TTUHSC IT Policies
1.4.20 APPLICATION SYSTEM DEVELOPMENT, ACQUISITION, AND LIFECYCLE
The central Data Center at TTUHSC employs a three-tiered architecture that consists of separate testing, staging, and production servers that isolates the testing environment from production environment. All server or web-based applications residing in the central Data Center must be hosted in this type of environment to ensure separation of test and production code/data. PHI data and the services that manage that data must reside on servers located in the central data center with limited access and additional security controls. Within this section, applications are defined as programs, software, systems, or web pages that are available to and interact with multiple users. These applications and associated data usually have a medium to high risk associated with them, as defined in Policy 1.1, I.T. Resource Management and Responsibilities. (See also TAC 202.72)
Access to the production environment must be strictly controlled. Web development and quality assurance practices are described in Policy 9.4, Change Management, Procedures for Official TTUHSC Web Pages/Sites. The quality assurance process for developing, maintaining and changing applications at TTUHSC is described in this section.
Developing Applications/Systems/Web Pages
All applications/systems, acquisition, development, and maintenance will be required to undergo a security audit before being put into production and must follow Policy 9.5, Coding Standards, Security, and Audit Controls.
Migrating Applications/Systems/Web Pages From Test To Production
Within the Information Technology Division at all campuses, all developers must adhere to the following quality assurance procedures:
- All developers and the requesting department are required to thoroughly review and test the application/system/web pages in the testing environment prior to it being moved to production. In many cases, this will require the development of testing documentation that includes test cases and scenarios. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also be involved in the review and testing. This testing must be completed before the security code review can be conducted.
- All applications/systems/web pages are required to undergo a security code review by Information Services prior to production implementation. A work order for a code review should be submitted via STARS. IS staff will perform a security code review for the project prior to it being moved into production. When requesting a security code review, please allow for adequate time (24-72 hours). The security code review will include the utilization of third party software that is specifically designed to identify vulnerabilities.
- Once the security code review is completed and all vulnerabilities have been addressed, the requesting department must request that the application/system/web pages be moved into production. The request to move to production will be approved by the Associate Vice President for Information Services or the Managing Director of Information Services. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also approve the move to production.
- Designated personnel will migrate the application/system/web page and any applicable data sources from test into production using a documented process. This process should include:
- Implementation procedures and requirements, and
- Making and documenting any changes to IIS, access privileges, etc. necessary to the proper functioning of the application.
- For applications/systems/web pages residing in the central Data Center, Information Services Project Leaders migrate the code and Information Services DBA's migrate any applicable databases into production. The migration of code from the test environment to the production environment is handled by a process developed in-house called the HSC Application Publisher. The HSC Application Publisher is a program designed to control the publishing of applications to the production environment. The application allows users to publish new versions of applications from a specified share to the production environment while giving the user the ability to save a copy of the version they are replacing. The application also does not allow any user to publish to production unless their code has undergone an initial security code review.
- After it is moved into production, the developer and the requesting department are required to do a final review and test of the application/system/web page developed. Once this is completed, the requesting department and the application/data owner are also required to submit a final approval for the project to the developer.
Outside of the Information Technology Division at all campuses, all developers should adhere to the same quality assurance procedures listed above. However, all applications/systems/web pages are required to undergo a:
- Security code review by Information Services prior to production implementation. A work order for a code review must be submitted via STARS IS staff will perform a security code review for the project prior to it being moved into production. When requesting a security code review, please allow for adequate time (24-72 hours). The security code review will include the utilization of third party software that is specifically designed to identify vulnerabilities.
- Once the security code review is completed and all vulnerabilities have been addressed, the requesting department must request that the application/system/web page be moved into production. The request to move to production will be approved by the Associate Vice President for Information Services or the Managing Director of Information Services. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also approve the move to production.
All applications/systems/web pages residing on servers outside of the central Data Center will be hosted using a three tiered architecture and must follow the below approval process. The Architecture must consist of separate testing, staging, and production servers that isolate the testing environment from production environment and utilizes the quality assurance procedures listed above for the Information Technology Division.
All coding will be consistent with the practices outlined in Policy 9.5, Information Services Coding Standards, Security, and Audit Controls.
Submitting A Project Request For Information Services Resources
- A project request must be submitted to Information Services for:
- Any modification or enhancement to an existing web site, web application, or other system,
- The development of new web sites, web applications, or systems,
- The implementation or upgrading of database or storage systems,
- The implementation or upgrading of acquired software or systems,
- The development or modification of e-Commerce applications,
- Security reviews for developed or newly acquired web sites, applications, or systems. All requests for security reviews for new software, applications, or systems should be made at the beginning of the procurement process to allow sufficient time to conduct the security review before procurement, and
- An appropriate Project Management review to be completed.
All project requests are reviewed on a bi-weekly basis. The purpose of this review is to determine whether resources exist to accomplish the objectives of the request and to prioritize approved requests. Before any project can be scheduled and resources allocated, it must be approved by the Associate Vice President for Information Services or the Managing Director of Information Services and the applicable Campus I.T. Director prior to any allocation of resources.
Also, if a request is submitted and the request was not made by the application/data owner, then the application/data owner must approve the request prior to any work starting on the project.
Projects are requested by submitting a work order via STARS.
- Once a request is received, it is reviewed for both resource availability and Project Management needs. If the resources are available and the request is approved, it is assigned to an Information Services staff member(s).
- The assigned staff member(s) will:
- Contact the requestor for additional information and further define the request,
- Gather the scope requirements of the request,
- Prepare the necessary project documentation
- Obtain agreement on the scope and requirements of the project and obtain sign-off to begin work,
- Begin work on the maintenance or application development project in the test environment,
- Work with the requestor so that the maintenance change or developed application can be reviewed and tested, and
- Make any changes or corrections discovered during the review and testing,
- Request a security code review and make any necessary adjustments
- Conduct a final round of review and testing,
- Obtain sign-off from the appropriate parties for production implementation,
- Wrap up the project.