
Software Development Life Cycle Policy for Cardholder Data Environment (SE-POL-007)

Administrative (Non-Clinical) Policy
This administrative policy applies to the operations and staff of the University of Wisconsin Hospitals
and Clinics Authority (UWHCA) as integrated effective July 1, 2015, including the legacy operations and
staff of University of Wisconsin Hospital and Clinics (UWHC) and University of Wisconsin Medical
Foundation (UWMF).


Policy Title: UW Health Software Development Life Cycle Policy for Cardholder Data Environment
Policy Number: SE-POL-007
Effective Date: December 20, 2017
Chapter: Security
Version: Original

I. PURPOSE
The purpose of this document is to establish a consistent set of security procedures and practices
for software development life cycle (SDLC) management within UW Health's cardholder data
environment.

II. SCOPE
This policy applies to software development and configuration activities within UW Health's
cardholder data environment regardless of the development methodology (Agile, Waterfall,
etc.) used.

III. POLICY
A. Security considerations should be noted and addressed throughout the software
development life cycle.

B. The UW Health “Change Review and Management Policy” or a substantially similar process
must be followed as part of the SDLC process.

C. All developers will complete an annual SDLC security training based on current OWASP Top
10 application security risks.

D. All public facing Web applications must undergo vulnerability testing using an industry
standard scanning tool.

E. All high and critical vulnerabilities (Qualys score of 4 or 5) must be remediated prior to going to
production.

F. Each team will establish documented procedures that meet the requirements of this
policy. These procedures must include the following at a minimum:

i. Develop applications based on OWASP secure coding guidelines.
ii. Conduct peer code reviews.
iii. Perform applicable testing such as unit, integration, functional and user
acceptance testing.

iv. Documentation must be kept and updated.
v. Development/Test environments will be separate from production
environments.

IV. RELATED POLICIES
Change Review and Management Policy

V. COORDINATION
UW Health IS CTO
Author: UW Health IS Director – Systems Security
Reviewers: UW Health IS Directors, UWHC Internal Auditor
Approval committee(s): UW Health IS Directors

SIGNED BY

Paul VanAmerongen
UW Health Chief Administrative Information Security Officer

Revision Detail:

Effective Date: 12/20/2017
Next Review: 12/20/2020
Summary of Changes: Original release.
Change Authors: Elaine Gerke