TTUHSC IT Policies
9.5. INFORMATION SERVICES CODING STANDARDS, SECURITY, AND AUDIT CONTROLS
1. All application development including web applications will have audit capabilities
that will allow the construction of a transaction record of activities.
2. All developers will be familiar with and follow the standards and practices outlined
in the following Microsoft Developers Network Resources:
Note: Although Microsoft has released its new .NET framework and lists this content
as "retired", the concepts and practices are still applicable.
3. All developers will periodically review the materials at the following sites as
part of their training and skills development.
4. All developers will periodically participate in Microsoft Security Training Events
as part of their ongoing training and skills development. Available events can be located
5. Typical Development Phases and Steps to follow (SDLC):
- Meet with department
- Gather requirements
- Content gathering by department
- Content organization
- Navigation organization
- Application design (User interface, etc.)
- Database design
- Create content pages
- Content graphics
- Navigation implementation
- Application programming
- Database development
- IS testing
- Department testing
- IS approval
- Department approval
- Other applicable approvals (HIPAA Privacy Officer, Security Officer, etc.)
- Compliance Review (TAC, accessibility, etc.)
- Security Code Review
- Move to production
- Content pages
- Database schema
- Data migration/creation
- Application pages
- Implement SSL (if applicable)
- Implement authentication (if applicable)
- Post implementation testing/review
- Post implementation edits/modifications
- Final testing/review
- Final IS approval
- Final department approval
6. All developers will utilize the following tools:
- Test Environment -
Visual Studio and HSC Application Publisher for web application development/maintenance.
It is recommended that all application developers utilize a source code repository
and versioning tool. Information Services utilizes Team Foundation Server (TFS) for
this purpose. Outside departments may utilize TFS by purchasing the applicable license
for use with Visual Studio. For TFS licensing information, please contact Information
For static content, the content management system is typically used. However, there
are instances where it is acceptable to develop/maintain static content with other
tools such as Dreamweaver.
For simple applications and web sites not in the content management system, alternative
tools that were developed by Information Services will be used for publishing to the
test and production servers.
- Production Environment -
All developers will publish to the production environment using the HSC Application
- Content Management System -
All content contributors and managers will use this system to develop, maintain, and
publish static content to the TTUHSC web sites.
Note: For simple applications and web sites not in the content management system,
alternative tools that were developed by Information Services will be used for publishing
to the test and production servers.
7. Prior to writing any code or purchasing any software/system at TTUHSC, all developers
- Document the requirements and functionality of a development project.
- Review the documented requirements and functionality with the individual(s) or department
requesting the development project.
- Ensure that they have a thorough understanding of the development project requirements
- Obtain central IS administrative approval to begin the coding process and determine
Project Management needs.
8. All developers will thoroughly test all code prior to implementation.
9. All developers will require the requesting individual(s) or department to perform
extensive testing of all code prior to implementation.
10. Developed projects or purchased software/systems will not be moved into the production
- All code has been thoroughly reviewed and tested. This includes conducting compliance
and security code reviews.
- Approval has been obtained from the requesting individual(s) or department and a time
frame for production implementation has been agreed upon.
- Production implementation procedures and requirements have been outlined. These include,
but are not limited to:
- Changes to IIS
- Database structure and data migration
- Access privileges
- Approved by central IS Management and if applicable HIPAA Privacy and Institutional
11. Web publishing from Test to production
- The HSC Application Publisher will be used to publish content from Test to Production
for web applications.
- The content management system will be used to publish static content from Test to
- Simple applications and web sites not in the content management system will utilize
alternative tools that were developed by Information Services for publishing to the
test and production servers.
- Training on the use of these systems will be provided by Information Services.