The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented. This Control applies to software and applications that are developed by university employees, or for applications where the custodian has full access to the application source code (e.g. open-source software projects).

The information resource owner, or designee shall require the developer of the information resource to document and implement a plan for ongoing security and privacy testing and evaluation.

Security and privacy testing shall be performed periodically based on risk management decisions.

The Security and privacy testing and evaluation plan shall include the following elements:

• 3.1

  Evidence of the execution of the assessment plan and the results of the testing and evaluation are documented.

• 3.2

  A verifiable flaw remediation process.

• 3.3

  A remediation plan for correcting flaws identified during testing and evaluation.