Policy for system acquisition, development and maintenance (A.14)

On this page you will find the current policy for information systems, which protects information throughout the system's lifecycle. 


Objective

The objective of Aarhus University's policies and rules for systems acquisition, development and maintenance is:

  • to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks
  • to ensure that information security is designed and implemented within the development lifecycle of information systems
  • to ensure the protection of data used for testing

Security requirements for information systems (A.14.1)

Information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. (A.14.1.1)

Information security must be included as an integral part of all acquisition and development projects.

The requisitioner must ensure that new acquisitions comply with existing requirements in the information security policy and other legislation, such as the Danish Public Procurement Act.

Acquisitions must not in any way impair Aarhus University's overall level of information security.

In connection with any new acquisition, the data must be classified and a risk assessment must be carried out. If the risk assessment so warrants, a business contingency plan (including technical contingency and recovery plans) must also be prepared.

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorised disclosure and modification. (A.14.1.2)

Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay. (A.14.1.3)

Encryption, signature and other safeguarding of information integrity, confidentiality and availability in application services must be applied in accordance with relevant risk assessments, as well as legislation and guidelines from relevant authorities such as the Danish Data Protection Agency.

In cases where AU offers applications and services for use in trade, these must at all times comply with relevant legislation and guidelines.

If systems and services offered by AU IT are used, the following are secured centrally:

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.  

If you have other needs based on your risk assessment, this must be ensured locally.

Security in development and support processes (A.14.2)

Rules for the development of software and systems shall be established and applied to development within the organization. (A.14.2.1)

Information security must always be included when considering the lifecycle of the information system, including in connection with the design, testing, upgrading and implementation of new IT systems as well as in connection with system changes.

University requirements for new as well as existing systems must include security requirements on the basis of a risk assessment.

IT equipment/devices must be purchased in accordance with current procurement agreements and/or procurement rules.

Changes to systems within their development lifecycle shall be controlled by the use of formal change control procedures. (A.14.2.2)

If the associated risk assessment so dictates, changes to the university's systems must be managed in accordance with formal procedures in connection with development throughout the lifetime of the system.

When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. (A.14.2.3)

AU IT operating platforms must follow the unit’s change management process to ensure the above. All other operating platforms must be secured by similar measures.

Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. (A.14.2.4)

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. (A.14.2.5)

Procurement, development/changes and implementation of systems at the university must be controlled in order to avoid an unnecessarily increased risk to information security. When solutions are implemented, security concerns must always be included as an integral part of the process.

Security concerns must be documented in connection with any significant acquisition of a new IT system or a significant IT system upgrade.

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. (A.14.2.6)

The organization shall supervise and monitor the activity of outsourced system development. (A.14.2.7)

Testing of security functionality shall be carried out during development. (A.14.2.8)

Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. (A.14.2.9)

Units that maintain development environments must establish procedures to ensure the above.

If systems and services offered by AU IT are used, the following are secured centrally:

  • Re. A.14.2.2 Procedures for managing system changes:
  • Re. A.14.2.3 Technical review of applications after changes to operating platforms:
    • Review follows the fixed change management process
  • Re. A.14.2.6 - 14.2.9 Development:

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.  


Furthermore, Procurement provides advice on the procurement, development and maintenance of systems.

  • Re. A.14.2.5 Principles for the development of secure systems:
    • The current guidelines are managed by Procurement, AU Finance

If you have other needs based on your risk assessment, this must be ensured locally.

Test data (A.14.3)

Test data shall be selected carefully, protected and controlled. (A.14.3.1)

Data for tests must be selected, controlled and protected carefully and in accordance with its classification.

The person responsible for the information must formally and beforehand approve any copying of data from the operating environment to a test environment.

Any copying and use of data from the operating environment for tests must be logged to ensure the audit trail.

Information security must be ensured in line with statutory and regulatory requirements across development and support processes as well as in the handling of test data.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.14.3.1 Securing test data:
    • Test data must be secured in accordance with their classification and approved by the data owner
    • AU IT offers test capacity (AU IT’s test policy – on test-confluence)

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.  

If you have other needs based on your risk assessment, this must be ensured locally.

QUESTION GUIDE

Consider the question guide as a tool to navigate the requirements of the policy:

  • How is it ensured that information security is an integral part of information systems throughout their lifecycle? (In connection with procurement and development projects and in relation to data classification and risk assessment.) 
  • How is the preparation of risk assessments for procurement and development of systems ensured and documented, as well as follow-up on risk assessments in connection with significant changes?
  • How is the transfer of information via networks protected against fraud, alterations, publication, etc.? (e.g. by using encrypted connections)
  • How is the confidentiality, integrity and availability of information in application services procured or developed by the unit ensured? (In accordance with applicable risk assessments, legal requirements and guidelines)
  • How is test data protected in accordance with its data classification?

Information Systems at Aarhus University are defined as sets of applications, services, information technology assets or other elements of information management.