
SA-8 Security and Privacy Engineering Principles

Description

It is crucial for the university to follow a common set of principles for software development that prioritize security and privacy. By doing so, we can ensure that security is a top priority throughout the development process, from initial design to final deployment.

Applicability

  • The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented.

Implementation

  • 1 - Information resource owners shall apply the following security and privacy engineering principles in the specification, design, development, implementation, and modification of university information resources:

    • 1.1 - Prioritize automation and integration

      • 1.1.1 - Automate security, build, infrastructure, and deployment processes.
      • 1.1.2 - Manual processes should be identified and automated when possible.
    • 1.2 - Developer autonomy

      • 1.2.1 - Tools and processes should provide instantaneous feedback and empower developers to fix problems independently.
      • 1.2.2 - Processes should be language and framework agnostic with tools selected based on their effectiveness in addressing security risks.
    • 1.3 - Continuous improvement

      • 1.3.1 - Favor fast time to value over comprehensive solutions.
      • 1.3.2 - Use iterative processes to improve over time.
    • 1.4 - Shared responsibility

      • 1.4.1 - Security is everyone’s job. Developers, operations, and security personnel should be empowered to manage security risks together in each phase of the lifecycle.
      • 1.4.2 - Sharing responsibility means that communication needs to be fast, smooth, and effective to ensure timely identification and resolution of security risks.
    • 1.5 - Learning as part of the job

      • 1.5.1 - Continuing education is important to encourage growth and improve institutional competency.
      • 1.5.2 - The freedom to fail without assigning blame empowers individuals and teams to innovate and learn.