Policy

Through this Application Security Management Control Policy, NYU strives to create a control environment to protect designated University Computer Applications throughout their entire life cycle. This control environment strives to protect against unacceptable risks by requiring procedures and documentation that govern approval, access, and authorization and enhance the confidentiality, integrity, availability, and auditability of application data, use control, and segregation of duties. For the purpose of this policy the term Computer Application shall be called “application” and shall mean and encompass all of the following: the computer application itself, associated programs and databases, and the systems on which they run. Application security management controls focus on five control areas: A) Control Environment, B) Risk Management, C) Control Activities, D) Information and Communication, and E) Monitor and Review (see Operational Requirements, which follow).

It is the responsibility of the application sponsors, who oversee the management and operation of the designated University applications, and their designees, who develop, install, operate, or maintain the designated University applications, to comply with this Policy. It is the responsibility of these individuals to ensure that detailed procedures, appropriate to the application’s criticality and the sensitivity of the data contained therein, are developed and maintained. These individuals are accountable for managing and overseeing the application in such a way that there is confidence in the information contained in and obtained from the application, that the application is reliable and functioning properly, and that data are protected from unauthorized access, alteration, and destruction. All application security management controls in support of designated applications shall be documented, and the documentation shall be retained and secured (see section 1.F below).

Purpose of this Policy

More and more University activities are conducted using computers and electronic communications, with increased convenience and accessibility from all parts of the world, and depend upon designated applications and the sensitive data on them for University operations.  At the same time, today’s inter-connected computing and information environment intensifies the risks and threats of unauthorized access to computers, inadvertent disclosures of sensitive data, and modification or destruction of essential information, resulting in potentially serious consequences to individuals and to institutions.

The Policy Statement and its Operational Requirements define the fundamental precepts which govern the application security management control process for designated applications at New York University. This Policy is part of the IT Controls framework which, in turn, is integral to an effective internal control structure. This Policy, in conjunction with the Program Change Management Control Policy and the Policy on Responsible Use of NYU Computers and Data, provides the basis for a strong security environment for key University applications.

Scope of this Policy

All members of the NYU community are affected by this Policy, especially the appropriate University leaders and the application sponsors and designees who are responsible for an application and/or who can access any application designated under this Policy at any point throughout the application’s life cycle.

Operational Requirements

In order to achieve an integrated control process, New York University’s application security management controls shall consist of the following five control areas: Control Environment, Risk Management, Control Activities, Information and Communication, and Monitor and Review.

