As we continue to develop and deploy custom-built applications that serve our university community, it is crucial that we prioritize the security of our information assets, particularly those applications that handle personally identifiable information (PII). To ensure the highest level of security, please take note of the following IT Security Policy:
- Application security must be factored into every custom-built application project plan
HoDs planning to invest in a custom-built application, whether leveraging in-house resources or outsourcing development to an external service provider, should reach out to the IT security team (via email at it.security@polyu.edu.hk) before commencing application design and build tasks.
Based on the risk profile of the custom application to be developed, the IT security team will share relevant security requirements with the project team or provide standard security requirements to be included in the outsourced development tender document.
- Application security standards
1. Principle of Least Privilege:
- Ensure that all in-house or outsourced custom-built applications are designed and configured to grant the minimum level of access necessary for users to perform their roles. Role-based and data type-based access controls are mandatory.
- The system owner of the custom-built application must regularly review and update the access permissions granted to users to reflect changes in roles or responsibilities.
2. Role-Based and Data Type-Based Access Control:
- Implement role-based access control (RBAC) to restrict system access to authorized users based on their roles within the PolyU community or as external users of public-facing applications.
- Use data type-based access control to ensure that sensitive information, such as personally identifiable information (PII), is only accessible to those who require it for legitimate purposes.
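The two controls above (role-based and data type-based) are easiest to reason about when they are combined in a single deny-by-default check, with the user's current roles compared against an authoritative role list during the periodic review. The following is an added illustration, not code from PolyU ITS or the standards it publishes; the role names, data classifications and the rule that a data subject may read their own PII record are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


class DataType(Enum):
    """Data classification attached to every record (constructed three-tier scheme)."""
    PUBLIC = "public"
    INTERNAL = "internal"
    PII = "pii"


@dataclass(frozen=True)
class Permission:
    action: str          # "read" or "write"
    data_type: DataType  # the classification the action is allowed on


# Hypothetical role model for a student-records application.
# Each role carries only the permissions its duties need (least privilege);
# anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "public_user": frozenset({Permission("read", DataType.PUBLIC)}),
    "student": frozenset({Permission("read", DataType.PUBLIC)}),
    "staff": frozenset({
        Permission("read", DataType.PUBLIC),
        Permission("read", DataType.INTERNAL),
    }),
    "registrar": frozenset({
        Permission("read", DataType.PUBLIC),
        Permission("read", DataType.INTERNAL),
        Permission("read", DataType.PII),
        Permission("write", DataType.PII),
    }),
}


@dataclass(frozen=True)
class User:
    username: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: DataType
    subject: Optional[str] = None  # username the PII belongs to, if any


def is_authorized(user: User, action: str, record: Record) -> bool:
    """Deny-by-default check combining role-based and data type-based control."""
    # Constructed legitimate-purpose rule: a data subject may read their own PII.
    if (record.data_type is DataType.PII and action == "read"
            and record.subject is not None and record.subject == user.username):
        return True
    needed = Permission(action, record.data_type)
    # Roles unknown to the policy contribute no permissions at all.
    return any(needed in ROLE_PERMISSIONS.get(role, frozenset()) for role in user.roles)


def stale_role_grants(users: Iterable[User],
                      authoritative_roles: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Periodic review helper: (username, role) pairs the application still grants
    but which no longer appear in the authoritative (e.g. HR) role list."""
    findings: List[Tuple[str, str]] = []
    for user in users:
        current = authoritative_roles.get(user.username, set())
        for role in sorted(user.roles - current):
            findings.append((user.username, role))
    return findings


if __name__ == "__main__":
    # Constructed sample users and records.
    alice = User("alice", frozenset({"student"}))
    bob = User("bob", frozenset({"staff", "registrar"}))
    own_pii = Record("rec-1", DataType.PII, subject="alice")
    other_pii = Record("rec-2", DataType.PII, subject="dave")
    print("alice reads own PII:", is_authorized(alice, "read", own_pii))
    print("alice reads other's PII:", is_authorized(alice, "read", other_pii))
    print("bob writes PII:", is_authorized(bob, "write", other_pii))
    # Review: HR says bob is only staff, so the registrar grant is stale.
    print("stale grants:", stale_role_grants([alice, bob], {"alice": {"student"}, "bob": {"staff"}}))
```

The check never consults a global "admin" switch: an unrecognised role simply grants nothing, and every grant is tied to a data classification, so adding a new sensitive record type without touching the role table leaves it inaccessible until someone deliberately grants access.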
All in-house developers or outsourced developers of custom-built applications must follow the web application security standards published on the ITS website under “Useful Information”.
- Pre-go-live security tests and remediation of identified vulnerabilities
1. Pre-Go Live Security Tests:
- Conduct thorough security testing before any custom-built application is released to the Internet for public access. This includes:
  - Static Code Analysis: Analyze the source code for vulnerabilities without executing the program. This helps identify potential security flaws early in the development process.
  - System Security Scan: Identify vulnerabilities in system software, network-connected devices and configurations to facilitate the provision of known security patches and security hardening.
  - Web Security Scan: Enable web application owners to identify and address vulnerabilities that could compromise the web application, enhancing defense against web-based attacks.
  - Penetration Testing: Simulate cyber-attacks to identify and address security weaknesses in the application.
2. Remediation of Vulnerabilities:
- Address any identified vulnerabilities promptly and effectively before the application goes live. This is essential to protect our systems and data from potential threats.
The system owner for in-house or outsourced custom-built applications must follow the Guide to release applications to public access and complete all relevant security tests before being granted permission to release the application to public access.
By adhering to these security practices, we can significantly enhance the security of our applications and protect the sensitive information entrusted to us.
The cooperation and commitment of the system sponsor and owner of custom-built applications to these security measures are vital for maintaining the integrity and reputation of our university.
If you need further information or assistance, please contact the IT HelpCentre (Tel: 2766 5900, WhatsApp / WeChat: 6577 9669) or reach out to us via the IT Online ServiceDesk.