Secure Software Development Life Cycle Policy
For Students, Faculty, Staff, Guests, Alumni
The purpose of this policy is to describe the requirements for developing or implementing new University software and systems and to ensure that all development work is compliant as it relates to regulatory, statutory, federal, or state guidelines.
This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
- Fordham IT is responsible for developing, maintaining, and participating in a Secure Software Development Life Cycle (SSDLC) for all University system development projects. Therefore, all entities at the University engaged in systems or software development activities must follow the Secure Software Development Life Cycle Procedure.
- When a department chooses to seek an exemption (e.g., inability to meet specific points, tasks, or subtasks within the SSDLC policy or standards):
  - Representatives from Information Security and Assurance (ISA) and Software Services and Information Architecture (SSIA), as designated by Fordham IT, review the specific merits of the exemption request(s).
  - The request must adhere to the main principles behind the SDLC policy and procedures.
- All software developed in-house, which runs on production systems, must be designed according to the .
- The software must be adequately documented and tested before it is used with data classified as Fordham Protected Data or Fordham Sensitive Data.
- At a minimum, a software development plan should address the areas of:
  - Preliminary analysis or feasibility study,
  - Risk identification and mitigation,
  - Systems analysis,
  - General design,
  - Detail design,
  - Privacy by design,
  - Quality assurance and acceptance testing,
  - Implementation, and
  - Post-implementation maintenance and review.
- All development work must exhibit a separation between production, development, and test environments. At a minimum, there must be a defined separation between the development/test and production environments, unless prohibited by licensing restrictions or an exception is made.
- Where this separation of environments has been established, development and Quality Assurance/test staff must not be permitted access to production systems unless such access is required by their respective job duties/descriptions.
- All application/program access paths utilized in development or testing, other than the formal user access paths, must be deleted or disabled before the software is moved into production.
- Documentation must be kept and updated during all phases of development from the initiation phase through implementation and ongoing maintenance phases. Additionally, security considerations should be noted and addressed through all stages.
- All software and web applications that create, manage, use, or transmit Fordham Protected data or Fordham Sensitive data, as defined by the Data Classification and Protection Policy, must be developed and maintained solely by Fordham IT or an entity that the SDLC Review Committee has approved. All other development work may be done outside of Fordham IT provided the Secure Software Development Life Cycle Procedure is followed.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
Responsible Person: AVP, Software Services and Information Architecture
Approval Date: October 6, 2016
| Version | Date | Description |
|---|---|---|
| 1.0 | October 6, 2016 | Initial document |
| 1.0.1 | 06/25/2018 | Updated disclaimer, scope, and definitions |
| 1.0.2 | 08/13/2019 | Updated policy statement |
| 1.2 | 11/19/2021 | Updated policy statement |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.