{"id":69480,"date":"2026-02-02T14:23:29","date_gmt":"2026-02-02T22:23:29","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=69480"},"modified":"2026-02-20T16:23:45","modified_gmt":"2026-02-21T00:23:45","slug":"bppm-87-32","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-32\/","title":{"rendered":"87.32 Business Applications Security"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Business Applications Security<\/strong><\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.32<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br \/>\u00a0 \u00a0<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr \/>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 \u00a0\u00a0 Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 \u00a0\u00a0 Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 \u00a0\u00a0 Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 \u00a0\u00a0 Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 \u00a0\u00a0 Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 \u00a0\u00a0 Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 \u00a0\u00a0 Information Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 \u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 \u00a0\u00a0 Requirements<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Four_1\">4.1 \u00a0\u00a0 General 
Requirements<\/a><\/li>\n<li><a href=\"#Four_2\">4.2 \u00a0\u00a0 Moderate- and High-Impact Applications<\/a><\/li>\n<li><a href=\"#Four_3\">4.3 \u00a0\u00a0 High-Impact Applications<\/a><\/li>\n<li><a href=\"#Four_4\">4.4 \u00a0\u00a0 External Providers<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 \u00a0\u00a0 Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0\u00a0\u00a0\u00a0\u00a0 Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1\u00a0\u00a0\u00a0\u00a0\u00a0 Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. 
To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2\u00a0\u00a0\u00a0\u00a0\u00a0 Specific Policy Overview and Purpose<\/h4>\n<p>Establishing comprehensive security and privacy requirements for business applications used by WSU protects WSU\u2019s critical administrative, research, and academic systems. This policy ensures controlled access, secure development, proper data handling, and technical safeguards. Additionally, this policy mandates proper documentation, role accountability, vendor compliance, and user training to protect institutional data and maintain system integrity.<\/p>\n<h3 id=\"Two_0\">2.0\u00a0\u00a0\u00a0\u00a0 Applicability<\/h3>\n<p>This policy applies to all individuals, organizations, businesses, and groups, internal and external to WSU, that develop, maintain, and\/or monitor business applications used for WSU business. 
This policy also applies to procurement of all WSU business applications.<\/p>\n<p>This policy also applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a> for policy exception management and processes.<\/p>\n<h3 id=\"Three_0\">3.0\u00a0\u00a0\u00a0 Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1\u00a0\u00a0\u00a0\u00a0\u00a0 Chief Information Officer<\/h4>\n<p>The Chief Information Officer of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2\u00a0\u00a0\u00a0\u00a0 Information System Owners<\/h4>\n<p>WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.<\/p>\n<h4 id=\"Three_3\">3.3\u00a0\u00a0\u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/business-application-and-security-standard.pdf\">standard (PDF)<\/a> associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/business-application-security-procedure.pdf\">see examples (PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0\u00a0\u00a0 Requirements<\/h3>\n<h4 id=\"Four_1\">4.1\u00a0\u00a0\u00a0\u00a0 General Requirements<\/h4>\n<p>WSU business 
applications are to be developed and maintained in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">87.30<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-65\/\">87.65<\/a>.<\/p>\n<p>Information security and privacy requirements for business applications are to be allocated during mission and business process planning. The resources required to protect the application must be documented and include funding for sustainment.<\/p>\n<p>Individuals having information security and privacy roles must be identified with their responsibilities defined and documented.<\/p>\n<p>WSU business applications may only store data necessary to support WSU business objectives. Information Owners, or their delegates, must approve the storage of any WSU institutional information in a business application. Once the data is no longer necessary for the application&#8217;s use, it must be removed according to <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.<\/p>\n<p>During development or acquisition, the contract or agreement language must include security and privacy requirements, descriptions, and criteria.<\/p>\n<p>WSU business applications are to be acquired, developed, and managed using system development life cycle (SDLC) processes. 
