
Purchase and Development of Information Systems

Purpose

The purpose of this policy is to ensure the information security integration throughout the lifecycle of purchasing and developing information systems at UTAS-Sur. 

Scope of the Policy

This policy applies to all members of UTAS-Sur, whether on a temporary or permanent basis, as well as any third parties working with or contracted by the university. It covers all environments in which the university's information systems are operated.

Executive Responsibility

Information Systems and Educational Technologies Center.

Policy Custodian

Assistant Vice Chancellor for UTAS – Sur.

Enforcement

Any violation of this policy by any member or third party (suppliers, contractors, business partners, etc.) will be subject to disciplinary and legal action in accordance with the laws of the Sultanate of Oman, including regulations related to cybersecurity, the university's policies, labor laws, and electronic transactions.

Policies and Controls

 Information Security Requirements based on Information Security Risk Planning: 

  • The university should develop and maintain a comprehensive document for managing the system development lifecycle for all system development and maintenance processes. The system development lifecycle document should include, at a minimum, the following: 

– Project initiation (planning) 

– Requirements definition (analysis) 

– System design 

– System development 

– Testing 

– Implementation and support 

  • The information security requirements for the university’s information systems must be clearly identified as part of the planning and requirements analysis phase in the system development/purchase lifecycle. 
  • The security requirements must be justified, approved, and documented as part of the comprehensive feasibility study for each information system. 
  • The university must plan information security requirements based on the risk level of each information system. 
  • Information Systems and Educational Technologies Center must identify the information security requirements for the university’s information systems. 


 Security in the Development/Implementation of Information Systems: 

  • The Information Technology Department must ensure the proper application of the specified information security requirements during the development/purchase lifecycle of the information system. 
  • The university’s information systems are subject to security evaluation/testing during the implementation phase. Security evaluation/testing is conducted according to the risk classification of the information system, the specified security standards for the system in question, and the best practices applied by the university in this regard. 


 Baseline Configurations: 

  • The university must develop, document, and maintain up-to-date baseline configurations for new information systems. 
  • The university must update the baseline configurations of information systems as an integral part of the system installation process. 
  • Default usernames and passwords for all information systems should be changed when setting up purchased systems, before they go into production. 
  • Security testing data and results should be monitored and protected from unauthorized access. 


 System Documentation Security: 

  • Access to system design and development process documentation must be restricted to authorized personnel who require it to perform their official duties. 


 Security Considerations When Making Changes to Information Systems: 

  • The Information Technology Department must identify and address the information security implications of any fundamental changes to the university’s systems before implementation. 


 Additional Security Considerations When Purchasing Systems Developed in Foreign Countries: 

  • Before acquiring/purchasing any information system, the university must ensure compliance with the laws, regulations, and procedures related to this matter, as well as adherence to the government procurement procedures followed in the Sultanate regarding the acquisition, purchase, development, or manufacturing of information systems from foreign countries. 
  • The university may not acquire/purchase any information system developed/manufactured in a non-friendly country in accordance with the government policies and procedures of the Sultanate. 
  • The development/implementation of sensitive and high-risk information systems by a third party requires the following: 

– Subjecting the information system to rigorous security testing (including source code review where applicable) before acceptance. 

– Ensuring that the third party's design/implementation personnel involved in the system hold security clearances to work on government projects in the Sultanate. 

Effective Date of the Policy

This policy shall take effect from the approval date.