The developer of university information systems, system components, or information system services, whether by information technology staff or independent contractor, shall perform configuration management and consider the impact on information security.


  • The intended audience includes developers, custodians and/or owners of an information resource.


  • 1

    The developers of information systems, system components, or information service shall:

    • 1.1

      perform configuration management during design, development, implementation, or operation;

    • 1.2

      document, manage, and control the integrity of changes;

    • 1.3

      implement only university or unit-approved changes;

    • 1.4

      document approved changes and the potential security impacts of such changes; and

    • 1.5

      track security flaws and flaw resolution and report findings to information owner or designee.