System and Services Acquisition Policy and Procedures (SA-1)
The university develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the System and Services Acquisition policy and associated System and Services Acquisition controls.
Allocation of Resources (SA-2)
The University determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect information resources.
System Development Lifecycle (SA-3)
Information security should be considered throughout the life of the information system, including development, programming, configuration, or operational changes and modifications.
Acquisition Process (SA-4)
Overseeing the acquisition of information system products and services plays an important role supporting the management of technology (e.g., hardware and software) for university customers. Setting limits for security and access controls reduces the risk of liability, embarrassment, loss of revenue, loss of data, or loss of trust to the university.
Information System Documentation (SA-5)
The University obtains documentation for all acquired information resources, system components, or information system services.
Security and Privacy Engineering Principles (SA-8)
It is crucial for the university to follow a common set of principles for software development that prioritize security and privacy. By doing so, we can ensure that security is a top priority throughout the development process, from initial design to final deployment.
External Information System Services (SA-9)
The University requires that providers of external information system services employ adequate security controls, and that information resource owners monitor security control compliance on an ongoing basis.
Developer Configuration Management (SA-10)
The developer of university information systems, system components, or information system services, whether by information technology staff or independent contractor, shall perform configuration management and consider the impact on information security.
Developer Testing and Evaluation (SA-11)
Information security should be considered throughout the development, testing and evaluation of a university information resource.
Unsupported System Components (SA-22)
Availability of university information resources depend on reliable components and the prompt replacement of hardware and software components when necessary.