System and Services Acquisition Policy and Procedures (SA-1)

The university develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the System and Services Acquisition policy and associated System and Services Acquisition controls.

Allocation of Resources (SA-2)

The University determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect information resources.

System Development Lifecycle (SA-3)

Information security should be considered throughout the life of the information system, including development, programming, configuration, or operational changes and modifications.

Acquisition Process (SA-4)

Overseeing the acquisition of information system products and services plays an important role supporting the management of technology (e.g., hardware and software) for university customers. Setting limits for security and access controls reduces the risk of liability, embarrassment, loss of revenue, loss of data, or loss of trust to the university.

Information System Documentation (SA-5)

The University obtains documentation for all acquired information resources, system components, or information system services.

External Information System Services (SA-9)

The University requires that providers of external information system services employ adequate security controls, and that information resource owners monitor security control compliance on an ongoing basis.

Developer Configuration Management (SA-10)

The developer of university information systems, system components, or information system services, whether by information technology staff or independent contractor, shall perform configuration management and consider the impact on information security.