Applications) to enable its teaching, learning and administration processes. The objective of this policy is to define the conditions for the acquisition, development, implementation and maintenance of new IT Applications by the University.

IT Applications store and process a significant amount of the University’s critical and confidential information. It is imperative that IT Applications are appropriately acquired or developed to ensure the minimum security requirements and procurement processes are followed to prevent duplication of purchasing and ensure supportability.

This policy is written to be consistent with the Information Security Standards AS/NZS ISO/IEC 27001:2006 and AS/NZS ISO/IEC 27002:2006.

2.  Scope

This policy is applicable to all IT Applications purchased with University funds and used to support administrative, teaching and learning functions of the University. This specifically includes:

  • All IT Applications hosted on University IT System Assets; and
  • All IT Applications hosted by third-party providers contracted by the University including those under cloud or outsourced arrangements.

This policy does not apply to desktop applications or applications that are used by a small group of users in an experimental situation (e.g. to test new functionality). Refer to the IT Asset Management Policy for the specific requirements relating to the acquisition of desktop applications.

3.  Definitions

  • IT Applications includes all in-house developed, business, mobile, off-the-shelf, third-party and user developed applications within the scope as described above;
  • Mobile Applications (‘apps’) are applications designed specifically for use on mobile devices, typically purchased via an online application store;
  • IT System Assets includes information, the computer systems that support business and control functions, networks and communication links, business applications and programs, and all forms of electronic storage media;
  • FITS is the Flinders Information Technology Standards which outlines the ITS supported architecture(s) that must be considered at each stage of the technology life cycle, including system conception, development, implementation, extension, maintenance, replacement or retirement;
  • Key Application is an IT Application with key status (as defined in FITS) as formally endorsed by the Flinders University Enterprise Applications Reference Group (EARG);
  • Business Owner is the person who is responsible for the sponsorship and ongoing management of an IT Application in support of a specific University outcome, and is responsible for vetting application access requests;
  • IT Disaster Recovery is the supporting processes and procedures that enable recovery of an IT environment, including network and communication systems, in the event of a serious outage.

4.  Business Requirements

Business requirements must be defined and documented prior to the acquisition or development of any IT Application. The requirements must include, at a minimum, the following components:

  • The business problem(s) to be resolved by the implementation of the IT Application;
  • The key functionality to be implemented by the IT Application;
  • The information to be stored in the application, with its accompanying information classification rating;
  • Interfaces into existing University systems and/or other data sources;
  • The accessibility requirements of the application, defined to ensure that the application is usable by the widest possible audience (this is especially important for web applications that are accessible to the public). Such requirements must include, as a minimum, reference to the Australian Government Accessibility Standards, with which the University must comply;
  • The security and availability requirements of the IT Application; and
  • The Business Owner responsible for the sponsorship and ongoing management of the new IT Application.

5.  Business Case Justification

The decision to proceed with the acquisition or development of an IT Application must be based on the development of a formal business case and approval by a relevant authority.

The business case must include the following elements:

  • Business problem analysis;
  • Options analysis;
  • Cost/benefit analysis;
  • Risk analysis.

The Flinders University Enterprise Application Reference Group (FUEARG) is responsible for reviewing the business case for, and recommending to the Pro Vice-Chancellor (Information Services) the acquisition and/or development of IT Applications that have strategic significance to the University.

The acquisition and/or development of IT Applications deemed to be ‘strategic’ requires the formal approval of the PVC IS as recommended by the Flinders University Enterprise Applications Reference Group. Strategic IT Application acquisitions may include applications that will be used across the University, provide critical services to the University community or represent a large investment, as determined by the FUEARG. IT Applications that are not deemed strategic acquisitions are to be referred to the Director, ITS for formal approval. Cases for any exemptions to this policy must be made in writing to the Director, ITS, who may refer these matters to the PVC IS.

All Mobile Applications (or ‘apps’) branded with the Flinders University logo must be reviewed and approved by the Associate Director, Application Services prior to being submitted to any mobile application stores (such as iTunes and Google Play) and must be submitted using a centrally controlled Flinders University developer account.

6.  Implementation, Testing and Change Management

Implementation of new IT Applications, whether procured or developed, should adhere to the following requirements:

Implementation – General

  • All IT applications must comply with the Flinders IT Standards (DOCX 157KB), which outline the ITS supported architecture to be considered at each stage of the technology life cycle;
  • All contracts for work involving handling of University information and/or access must be reviewed and approved by ITS Security Services, in writing, prior to execution;
  • IT Applications should incorporate appropriate cryptographic controls in protecting sensitive University information;
  • All licenses shall be the property of the University unless otherwise stated in legal contracts;
  • Ownership of application code must be defined in legal contracts with third party developers to ensure the protection of the University’s interests and in most cases ownership should remain with the University;
  • Major changes or upgrades to IT Applications must be formally managed as a project;
  • All IT Applications handling, processing or storing University information must be housed only within secure data centres, approved by Information Technology Services.

Implementation – Software Acquisition

  • Acquired IT Applications should be fully licensed. No uncertified or unlicensed IT applications will be allowed in the production environment.

Implementation – Software Development

  • Internal software development must comply with all relevant IT security and software development policies, procedures and standards;
  • Outsourced IT Application development must also comply with FITS and should be appropriately supervised and monitored by the University;
  • Access to program source code must be restricted to technical development staff only.

Testing

  • All new IT Applications must undergo user and security testing prior to production release;
  • Any data that is used during the development and test phase of preparing IT Applications should be protected and controlled. If sensitive data is used, it must be handled in line with the applicable Information Classification Framework (PDF 326KB) guidelines and/or Service Level Agreements (SLAs). Where possible, sensitive data should not be used in testing environments;
  • All custom accounts, test user identifiers, and passwords shall be removed from the IT Application prior to installation into the University’s production environment.

Change Management

7.  Ongoing Support and Maintenance

After implementation, IT Applications should adhere to the following requirements for ongoing support and maintenance:

  • IT Applications supported by third parties must have a current, appropriate and documented maintenance and support agreement. No single points of dependency should exist in relation to the support of the IT Application and users must be appropriately trained in the use of the IT Application;
  • Third-party supplied IT Applications must be maintained at the level supported by the Application vendor. IT Application patches and hot fixes must be applied within 12 months of availability (provided there are no compatibility issues);
  • Timely information about technical vulnerabilities of IT Applications used by the University should be obtained, evaluated in terms of University exposure and risk, and appropriate countermeasures taken;
  • All IT Applications should undergo periodic security testing to identify potential security vulnerabilities.

Business Owners are required to:

  • Take reasonable steps to ensure that all data maintained by the IT Application is correct, compliant and up-to-date and meets the requirements of the IT Asset Management Policy;
  • Ensure that validation checks are in place to detect the corruption of information through processing errors and that training is available to users to enable their correct use of an IT Application;
  • Ensure that IT Application security controls and audit trails are designed and implemented based on a risk assessment to prevent application errors, loss and unauthorised modification or misuse of University information.

8.  Backup, Business Continuity and Disaster Recovery

All Key IT Applications must be compliant with the requirements of the IT Disaster Recovery Policy.

Availability requirements, backup schedules, system recovery targets and data retention periods must be documented and agreed between the Business Owner and Information Technology Services.

Business Continuity Plans, in relation to processes reliant on an IT Application, should exist for Organisational Units to follow in the event of extended IT Application unavailability. Business Continuity Plans should also align with the relevant IT Disaster Recovery Plans.

9.  Compliance and Enforcement

  • Manager, ITS Security Services is responsible for:
    • Ensuring the implementation of IT Application security controls to ensure the ongoing adherence to the requirements of this policy; and
    • Monitoring compliance with this policy and investigating and reporting breaches of this policy.
  • Associate Director, Applications Services is responsible for the development and maintenance of this policy and ensuring the ongoing adherence to the requirements.

10.  Related Documents

This policy should be read in conjunction with other University policies, including:

Flinders IT Standards (DOCX 157KB)

Information Security Policy

IT Disaster Recovery Policy

Information Classification Framework (PDF 326KB)

Change Management Charter