7.5.4 Online and Mobile Applications

A. Purpose

To provide internet website and mobile application security procedures, as required by Section 2054.517, Texas Government Code.

B. Persons Affected

All individuals accessing The University of Texas at Tyler (the "University") information or information systems, including without limitation, employees, faculty, clinical residents and fellows, postdoctoral scholars, students, patients, visitors, volunteers, contractors, commercial tenants, and vendors, and all University computers or other information resources owned, leased, administered, or otherwise in the custody and control of the University, wherever located.

C. Policy

The University's Information Security Officer (ISO) is responsible for developing and implementing policy and procedures, in conjunction with the University's Office of Legal Affairs, Privacy Officer, and other officials responsible for compliance with privacy laws (including HIPAA and FERPA) and data security laws. Policy and procedures consider business processes such as contracting, acceptance testing, and system deployment.

  1. Before deploying an internet website or mobile application that processes confidential information for the University, the developer of the website or application must submit to the ISO the information required under University policies adopted to protect the privacy of individuals by preserving the confidentiality of information processed by the website or application. At a minimum, the developer must submit information describing:
    1. the architecture of the website or application; 
    2. the authentication mechanism for the website or application; and 
    3. the administrator level access to data included in the website or application. 
  2. Before deploying an internet website or mobile application, the Data Owner must subject the website or application to a vulnerability and penetration test conducted internally or by an independent third party. The cost of the vulnerability and penetration test will be the responsibility of the Data Owner. Review and acceptance of the findings shall comply with UTS 165, Standard 10.8. 
  3. The IS Office will assist the Data Owner in collecting the required information and acquiring the appropriate testing services. The Software Purchase Checklist will not be approved until the required information and testing have been completed.
  4. The University will submit a copy of this policy to the Texas Department of Information Resources for review and recommendations for appropriate changes. 

Violation of UTS 165 or other U. T. System or University Information Security policies, procedures or standards by faculty, staff, and students who have access to University information resources or data for the purpose of providing services to or on behalf of the University will subject those individuals to disciplinary action in accordance with applicable University policies. For contractors and consultants, this may include termination of the work engagement and execution of penalties contained in the work contract. For volunteers, this may include dismissal. Additionally, certain violations may result in civil action or referral for criminal prosecution.

D. Definitions

N/A

E. References

Texas Government Code, Section 2054.517 

UTS 165 

F. Review Responsibilities and Dates

The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.

APPROVED:  09/2021
AMENDED:  05/2023