Application Development and Deployment


Administration & Finance


Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 /

Effective Date: 

Wednesday, September 1, 2010


ISO Domain 14: System Acquisition, Development and Maintenance Policy


This Business Policy defines requirements for applications developed and/or deployed for SF State.


Purpose and Scope

This Policy defines requirements for applications (including software on appliances) developed or deployed (whether on or off-campus) for San Francisco State. This applies to technology purchased, obtained at no cost or custom developed (in-house or by third-parties). 


It is the responsibility of unit managers to ensure that this and other University Policies and Campus Technology Policies are followed. Exceptions to the requirements of this or any other Policies must be documented and approved.

Use of sensitive data

  • Applications will not store or transmit sensitive data unless absolutely necessary
  • Need for sensitive data will be verified and approved by the data owner (e.g. HR for HRMS, Fiscal Affairs for FMS)
  • Sensitive data must be encrypted in transit
  • Use of Level 1 Confidential data must be approved by the Information Security Officer
  • Level 1 Confidential data must be encrypted in storage and backups


  • Security testing criteria, including testing for common vulnerabilities, will be documented, maintained and followed prior to custom-developed applications being moved into production
  • Updates to custom-developed applications will be regression tested and verified before deployment


  • Default configurations for servers, applications and code libraries (e.g., default admin accounts with blank or published password) will be evaluated prior to installation
  • Server administration, logging and debugging information will not be publicly accessible in production systems
  • Principles of separation of duties will be followed regarding access to production source code and systems