Application Security Policy:  I4



The purpose of the Application Security Policy is to avoid inadvertent release of confidential or sensitive information, minimize risks to users and the College, and ensure the availability of critical applications.


SPC focuses its efforts on security applications that hold or utilize data sets containing student information/records, personally identifiable information such as social security numbers or credit card numbers, and other categories of data that are protected by federal or state laws or regulations. Ultimately, to ensure application availability and reliability, all applications must be secured regardless of the type of information they utilize.



The Application Security Policy applies to applications developed by College staff as well as to those acquired from outside providers. All applications are subject to this policy regardless of whether the application is hosted on College equipment or elsewhere.



To keep risk to an acceptable level, SPC shall ensure that the proper security controls will be implemented for each application.   Data owners, custodians, system administrators, and application developers are expected to use their professional judgment in managing risks to the information, systems and applications they use and support. All security controls should be proportional to the confidentiality, integrity, and availability requirements of the data processed by the system.


  1. SPC-IS, individual departments, and contractors shall implement application security standards to have effective controls over systems they directly manage. 
  1. If SPC-IS manages an environment or application, SPC-IS shall be responsible for implementing the application security controls.
  2. If a department manages an environment or application, that department shall be responsible for implementing the application security controls.
  3. If an outsourced contractor manages an SPC environment or application for an individual department, the department must ensure that the contractor implements the application security controls.
  4. College faculty and staff who engage any third-party hosting services (such as cloud services, SaaS, or managed hosting) for educational, research or approved purpose must:
    1. obtain prior approval from the Information Resources Manager or designee.
    2. not entrust that provider with sensitive or confidential business data as defined in IG-Data Classification Policy.
  • Availability and support agreements (eg, 24X7, 8-5, Weekdays only) must be at a level commensurate with the applications expected availability and must be communicated to SPC-IS. 
  1. Applications installed or being changed should follow the standardized application lifecycle established by the SPC-IS Project Lifecycle. 
  1. Each individual user (whether a developer, administrator, or user) should have a unique set of credentials for accessing a computer application. 
  1. Authenticated users should have access to a computer application and should only be allowed to access the information they require (principle of least privilege). 
  1. Establishing and changing access for a user or group should be approved by the application’s data owner. 
  1. Developers should follow best practices for creating secure applications with the intention being to minimize the impact of attacks. 
  1. Developers should not develop or test an application against production data sources. 
  1. Logs for the server, application and web services should be collected and maintained in a viewable format for a period of time specified by applicable state regulations. 
  1. Maintain a full inventory of all applications, to include authentication and authorization systems, the data classification and level of criticality for each application. 
  1. Document clear rules and processes for reviewing, removing, and granting authorizations. 
  1. Remove critical authorizations for access to applications for individuals who have left the College, transferred to another department, or assumed new job duties.


Related Policies, References and Attachments:

An index of approved SPC-IS policies can be found on the SPC Policies website at  The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

DIR Security Controls Catalog Control Group: CA-1


Approved by:  Executive Council, April 4, 2019

Next Review: October 1, 2020