I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. Information and the activities that depend on information are among our most valuable university assets and must be safeguarded against software security vulnerabilities. This Standard ensures that applications developed or administered by FSU reflect secure coding practices that reduce the likelihood of unauthorized disclosure or theft of sensitive institutional information and ensure the ongoing availability of critical university resources.
Insecure software coding and web application design can leave data and IT systems vulnerable to exploitation. This Standard’s primary purpose is to reduce:
- the number of vulnerabilities in released software
- the potential impact of the exploitation of undetected or unaddressed vulnerabilities
- the root causes of vulnerabilities to prevent recurrences
- the likelihood that malicious code will be inserted into software or successfully executed against a running application
- the impact of malicious code or vulnerabilities already present in deployed software, mobile or web applications
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Service Level Agreement (SLA) - A service contract that represents a commitment between a service provider and one or more customers and addresses specific aspects of the service, such as responsibilities, details on the type of service, expected performance level (e.g., reliability, acceptable quality, and response times), and requirements for reporting, resolution, and termination.
Software Development Life Cycle (SDLC) - A formal or informal methodology for designing, creating, and maintaining software (including code built into hardware).
Full IT Glossary
III. Standard
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
Function | Category | Desired Outcome (Subcategory) |
Identify (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy | ID.AM-2: Software platforms and applications within the organization are inventoried |
Protect (PR) | Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information | PR.DS-7: The development and testing environment(s) are separate from the production environment |
Protect (PR) | Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets | PR.IP-2: A System Development Life Cycle to manage systems is implemented |
Protect (PR) | Information Protection Processes and Procedures (PR.IP) | PR.IP-3: Configuration change control processes are in place |
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
Application Custodian
The Dean, Director, Department Head or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting and use of university data resources, based on the 4-OP-H-25.01 Data Security Standard.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
For more information, see IT Roles and Responsibilities.
Application Requirements
Education, research, clinical, administration and other core services often require providing access to university applications and data across multiple systems. This Standard identifies application security requirements for enterprise applications and applications based on the classification of the data being processed, stored, and transmitted as defined by the 4-OP-H-25.01 Data Security Standard.
Application Custodians are responsible for ensuring security and privacy safeguards for:
- Applications, data, workstations, and devices with access to High Risk and Moderate Risk data and applications.
- Security of account credentials issued that provide access or APIs to enterprise applications or systems.
- Security of data, applications and APIs that access or accept transferred High Risk or Moderate Risk data as a result of enterprise integration requests.
Application Custodians may delegate functions to authorized users, but accountability remains with the Custodian.
Software and application developers and administrators must ensure that secure coding practices are incorporated into each phase of the software development life cycle and extend to connected systems, such as database servers used to store application data. They must adopt a risk-based approach to determine which practices are relevant, appropriate, and effective to mitigate the threats to their software development and that meet the use cases applicable to system requirements. For more information on secure software development, see Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (nist.gov). Developers and administrators are responsible for reviewing the code and implementing appropriate application security controls for systems under their management and supervision. An automated code review tool such as Semgrep can be used for this purpose.
This Standard applies to FSU staff as well as third-party vendors contracted by FSU to perform application services.
Requirements for application security and secure coding include:
- Application Development:
  - Application security must be fully integrated throughout the Software Development Lifecycle (SDLC), as defined by formalized software implementation guidelines. Guideline requirements include periodic security training for developers, formal attestation of compliance by developers, periodic review of guidelines for compliance with regulatory requirements, default baseline configuration for applicable applications, monitoring of formal Service Level Agreements (SLAs) for third parties, and a process to incorporate best practices and lessons learned into the SDLC guidelines.
  - Application Custodians and Data Custodians are responsible for defining security-related business requirements (e.g., identification of protected data, specifications of groups or users who will be authorized access, etc.). Based on these requirements, the application development team will implement appropriate controls to minimize risk to the IT infrastructure and other university resources.
  - Applications that house or interface with High Risk or Moderate Risk data must have processes for tracking access and modification of the data.
  - Detailed application security documentation (for example, screen and data mapping) shall be maintained and be available to ISPO upon request.
