The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented.

Information resource owners shall apply the following security and privacy engineering principles in the specification, design, development, implementation, and modification of university information resources:

• 1.1

  Prioritize automation and integration.

  • 1.1.1

    Automation of security, build, infrastructure, and deployment processes.

  • 1.1.2

    Manual processes should be identified and automated when possible.

• 1.2

  Developer autonomy

  • 1.2.1

    Tools and processes should provide instantaneous feedback and empower developers to fix problems independently.

  • 1.2.2

    Processes should be language and framework agnostic with tools selected based on their effectiveness in addressing security risks.

• 1.3

  Continuous improvement

  • 1.3.1

    Favor fast time to value over comprehensive solutions.

  • 1.3.2

    Use iterative processes to improve over time.

• 1.4

  Shared responsibility

  • 1.4.1

    Security is everyone’s job. Developers, operations, and security personnel should be empowered to manage security risks together in each phase of the lifecycle.

  • 1.4.2

    Sharing responsibility means that communication needs to be fast, smooth, and effective to ensure timely identification and resolution of security risks.

• 1.5

  Learning as part of the job

  • 1.5.1

    Continuing education is important to encourage growth and improve institutional competency.

  • 1.5.2

    The freedom to fail without assigning blame empowers individuals and teams to innovate and learn.