Guideline for Security of Applications

I. Purpose

The purpose of this guideline is to establish baseline security controls for University applications.

II. Scope

The scope of this guideline includes all applications running on a University system. Each department and college is expected to implement the security controls listed in this document.

III. Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. Guidelines

For this guideline, an application is defined as software that provides a service and is running on a University system. Application owners should identify the risk level of the application and apply the appropriate security controls outlined below. Application owners should also maintain a documented inventory of their applications and include the owner contact information, list of administrative users, application risk level, and a data flow diagram. Privileged accounts within the application should be audited at least annually and documentation of the audit should be maintained.

A. Low Risk Applications

A Low Risk application is defined by all of the following characteristics:

1. is not public facing
2. does not store or process Level 3 data
3. would not affect business operations if compromised or down for a significant period of time.

The following security controls should be applied.

Patching

Based on the National Vulnerability Database (NVD) ratings, apply critical severity security patches within 30 days of publishing and all other security patches within 90 days. Ensure use of a University-supported operating system version. See this FAQ for detailed Information.

Vulnerability Management

Utilize University-supported tools for authenticated vulnerability scans to identify and remediate vulnerabilities. See this FAQ for detailed information regarding the University’s vulnerability management tools.

User Access Management

Follow the University Standard and Guideline for User Access Management.

Secure Application Development

Include security as a design requirement. Multi-tier application design and code review are recommended. Web applications should utilize strong ciphers and best practice level of encryption and the recommended cipher set.

Firewall

Permit only the minimum necessary services through the network firewall. Web applications are required to utilize TLS encryption.

B. Moderate Risk Applications

A Moderate Risk application is defined by all of the following characteristics:

1. is not public facing
2. does not store or process Level 3 data
3. would moderately affect business operations if compromised or down for a significant period of time.

In addition to the controls applicable to low risk applications, the following security controls should also be applied to these applications.

Centralized Authentication Services

Per the Standard for Security Requirements of Information Systems, information systems that store or process level 2 or level 3 University data must utilize multi-factor authentication via the University’s centrally managed authentication services. See this FAQ for detailed information. In cases where this isn’t feasible, use of the third-party’s multi-factor authentication is allowed. Exceptions to this standard must be approved by OneIT. For information systems that store or process level 1 or level 0 University data, multi-factor authentication should be utilized, if available.

Centralized Logging

Forward logs to the University-supported Security, Incident and Event Management (SIEM) solution. See this FAQ for detailed information regarding the University’s SIEM tool.

Backups

The schedule for backups of application data should be aligned with the area’s Business Continuity Plan; at a minimum, application data should be backed up weekly and stored on a separate system. Encrypt backup data in transit and at rest.

Encryption

Enable NIST SP 800-175B approved encryption for data at rest and in transit.

C. High Risk Applications

A High Risk application is defined by any of the following characteristics:

1. is public facing
2. stores or processes Level 3 data
3. would critically affect business operations if compromised or down for a significant period of time.

In addition to the controls applicable to low and moderate risk applications, the following security controls should also be applied to these applications.

Data Center

On campus systems hosting publicly accessible applications must be located in OneIT’s primary Data Center.

Application Security Assessment

Contact the OneIT Service Desk to request an application security assessment prior to deployment and implement recommendations. Annually, request a security assessment review of the application.

Regulated Data Security Controls

Implement HIPAA, PCI-DSS, FERPA, etc. controls as applicable. Consult with OneIT prior to deployment.

D. Cloud Services

Applications hosted by cloud services may require additional specialized security controls to ensure appropriate protection levels and access to enterprise services in the cloud environment. Consult with OneIT prior to deployment.

V. Exceptions

Requests for exceptions to this guideline may be submitted to the Office of OneIT. See this FAQ for more information regarding the exception process.

Related Resources

• University Policy 311 Information Security
• Standard for Operations Security
• Standard for Security Requirements of Information Systems
• Standard for User Access Management
• Guideline for User Access Management
• Guideline for Privileged Account Management
• ISO/IEC 27002

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 2/10/20
Updated 9/28/22