Computing and Information Services
Network Group

Texas A&M University
Computer Security Policy

December 9, 1994

Appendix L - Computer Application Development Controls.

All computer applications development staff are required to adhere to the following security guidelines. Responsibility for compliance is given in parentheses for each item:

  • Systems and programs must perform only the functions requested and may not cross over into other systems except as specified in the approved specifications.
    (Managers, Analysts, and Programmers)

  • System development resources such as terminals, microcomputers, and development software will only be used for approved projects.
    (Managers, Analysts, and Programmers)

  • Change logs will be maintained and will include information for each change that identifies: requester, action taken, by whom, date, and approval authority.
    (Managers, Analysts, and Programmers)

  • Modifications must be approved by the development management and management of the organization that "owns" the application system.
    (Managers, Analysts, and Programmers)

  • Unauthorized changes to production systems are not allowed and are considered violations of the Texas A&M University Computer Security Policy and computer security laws.
    (Managers, Analysts, and Programmers)

  • Procedures are required which include adequate testing prior to implementation, security against modification of production data, and controlled access to data, production libraries, and program libraries.
    (Managers, Analysts, and Programmers)

  • Managers will convene system review, inspection, and walk-through meetings on a periodic basis in order to ensure adherence to these controls and to ensure the general state of computer security.

  • Managers will solicit and/or provide effective security training for all staff engaged in application development.

  • Security procedures, work practices, programming methods, standards, production libraries, and overall data security will be subject to review by the Computer Security Officer and Internal Auditors of Texas A&M University and the Texas A&M University System.

  • Programs that update production databases should be run only by the Production Control staff and not by programmers.
    (Managers, Analysts, and Programmers)

  • Production Control staff should only have read-only access to production program libraries and should not have access to program source code libraries.
    (Managers, Analysts, and Programmers)

  • Movement of programs into production program and source code libraries must be approved by appointed application administrators.
    (Managers, Analysts, and Programmers)

  • All change requests and problem reports must be in written form and have the approval of authorized customer representatives.
    (Managers, Analysts, and Programmers)

  • All new database structures and changes to existing database structures must be approved by the Database System Administrator before the modified structures are put into production.

  • Managers will ensure that reviews are conducted on all new programs and changes to existing programs before the programs are moved into production libraries. Any exceptions must be reviewed and documented in a timely manner.