SA-8 Security and Privacy Engineering Principles
Description
The university follows a common set of security and privacy engineering principles for software development so that security and privacy are addressed throughout the lifecycle, from initial design through deployment and later modification.
Applicability
- The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented.
Implementation
1 - Information resource owners shall apply the following security and privacy engineering principles in the specification, design, development, implementation, and modification of university information resources:
1.1 - Prioritize automation and integration.
- 1.1.1 - Automate security, build, infrastructure, and deployment processes.
- 1.1.2 - Identify manual processes and automate them where possible.
1.2 - Developer autonomy
- 1.2.1 - Tools and processes should give developers immediate feedback and enable them to fix problems independently.
- 1.2.2 - Processes should be language and framework agnostic, with tools selected for their effectiveness at addressing security risks.
1.3 - Continuous improvement
- 1.3.1 - Favor fast time to value over comprehensive solutions.
- 1.3.2 - Use iterative processes to improve over time.
1.4 - Shared responsibility
- 1.4.1 - Security is everyone’s job. Developers, operations, and security personnel should be empowered to manage security risks together in each phase of the lifecycle.
- 1.4.2 - Sharing responsibility means that communication needs to be fast, smooth, and effective to ensure timely identification and resolution of security risks.
1.5 - Learning as part of the job
- 1.5.1 - Continuing education is important to encourage growth and improve institutional competency.
- 1.5.2 - The freedom to fail without assigning blame empowers individuals and teams to innovate and learn.