NAU Web Application Security Policy

Revision Date: 2013-07-30

Revision Number: 1.0

1.0 Revision History

Document No: NAU - 720
Effective Date: 06/30/2013
Revision Date: 06/30/2013
Revision No: 1.0
Producer: Information Technology Services, Lanita Collette, University Information Security Officer

2.0 Purpose

  • 2.1  Define appropriate security measures for the design and deployment of Northern Arizona University, hereinafter referred to as University, web applications. 
  • 2.2  All web applications implemented after the effective date of this policy are expected to comply with the provisions of this policy and associated guidelines. Existing web applications must be brought into compliance as soon as practical. 

3.0 Definitions

3.1 Web application: For the purposes of this policy a web application is a web accessible program that performs a function or set of related functions. Static web pages are not covered under this policy.

4.0 Applicability

4.1 This policy applies to all web applications developed by University staff, faculty, consultants, or vendors for University business or academic purposes, whether the applications are developed in-house, purchased from a vendor, or provided as a hosted service.

5.0 Policy

  • 5.1  Web applications must meet University security design guidelines. These guidelines are based on industry standards, e.g., those recommended by The Open Web Application Security Project (OWASP), the National Institute of Standards and Technology (NIST), or other current industry best-practice guidelines. The guidelines will be maintained and periodically updated for currency and relevance by the Information Security team.
  • 5.2  Adherence to the established guidelines will be assessed by periodic (at least once annually) scanning of the University web application inventory by the Information Security Team. 

6.0 Roles & Responsibilities

  • 6.1  University Information Security Officer: The University Information Security Officer will recommend web application policy and guidelines to the Information Security Committee. 
  • 6.2  Information Security Committee: The Committee will review the web application security policy and guidelines and approve any changes or additions. 
  • 6.3  Web Application Developers: Any University staff or faculty member, consultant, or vendor who develops web applications for business or academic use of University students, faculty, or staff is considered a web application developer for the purposes of this policy, and must follow the policy and guidelines.

7.0 Compliance

Persons subject to this policy are also subject to the provisions of applicable University Personnel Policies, the student employment handbook, Arizona Board of Regents policies and conditions of service documents, including provisions for discipline for violation of this policy, as well as applicable sanctions under the law. University affiliates are subject to loss of access to University resources for violation of the policy, as well as applicable sanctions under the law.

8.0 References

  • The Open Web Application Security Project (OWASP)
  • NIST Special Publication 800-95
  • Arizona Board of Regents: ABOR Policy Manual, Chapter 9 – Information Technology, 9-202 University Responsibilities