The information security and privacy risk management process must be integrated into SDLC activities.<\/p>\n<p>Developers must use security and privacy engineering concepts and principles to design, develop, and implement WSU business applications.<\/p>\n<p>Developers of WSU business applications must develop and implement a plan for ongoing security and privacy assessments to ensure required controls are implemented correctly and operating as intended. Assessment results and flaw remediation are to be included in the assessment.<\/p>\n<p>WSU business applications are to be configured to provide event logging in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-50\/\">UPPM 87.50<\/a>.<\/p>\n<p>Access to WSU business applications must be approved by the WSU Information System Owner, or their delegate, and include the business purpose for the access in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-03\/\">87.03<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-05\/\">87.05<\/a>.<\/p>\n<p>User and administrator system documentation is to be obtained or developed to support the implementation and operation of controls. 
Documentation is to be distributed to personnel or roles as needed.<\/p>\n<p>Vulnerability scans are to be performed on WSU business applications in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.<\/p>\n<p>Unsupported system components and business applications are to be replaced, within a defined period, when support for software patches, firmware updates, replacement parts, and\/or maintenance is no longer available.<\/p>\n<p>Once an application&#8217;s data owner, or their delegate, has determined that the application is no longer necessary to meet WSU&#8217;s business goals, it must be decommissioned in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.<\/p>\n<h4 id=\"Four_2\">4.2\u00a0\u00a0\u00a0\u00a0 Moderate- and High-Impact Applications<\/h4>\n<p>In addition to the above, the following requirements apply to all moderate- and high-impact business applications.<\/p>\n<p>Developers of moderate- and high-impact business applications must describe the functional properties, design, and implementation information for applied controls. The functions, ports, protocols, and services are to be identified when technically feasible.<\/p>\n<p>Moderate- and high-impact business applications must encrypt data at rest and in transit in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-33\/\">UPPM 87.33<\/a>.<\/p>\n<p>Developers of moderate- and high-impact business applications must document and control changes. 
Configuration management must involve implementing only approved changes, documenting changes to the system, and tracking security flaws and flaw resolution.<\/p>\n<p>Developers of moderate- and high-impact business applications must follow a documented development process that explicitly addresses security and privacy requirements and identifies the standards and tools used in the development process. A criticality analysis is to be performed at key decision points in the system development life cycle.<\/p>\n<p>Developers of moderate- and high-impact business applications must provide key stakeholders training on the correct use and operation of the implemented security and privacy functions, controls, and mechanisms.<\/p>\n<p>Moderate- and high-impact business applications must require additional access authorizations and personnel screening for developers.<\/p>\n<h4 id=\"Four_3\">4.3\u00a0\u00a0\u00a0\u00a0 High-Impact Applications<\/h4>\n<p>In addition to the above, the following requirements apply to all high-impact business applications.<\/p>\n<p>Developers of high-impact business applications must produce a design specification and security and privacy architecture that is consistent with the WSU enterprise architecture.<\/p>\n<h4 id=\"Four_4\">4.4\u00a0\u00a0\u00a0\u00a0 External Providers<\/h4>\n<p>External providers of WSU business applications must comply with all WSU security and privacy requirements. 
Information System Owners are required to create processes to monitor external service provider compliance on an ongoing basis.\u00a0<\/p>\n<p>External providers of moderate- and high-impact business applications must identify the functions, ports, protocols, and other services required to use the application.\u00a0\u00a0<\/p>\n<h3 id=\"Five_0\">5.0\u00a0\u00a0\u00a0 Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<p style=\"font-size: .8rem\">_______________________<br \/><strong>Revisions:<\/strong> Feb. 2026 (Rev. 
<a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-651\/\">651<\/a> &#8211; NEW).<\/p>\n\n<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) Business Applications Security<\/p>\n","protected":false},"author":49281,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69480"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/49281"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=69480"}],"version-history":[{"count":9,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69480\/revisions"}],"predecessor-version":[{"id":69988,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69480\/revisions\/69988"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=69480"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=69480"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=69480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}