University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Software Development

UPPM 87.65

For more information contact:
Information Technology Services

1.0 Overview and Purpose
- 1.1 Information Assurance Policies Generally
- 1.2 Specific Policy Overview and Purpose
2.0 Applicability
3.0 Roles and Responsibilities
4.0 Requirements
5.0 Training

1.0 Overview and Purpose

1.1 Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners

The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:

Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
Dictate which security controls are mandatory based upon the categorization level;
Define the strength, frequency, and formalization of those controls; and
Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2 Specific Policy Overview and Purpose

All WSU software applications must be procured, designed, developed, used, and maintained in a manner that protects institutional data, systems, and user privacy. This policy establishes requirements to ensure that information security and user privacy considerations are integrated within the entire software development lifecycle.

2.0 Applicability

This policy applies to all individuals, organizations, businesses, and groups, internal and external to WSU, that develop, maintain, and/or monitor software applications used for WSU business. This policy also applies to procurement of all WSU software applications.

This policy also applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0 Roles and Responsibilities

3.1 Chief Information Officer

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2 Information System Owners

WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.

3.3 Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).

Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.

4.0 Requirements

4.1 General Requirements

Information System Owners, or their delegates, must maintain a Software Development Life Cycle (SDLC) for WSU developed applications.

During mission and business process planning, WSU Information Owners, or their delegates, must determine the high-level information security and privacy requirements for software applications.

The resources required to protect the application are to be included as part of the capital planning and investment control process.
A separate line item for information security and privacy is to be included in programming and budgeting documentation.

Information System Owners, or their delegates, must approve the use of all software applications in their Area of responsibility in accordance with UPPM 87.32.

WSU must acquire, develop, and manage software applications by employing a software development life cycle that integrates considerations for information security and privacy.

Information security and privacy roles and responsibilities are to be defined and documented throughout the SDLC.

Individuals having information security and privacy responsibilities are to be identified.
SDLC activities are to be integrated into the WSU information security and privacy risk management process.

Only applications currently supported by their developers are to be utilized in accordance with UPPM 87.32.

Internal developers that provide application development services for the university must include security and privacy requirements, descriptions, and criteria, explicitly or by reference with interconnection agreements.

Administrator documentation is to be obtained or developed for WSU applications. The documentation must describe:

Secure configuration, installation, and operation of the application;

Effective use and maintenance of security and privacy functions and mechanisms; and
Known vulnerabilities regarding configuration and use of administrative or privileged functions.

User documentation is to be obtained or developed for WSU applications. The documentation must describe:

User-accessible security and privacy functions and mechanisms and how to effectively use them;

Methods for user interaction, which enable individuals to use the application in a secure manner; and
User responsibilities in maintaining security.

Systems security and privacy engineering principles are to be applied during design, development, implementation, and modification of the system.

A flaw remediation process is to be implemented to correct identified flaws in accordance with UPPM 87.40.

When an Information System Owner, or their delegate, determines that the need for a business application is no longer necessary then the application and all associated systems are to be decommissioned in accordance with UPPM 87.72.

4.2 Moderate- and High-Impact Systems

In addition to the above, the following requirements apply to moderate- and high-impact systems.

For moderate- and high-impact applications, WSU application developers must provide a description of the functional properties of security and privacy controls to be implemented.

For moderate- and high-impact applications, WSU application developers must provide design and implementation information for the security and privacy controls of the system.

For moderate- and high-impact applications, WSU application developers must identify the functions, ports, protocols, and services early in the software development life cycle.

Moderate- and high-impact applications are to be maintained in accordance with UPPM 87.30.

Moderate- and high-impact application developers must develop and implement a plan for ongoing security and privacy assessments.

The assessment results must include evidence of execution.

Moderate- and high-impact application developers must follow a documented development process that identifies the standards and tools used in the development process.

Changes to development tools are to be maintained in accordance with UPPM 87.30.
The development process, standards, tools, tool options, and tool configurations are to be reviewed regularly to determine if tool configurations selected and employed still satisfy security and privacy requirements.

Developers for moderate- and high- impact applications are to perform a criticality analysis at key decision points in the SDLC. The breadth and depth of criticality analysis is to be defined and maintained with the application documentation.

4.3 High-Impact Systems

In addition to the above, the following requirements apply to high-impact systems.

High-impact application developers must deliver the application with the security configuration implemented. The configuration is to be used as the default for any subsequent reinstallation or upgrade.

5.0 Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

_______________________
Revisions: Feb. 2026 (Rev. 651 – NEW).