  - Secure coding principles must be incorporated into the security architecture and development lifecycle. This includes defining detailed security requirements early in the software development life cycle and then evaluating for compliance with those requirements.
  - Applications must be reviewed before and regularly after implementation to ensure security controls are appropriate.
  - SDLC guidelines shall include a process that ensures appropriate consultation or involvement from ISPO for vulnerability scans, code reviews, and penetration tests before systems are deployed.
  - Development and test infrastructures shall be physically or logically separated from the production infrastructure.
  - Databases and files containing critical, High Risk or Moderate Risk information shall be placed in an internal network zone segregated from the Internet-facing network segments.
  - Technology managers shall restrict and tightly control the use of utility programs that may be capable of overriding system and application security controls.
- Software/Application Patching:
  - FSU’s network, systems, and data must be protected from damage or loss due to threats such as worms, viruses, data loss, or other types of external or internal attacks. This requires the timely and consistent application of vendor-supplied security patches, mitigation of reported vulnerabilities, and other practices in accordance with the 4-OP-H-25.09 IT Vulnerability Management Standard.
- Use of Production Data for Development or Testing:
  - Production data must be protected.
  - Development and test environments may not use production data classified as High Risk or Moderate Risk without written approval from the Data and Application Custodians. Controls must be in place to ensure protection, restricted access and auditing of the data. Production data must be removed when testing is complete.
- Use of Acceptance, Staging, or Quality Assurance Environments:
  - Pre-production environments may be used to facilitate application testing prior to the production deployment of software and related systems, which may require use of production data. Therefore, these environments must be maintained using production-level infrastructure services and must have the same information security controls and operational management standards as the corresponding production environment. The benefit of such environments should be weighed against the cost and risk associated with running the functional equivalent of a secondary production environment.
Web Application Standards
Software and web applications that fall under this Standard are required to meet OWASP Secure Coding Requirements or their equivalent. Examples include:
Ref # | Secure Coding Practices | Information Classification: High Risk | Information Classification: Moderate Risk | Information Classification: Low Risk |
1 | Validate input and allow only those types of input that are known to be correct to protect against cross-site scripting and injection flaws and similar vulnerabilities | Required | Required | Required |
2 | Execute proper error handling so that errors do not provide detailed system information, deny service, impair security mechanisms, or crash the application | Required | Required | Required |
3 | Authenticate end users through FSU-approved enterprise authentication systems, for example Single Sign-On (CAS) | Required | Required | Recommended |
4 | Require 2-Factor Authentication (2FA) for end user access to the application. DUO is approved for this requirement. Use of any other MFA technology requires an approved exception via the 4-OP-H-25.20 Request for Exception to IT Security Policy. | Required | Required | Recommended |
5 | Comply with 4-OP-H-25.17 IT Enterprise Application Integration Standard | Required | Required | Recommended |
6 | Adhere to principle of least privilege for all application and system access; wherever feasible, provide access based on role, affiliation, or membership, rather than by individual as defined by the 4-OP-H-25.07 IT Access, Authorization and Authentication Standard | Required | Required | Recommended |
7 | Review access given to individuals and those given access based on roles, affiliations, or memberships on an annual basis | Required | Required | Recommended |
8 | Encrypt network traffic based upon the 4-OP-H-25.14 Encryption Standard and fulfill any specific regulatory mandates | Required | Required | Required |
9 | Implement application logging and ensure compliance with the 4-OP-H-25.10 IT Log Collection, Analysis and Retention Standard | Required | Required | Required |
10 | Conduct code-level security reviews with professionally trained peers for all new or significantly changed applications and any software dependencies | Required | Required | Required |
11 | Use quality assurance techniques, such as static code analysis and application scanning, to identify and eliminate vulnerabilities. Conduct web application vulnerability scanning prior to go-live, when major changes or revisions are implemented, and on an annual basis | Required | Required | Recommended |
12 | Establish a schedule to identify and remove obsolete or no longer supported or needed software or applications. Identified software and applications must be decommissioned | Required | Required | Required |
13 | Implement and maintain a formal production migration and change management process for production applications, including signoff validating successful completion of the Secure Coding Practices identified in this Standard | Required | Required | Recommended |
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.