It is crucial for the university to follow a common set of principles for software development that prioritize security and privacy. By doing so, we can ensure that security is a top priority throughout the development process, from initial design to final deployment.


  • The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented.


  • 1

    Information resource owners shall apply the following security and privacy engineering principles in the specification, design, development, implementation, and modification of university information resources:

    • 1.1

      Prioritize automation and integration.

      • 1.1.1

        Automation of security, build, infrastructure, and deployment processes.

      • 1.1.2

        Manual processes should be identified and automated when possible.

    • 1.2

      Developer autonomy

      • 1.2.1

        Tools and processes should provide instantaneous feedback and empower developers to fix problems independently.

      • 1.2.2

        Processes should be language and framework agnostic with tools selected based on their effectiveness in addressing security risks.

    • 1.3

      Continuous improvement

      • 1.3.1

        Favor fast time to value over comprehensive solutions.

      • 1.3.2

        Use iterative processes to improve over time.

    • 1.4

      Shared responsibility

      • 1.4.1

        Security is everyone’s job. Developers, operations, and security personnel should be empowered to manage security risks together in each phase of the lifecycle.

      • 1.4.2

        Sharing responsibility means that communication needs to be fast, smooth, and effective to ensure timely identification and resolution of security risks.

    • 1.5

      Learning as part of the job

      • 1.5.1

        Continuing education is important to encourage growth and improve institutional competency.

      • 1.5.2

        The freedom to fail without assigning blame empowers individuals and teams to innovate and learn.