The university develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the System and Services Acquisition policy and associated System and Services Acquisition controls.

The University determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect information resources.

Information security should be considered throughout the life of the information system, including development, programming, configuration, or operational changes and modifications.

Overseeing the acquisition of information system products and services plays an important role supporting the management of technology (e.g., hardware and software) for university customers. Setting limits for security and access controls reduces the risk of liability, embarrassment, loss of revenue, loss of data, or loss of trust to the university.

The University obtains documentation for all acquired information resources, system components, or information system services.

It is crucial for the university to follow a common set of principles for software development that prioritize security and privacy. By doing so, we can ensure that security is a top priority throughout the development process, from initial design to final deployment.

The University requires that providers of external information system services employ adequate security controls, and that information resource owners monitor security control compliance on an ongoing basis.

The developer of university information systems, system components, or information system services, whether by information technology staff or independent contractor, shall perform configuration management and consider the impact on information security.

Information security should be considered throughout the development, testing and evaluation of a university information resource.

Availability of university information resources depend on reliable components and the prompt replacement of hardware and software components when necessary.