Georgetown University has adopted the security audit and accountability principles established in NIST SP 1800-5 “IT Asset Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Hardware assets purchased, granted, gifted or otherwise acquired for use in University academic, research, operations, or other business must be authorized and approved for implementation through the designated procurement and technical review process.
Systems Development Lifecycle (SDLC) Requirements
- The system life cycle activities meet all related security requirements as defined by UIS.
- Technology system roles and responsibilities are documented and detailed throughout the SDLC.
- Integrate the university information security risk management process into SDLC activities.
- A business justification and departmental approval are required for custom system development projects. When proposing the development of custom systems, departments shall make a business case that:
- Supports the rationale for not enhancing current systems, and
- Demonstrates the inadequacies of existing systems.
- End-of-Life (EoL) and End-of-Support dates (EoS) for systems and services are required as part of the system lifecycle, ensuring that systems and services are capable of receiving security patches and updates throughout the system development lifecycle, and that the UIS is prepared to discontinue the system or service once no longer supported, or when security cannot be ensured.
- SDLC includes the following phases in developing an information system, at a minimum:
- Acquisition / Development
- Implementation / Assessment
- Operations / Maintenance
- Sunset (disposition)
- Each of these five phases should include a minimum set of tasks to incorporate security and configuration management in the system development process.
The following questions should be addressed in determining the security controls that will be required for a system:
- How critical is the system in meeting the university’s mission?
- What are the security objectives required by the system in terms of integrity, confidentiality, and availability?
- What regulations, statutes, and policies are applicable in determining what is to be protected?
- What are the threats that are applicable in the environment where the system will be operational?