  1. Control Environment
    1. University leaders shall designate certain applications as subject to this Policy, including specifying the application sponsor who shall have the responsibility, authority, and accountability for overseeing the application security management control function for that application.
    2. A list of designated applications shall be maintained in an Appendix to this Policy.
    3. The responsible application sponsors may delegate application security management control responsibilities as they deem appropriate to specific areas.
    4. The roles of the individuals who have specific responsibilities in one or more of the areas shall be documented to include for each application for which they are responsible the following:
      1. designation of their roles;
      2. definition of their specific responsibilities; and
      3. maintenance, either electronically or on paper, of evidence of fulfillment of the specified roles.
    5. It is the responsibility of each individual who has access to a designated application to protect the confidentiality, integrity, availability, and auditability of the application by implementing and/or following security measures designed to reduce the risks to the sensitive data on the application to a reasonable and appropriate level. The designated applications shall be implemented in such a way as to provide reasonable assurance that they are appropriately tested and validated prior to being placed into production, that associated controls operate as intended, and that change requirements as described in the Program Change Management Control Policy are met.
    6. All documentation required by this policy shall be securely retained for a period of at least one full fiscal year.
  2. Risk Management
    A risk management strategy, to include risk assessment and mitigation, shall be developed in order to reduce the risks to the confidentiality, integrity, availability, and auditability of designated applications to a reasonable and appropriate level. The results of the risk assessment and related mitigation strategy shall be documented and retained.
  3. Control Activities
    Application security management control procedures shall be implemented and documented for all designated applications, including access controls (authentication, account management, role-based authorization procedures); segregation of duties; audit controls; facility access controls; and device and media controls. For all control activities, data recorded, processed, and reported shall be monitored and reviewed as specified in section E below and retained as specified in section 1.F above.   
    1. Access control procedures to protect an application, its data, and the systems on which it runs shall be implemented and documented. Access controls include approval, authentication, account management, and authorization for access to specific application functions and data. Access approval and implementation shall be guided by the minimum necessary standard: reasonable and appropriate efforts shall be made to limit the availability of application functions and data to the minimum necessary to accomplish the intended purpose. Access control records shall be logged and reviewed in accordance with the Monitor and Review control area specification (section E) below. Access control elements are:
      1. Approval – a documented access request and approval process shall be implemented. Access requests must be approved by the responsible application sponsors or their designees.
      2. Authentication – a documented authentication process shall be implemented for verifying the identity of any person or process prior to granting access to a designated application or to a system upon which the application runs.
      3. Account Management – a documented account management process shall be implemented; account management encompasses account creation, initial activation, account modifications, and eventual account termination. Account access shall be reviewed, modified, and terminated on a timely basis in accordance with the business rules governing the application.
      4. Authorization – a documented process shall be implemented for granting appropriate role-based access within applications. Role-based authorizations shall be reviewed, modified, and terminated on a timely basis in accordance with the procedures governing the application.
    2. The application security management control procedures shall specify the segregation of duties and responsibilities throughout the application security management control process, so that there is appropriate oversight and checks and balances.
    3. Audit control procedures shall be developed, implemented, and documented to enable review of system activity records as specified in section E below.
    4. Facility access controls shall be implemented and documented to protect designated systems, as well as the facilities in which they are located, from unauthorized physical access, tampering, theft, and physical damage while taking reasonable and appropriate steps to ensure that access by properly authorized individuals is granted and tracked.
    5. Device and media controls shall be implemented and documented for managing hardware and electronic media, including protecting, accounting for, storing, backing up, tracking and disposal.
    6. A program change management control procedure as delineated in the Program Change Management Control Policy shall be implemented and documented.
    7. Procedures shall be implemented and documented for response and recovery of designated applications and the systems on which they run following incidents, disruptions, and disasters and shall be reviewed and tested as appropriate.
  4. Information and Communication      
    Each unit with an application designated as subject to this Policy shall develop, implement, review, and document an information and communication program to provide ongoing training to the individuals who have access to the designated application and associated systems and services in order to enable them to access and protect the sensitive data on it appropriately. 
  5. Monitor and Review
    Periodic technical and non-technical evaluation of the application security management control process and its records shall be undertaken in order to demonstrate and document the extent of compliance with this Policy. Evidence shall be documented and retained as specified in section 1.F above and shall include the following:
    1. Verification at appropriate intervals by sponsors of designated applications that this IT Application Security Management Control Policy has been followed, that application and system procedural documentation has been reviewed and, where necessary, updated, and that, to the best of their knowledge, the monitoring and review practices delineated in this Policy, including evidence of activities and tasks performed to achieve control objectives, are being conducted as specified in appropriate procedures and on a timely basis.
    2. Reviews of risk assessment results and of implementation of mitigation plans, as specified in section 2 above.
    3. Reviews of logs of application and system activity with evidence of the log reviews retained and secured either electronically or on paper.
    4. Reviews of evidence of segregation of duties.
    5. Reviews of approvals, account provisioning, modification, de-provisioning, and privilege management. 
    6. Reviews of facility access logs or records including a review of those persons who have access privileges to facilities housing the systems on which designated applications run.
    7. Records of device and media controls.
    8. Evidence that the program change management control process, as delineated in the Program Change Management Control Policy, has been followed in all phases. 
    9. Tests of response and recovery procedures.

Policy Definitions

  1. Minimum necessary refers to the standard that reasonable and appropriate controls and procedures shall be made to limit the use, disclosure of, and requests for sensitive data to the minimum necessary to accomplish the intended purpose.
  2. Program change management is the ongoing process that includes requesting, evaluating, scheduling, implementing, monitoring, reviewing, coordinating, communicating, and documenting all types of change to the information technology environment affecting designated applications and associated systems and services.

Related Documents and Resources

Appendix

Designated applications under this Policy are:

  1. fame
  2. PeopleSync
  3. Student Information (SIS)

Notes
  1. Dates of official enactment and amendments: Feb 15, 2006
  2. History: Last Reviewed: August 3, 2021; Last Revised: August 3, 2021
  3. Cross References: N/A