TTUHSC IT Policies
1. All applications developed, including web applications, will have audit capabilities that allow a transaction record of activities to be constructed.
2. All developers will be familiar with and follow the standards and practices outlined in the following Microsoft Developers Network Resources:
- Building secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
- Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication - Data Access Security
- Improving Web Application Security: Threats and Countermeasures
- Patterns and Practices Security Guidance for Applications Index
- An overview of Security in the .NET Framework
- Defend your Apps and Critical User Info with Defensive Coding Techniques
- .NET Security
Note: Although Microsoft has released its new .NET Framework and lists this content as "retired", the concepts and practices are still applicable.
3. All developers will periodically review the materials at the following sites as part of their training and skills development.
- MSDN Security Site - http://msdn.microsoft.com/security/
- TechNet Security Site - http://www.microsoft.com/technet/security/default.mspx
4. All developers will periodically participate in Microsoft Security Training Events as part of their ongoing training and skills development. Available events can be located at: http://www.microsoft.com/events/security/default.mspx.
5. Typical Development Phases and Steps to follow (SDLC):
- Meet with department
- Gather requirements
- Content gathering by department
- Content organization
- Navigation Organization
- Application design (User interface, etc.)
- Database design
- Create content pages
- Content graphics
- Navigation implementation
- Application programming
- Database development
- IS testing
- Department testing
- IS approval
- Department approval
- Other applicable approvals (HIPAA Privacy Officer, Security Officer, etc.)
- Compliance Review (TAC, accessibility, etc.)
- Security Code Review
- Move to production
  - Content pages
  - Database schema
  - Data migration/creation
  - Application pages
  - Implement SSL (if applicable)
  - Implement authentication (if applicable)
- Post implementation testing/review
- Post implementation edits/modifications
- Final testing/review
- Final IS approval
- Final department approval
6. All developers will utilize the following tools:
- Test Environment -
Visual Studio and HSC Application Publisher for web application development/maintenance. It is recommended that all application developers utilize a source code repository and versioning tool. Information Services utilizes Team Foundation Server (TFS) for this purpose. Outside departments may utilize TFS by purchasing the applicable license for use with Visual Studio. For TFS licensing information, please contact Information Services.
For static content, the content management system is typically used. However, there are instances where it is acceptable to develop/maintain static content with other tools such as Dreamweaver.
For simple applications and web sites not in the content management system, alternative tools that were developed by Information Services will be used for publishing to the test and production servers.
- Production Environment -
All developers will publish to the production environment using the HSC Application Publisher.
- Content Management System -
All content contributors and managers will use this system to develop, maintain, and publish static content to the TTUHSC web sites.
7. Prior to writing any code or purchasing any software/system at TTUHSC, all developers will:
- Document the requirements and functionality of a development project.
- Review the documented requirements and functionality with the individual(s) or department requesting the development project.
- Ensure that they have a thorough understanding of the development project requirements and functionality.
- Obtain central IS administrative approval to begin the coding process and determine Project Management needs.
8. All developers will thoroughly test all code prior to implementation.
9. All developers will require the requesting individual(s) or department to perform extensive testing of all code prior to implementation.
10. Developed projects or purchased software/systems will not be moved into the production environment until:
- All code has been thoroughly reviewed and tested. This includes conducting compliance and security code reviews.
- Approval has been obtained from the requesting individual(s) or department and a time frame for production implementation has been agreed upon.
- Production implementation procedures and requirements have been outlined. These include, but are not limited to:
  - Changes to IIS
  - Database structure and data migration
  - Access privileges
- Approval has been obtained from central IS Management and, if applicable, the HIPAA Privacy and Institutional Security Officers.
11. Web publishing from Test to Production
- The HSC Application Publisher will be used to publish content from Test to Production for web applications.
- The content management system will be used to publish static content from Test to Production.
- Simple applications and web sites not in the content management system will utilize alternative tools that were developed by Information Services for publishing to the test and production servers.
- Training on the use of these systems will be provided by Information Services.