TTUHSC IT Policies
1.4.20 APPLICATION SYSTEM DEVELOPMENT, ACQUISITION, AND LIFECYCLE
The central Data Center at TTUHSC employs a three-tiered architecture that consists of separate testing, staging, and production servers, which isolates the testing environment from the production environment. All server or web-based applications residing in the central Data Center must be hosted in this type of environment to ensure separation of test and production code/data. Within this section, applications are defined as programs, software, systems, or web pages that are available to and interact with multiple users. These applications and associated data usually have a medium to high risk associated with them, as defined in Section 1.1. (See also TAC 202.72.)
Access to the production environment must be strictly controlled. Web development and quality assurance practices are described in Section 9.4 - Change Management Procedures for Official TTUHSC Web Pages/Sites. The quality assurance process for developing, maintaining and changing applications at TTUHSC is described in this section.
Developing Applications/Systems/Web Pages
All application/system acquisition, development, and maintenance work is required to undergo a security audit before the resulting application/system is put into production, and must follow Section 9.5 - Coding Standards, Security, and Audit Controls.
Migrating Applications/Systems/Web Pages From Test To Production
Within the Information Technology Division at all campuses, all developers must adhere to the following quality assurance procedures:
- All developers and the requesting department are required to thoroughly review and test the application/system/web pages in the testing environment before they are moved to production. In many cases, this will require the development of testing documentation that includes test cases and scenarios. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also be involved in the review and testing. This testing must be completed before the security code review can be conducted.
- All applications/systems/web pages are required to undergo a security code review by Information Services prior to production implementation. A project request for a code review should be submitted via the Information Services Project Request form located at http://www.ttuhsc.edu/it/IS/forms/ProjectRequest/. IS staff will perform a security code review for the project before it is moved into production. The security code review will include the use of third-party software that is specifically designed to identify vulnerabilities.
- Once the security code review is completed and all vulnerabilities have been addressed, the requesting department must request that the application/system/web pages be moved into production. The request to move to production will be approved by the Assistant Vice President for Information Services or the Manager of Web Programming AND the Institutional Information Security Officer. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also approve the move to production.
- Designated personnel will migrate the application/system/web page and any applicable data sources from test into production using a documented process. This process should include:
- Implementation procedures and requirements, and
- Making and documenting any changes to IIS, access privileges, etc. necessary for the proper functioning of the application.
- For applications/systems/web pages residing in the central Data Center, Information Services Project Leaders migrate the code and any applicable databases into production. The migration of code from the test environment to the production environment is handled by a process developed in-house called the HSC Version Control System. The HSC Version Control System is a program designed to control the publishing of applications to the production environment. The application provides access to a source code repository and allows users to check in/out source code files and publish new versions of applications from the test environment to production.
- After it is moved into production, the developer and the requesting department are required to do a final review and test of the application/system/web page. Once this is completed, the requesting department and the application/data owner are also required to submit a final approval for the project to the developer.
Outside of the Information Technology Division at all campuses, all developers should adhere to the same quality assurance procedures listed above. In all cases, all applications/systems/web pages are required to undergo the following:
- A security code review by Information Services prior to production implementation. A project request for a code review must be submitted via the Information Services Project Request form located at http://www.ttuhsc.edu/it/IS/forms/ProjectRequest/ prior to procurement. IS staff will perform a security code review for the project before it is moved into production. The security code review will include the use of third-party software that is specifically designed to identify vulnerabilities.
- Once the security code review is completed and all vulnerabilities have been addressed, the requesting department must request that the application/system/web page be moved into production. The request to move to production will be approved by the Assistant Vice President for Information Services or the Manager of Web Programming AND the Institutional Information Security Officer. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also approve the move to production.
All applications/systems/web pages residing outside of the central Data Center will be hosted using a three-tiered architecture that consists of separate testing, staging, and production servers, which isolates the testing environment from the production environment.
All coding will be consistent with the practices outlined in Section 9.5.
Submitting A Project Request For Information Services Resources
A project request must be submitted to Information Services for:
- Any modification or enhancement to an existing web site, web application, or other system,
- The development of new web sites, web applications, or systems,
- The implementation or upgrading of database or storage systems,
- The implementation or upgrading of acquired software or systems,
- The development or modification of e-Commerce applications, and
- Security reviews for developed or newly acquired web sites, applications, or systems. All requests for security reviews for new software, applications, or systems should be made at the beginning of the procurement process to allow sufficient time to conduct the security review before procurement.
All project requests are reviewed on a bi-weekly basis. The purpose of this review is to determine whether resources exist to accomplish the objectives of the request and to prioritize approved requests. Before any project can be scheduled and resources allocated, it must be approved by the Assistant Vice President for Information Services or the Manager of Web Programming and the applicable Campus I.T. Director.
Also, if a request is submitted and the request was not made by the application/data owner, then the application/data owner must approve the request prior to any work starting on the project.
Project requests are submitted via the Information Services Project Request form located at http://www.ttuhsc.edu/it/IS/forms/ProjectRequest/.
- Once a request is received, it is reviewed. If the resources are available and the request is approved, it is assigned to one or more Information Services staff members.
- The assigned staff member(s) will:
- Contact the requestor for additional information and further define the request,
- Begin work on the maintenance or application development project in the test environment,
- Work with the requestor so that the maintenance change or developed application can be reviewed and tested, and
- Make any changes or corrections discovered during the review and testing, then review and test again.