Application Implementation Policy

1.0 Overview
This policy is used to assess the security impact of new applications. When new applications are developed to provide new functionality to customers or internal groups, the impact of the new functionality must be assessed in order to keep the network stable. Starting with a data assessment process will help this process flow smoothly.

2.0 Purpose
This policy is designed to protect the organizational resources on the network by defining requirements for new applications in the organization. This policy requires a security assessment, including an assessment of data security levels, the media the data will travel over, a risk evaluation, and a determination of system requirements that will mitigate the most serious of the additional security risks.

3.0 Process
Customers shall work together with application developers and computer security experts to assess data requirements for any new applications. Customers shall specify their requirements for the applications, and application developers will work with the customer to identify and categorize data according to the Application Development Security Assessment Process.

Once the data and application requirements are established, computer security personnel can then evaluate risk and determine methods, processes, equipment, and procedures to mitigate known risks. The computer security personnel, customers, and application developers will work together to provide required and reasonable access capability to systems and data both during development and final project implementation while providing the best computer security possible for a reasonable cost. Under no circumstances should the overall security of the network be seriously compromised for the benefit of any project.

The data assessment, risk evaluation, and system requirements should be done early in the project life cycle since without this information, the overall cost of the project cannot be accurately assessed.

The security assessment shall be conducted according to the Security Assessment Questionnaire, and data shall be evaluated according to the Data Assessment Process document.