The objective of Aarhus University's policies and rules for systems acquisition, development and maintenance is:
Information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. (A.14.1.1)
Information security must be included as an integral part of all acquisition and development projects.
The requisitioner must ensure that new acquisitions comply with existing requirements in the information security policy and other legislation, such as the Danish Public Procurement Act.
Acquisitions must not in any way impair Aarhus University's overall level of information security.
In connection with any new acquisitions, the data must be classified and a risk assessment must be carried out; if the risk assessment so warrants, a business contingency plan (including technical contingency and recovery plans) must also be prepared.
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorised disclosure and modification. (A.14.1.2)
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay. (A.14.1.3)
Encryption, signature and other safeguarding of information integrity, confidentiality and availability in application services must be applied in accordance with relevant risk assessments, as well as legislation and guidelines from relevant authorities such as the Danish Data Protection Agency.
In cases where AU offers applications and services for use in trade, these must at all times comply with relevant legislation and guidelines.
If systems and services offered by AU IT are used, the following are secured centrally:
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. If you have other needs based on your risk assessment, this must be ensured locally.
Rules for the development of software and systems shall be established and applied to development within the organization. (A.14.2.1)
Information security must always be included when considering the lifecycle of the information system, including in connection with the design, testing, upgrading and implementation of new IT systems as well as in connection with system changes.
University requirements for new as well as existing systems must include security requirements on the basis of a risk assessment.
IT equipment/devices must be purchased in accordance with current procurement agreements and/or procurement rules.
Changes to systems within their development lifecycle shall be controlled by the use of formal change control procedures. (A.14.2.2)
If the associated risk assessment so dictates, changes to the university's systems must be managed in accordance with formal procedures in connection with development throughout the lifetime of the system.
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. (A.14.2.3)
AU IT operating platforms must follow the unit’s change management process to ensure the above. All other operating platforms must be secured by similar measures.
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. (A.14.2.4)
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. (A.14.2.5)
Procurement, development/changes and implementation of systems at the university must be controlled in order to avoid unnecessary increased risk to information security. When solutions are implemented, security concerns must always be included as an integral part of the process.
Security concerns must be documented in connection with any significant acquisition of a new IT system or a significant IT system upgrade.
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. (A.14.2.6)
The organization shall supervise and monitor the activity of outsourced system development. (A.14.2.7)
Testing of security functionality shall be carried out during development. (A.14.2.8)
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. (A.14.2.9)
Units that maintain development environments must establish procedures to ensure the above.
If systems and services offered by AU IT are used, the following are secured centrally:
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. Furthermore, Procurement provides advice on the procurement, development and maintenance of systems.
If you have other needs based on your risk assessment, this must be ensured locally.
Test data shall be selected carefully, protected and controlled. (A.14.3.1)
Data for tests must be selected, controlled and protected carefully and in accordance with its classification.
The person responsible for the information must formally and beforehand approve any copying of data from the operating environment to a test environment.
Any copying and use of data from the operating environment for tests must be logged to ensure the audit trail.
Information security must be ensured in line with statutory and regulatory requirements across development and help processes as well as in the handling of test data.
A number of initiatives have been planned and established centrally in order to comply with the above requirements:
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. If you have other needs based on your risk assessment, this must be ensured locally.
QUESTION GUIDE
Consider the question guide as a tool to navigate the requirements of the policy: