University Policy 3J.04 is entitled System Requirements Analysis and Specification and exists to ensure information security and compliance are considered for all new technology solutions purchased and implemented. Retrofitting a process or system to meet university-adopted information security policies is an expensive endeavor. When information security is considered early in the development cycle of a technology system or process, ESU’s information assets will be secured from the outset and any controls can be funded or managed accordingly. Security specifications will be identified at the requirements phase of all technology projects, then justified, agreed upon, and documented as part of the overall business case for the project. In addition, a risk analysis will be performed annually to verify whether security controls are still necessary or need to be improved.
When considering the purchase of a technology solution, contact Cheryl O’Dell at extension 5969, or via email at email@example.com. Information Security staff will do a security assessment to make sure the solution being proposed can meet university information security policies, procedures, and standards.