Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Technology and Platform Security
IN PLAIN LANGUAGE
Web applications built or deployed by the University — from course tools to research platforms to administrative systems — are a common target for attackers. This standard sets the minimum security requirements for how those applications are designed, built, deployed, and maintained. Enterprise applications must meet the full set of requirements, while research and student-developed applications are held to standards proportionate to their risk and data exposure. Confidential or high-risk data is prohibited in web applications unless explicitly approved. Developers and application owners share responsibility for ensuring that applications are built securely and tested regularly, and that vulnerabilities are addressed promptly.
1. Purpose
The purpose of this Standard is to establish minimum security requirements for the design, development, deployment, operation, and maintenance of web applications used to support University of Montana academic, research, and administrative activities. Effective web application security reduces the risk of unauthorized access, data compromise, service disruption, and reputational harm.
This Standard implements web application security requirements under the University's Information Security Program and aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.
2. Scope
This Standard applies to:
- Web applications hosted on University-owned or University-managed infrastructure
- Web applications hosted in approved cloud environments
- Vendor-hosted web applications used for University business
- Web applications developed or deployed by faculty, staff, students, or third parties on behalf of the University
This Standard applies regardless of funding source, development model, or hosting location when a web application stores, processes, or transmits University Data or integrates with University systems.
3. Web Application Categories
For purposes of this Standard, web applications are categorized as follows:
3.1 Enterprise Web Applications
Enterprise Web Applications are applications that:
- Support core institutional functions (e.g., teaching, learning, administration, finance, HR)
- Are centrally hosted or centrally supported
- Integrate with enterprise identity systems or authoritative data sources
- Are intended for broad or ongoing use by the University community
Enterprise Web Applications are subject to the full set of requirements defined in this Standard.
3.2 Research Web Applications
Research Web Applications are applications that:
- Support research, instructional experimentation, or grant-funded activities
- Are typically limited in scope, audience, or lifespan
- May be developed or operated by faculty, staff, students, or research collaborators
Research Web Applications remain in scope but may apply requirements proportionate to risk, data classification, and exposure.
3.3 Student-Developed Applications
Student-Developed Applications include web applications created as part of coursework, capstone projects, or experiential learning.
- Student-developed applications are assumed to be untrusted and potentially insecure by default
- These applications must not process Confidential (High Risk) Data
- Additional isolation, segmentation, or hosting restrictions may be required
4. Roles and Responsibilities
4.1 Chief Information Security Officer (CISO)
The CISO is responsible for:
- Establishing and maintaining this Standard
- Approving exceptions to web application security requirements
- Escalating material web application risks to executive leadership
4.2 Application Owners
Application Owners are responsible for:
- Overall risk ownership for web applications under their authority
- Ensuring compliance with this Standard
- Approving access, functionality, and data use
4.3 Developers and Administrators
Developers and Administrators are responsible for:
- Implementing secure design and development practices
- Maintaining secure configurations and dependencies
- Addressing identified vulnerabilities in coordination with Information Security Operations
5. Web Application Security Principles
Web applications must be designed and operated according to the following principles:
Secure by design — Security is considered throughout the application lifecycle.
Least privilege — Access is restricted to the minimum necessary.
Defense in depth — Multiple layers of controls are used.
Fail securely — Applications handle errors without exposing sensitive information.
6. Application Lifecycle Requirements
6.1 Design and Development
- Applications must follow secure development practices
- Input validation and output encoding must be implemented
- Secrets and credentials must not be hard-coded
- Use of third-party libraries must be managed and reviewed
6.2 Authentication and Authorization
- Enterprise Web Applications must integrate with University-approved identity systems where supported
- Role-based access controls must be implemented
- Privileged access must require multi-factor authentication
6.3 Data Handling
- Data use must comply with data classification requirements
- Confidential (High Risk) Data is prohibited in web applications unless explicitly approved
- Research and student-developed applications must not process Confidential (High Risk) Data
6.4 Deployment and Hosting
- Applications must be hosted in approved environments
- Network segmentation and isolation must be used based on risk
- Student-developed and research applications may require additional isolation controls
7. Security Testing and Vulnerability Management
- Web applications must undergo security testing commensurate with risk and data sensitivity
- Identified vulnerabilities must be addressed through remediation or approved risk acceptance
- Vulnerability management must align with the University Vulnerability Management Standard
Use of industry-recognized guidance such as the OWASP Top 10 is encouraged.
8. Logging and Monitoring
- Web applications must generate logs sufficient to support security monitoring and incident investigation
- Logs must be protected from unauthorized access or modification
- Logging requirements must align with University logging standards
9. Incident Response
- Security incidents involving web applications must be reported promptly
- Applications must support investigation, containment, and recovery activities
10. Enforcement and Risk Response
When web application security requirements are not met and no approved exception exists:
- Additional controls or restrictions may be applied
- Application access or functionality may be limited
- Hosting environments may be isolated as necessary to manage risk
11. Exceptions
Exceptions to this Standard must:
- Be documented with risk justification
- Identify compensating controls where applicable
- Be approved by the CISO or designee
- Be reviewed periodically
12. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or institutional needs.
13. References
- UM Information Security Policy
- UM Cloud Computing Security Standard
- UM Network Security Standard
- UM Vulnerability Management Standard
- UM Endpoint Management & Configuration Standard
- NIST Cybersecurity Framework (CSF) 2.0
- OWASP Top 10