System Development Lifecycle (SA-3)

Information security should be considered throughout the life of the information system, including development, programming, configuration, or operational changes and modifications.

Acquisition Process (SA-4)

Overseeing the acquisition of information system products and services plays an important role in supporting the management of technology (e.g., hardware and software) for university customers. Setting limits for security and access controls reduces the risk of liability, embarrassment, loss of revenue, loss of data, or loss of trust to the university.

Developer Configuration Management (SA-10)

The developer of university information systems, system components, or information system services, whether information technology staff or an independent contractor, shall perform configuration management and consider the impact on information security.