Software Application Security

Information Security Checklist

1. Introduction

  • 1.1 Complete this checklist for all new or substantially modified Software Applications that store or access Medium, High or Very High Risk Information, prior to storing or accessing UBC Electronic Information.
  • 1.2 This checklist has been issued by the Chief Information Officer to supplement the Development and Modification of Software Applications standard. Questions about this guideline may be referred to information.security@ubc.ca.

2. Security Requirements Checklist

  • 2.1 A data-flow map must be constructed to clearly identify UBC Electronic Information at rest and in transit.
  • 2.2 Where possible, applications must authenticate Users through central authentication systems such as UBC’s Enterprise Active Directory (EAD) or CWL. If authentication will not be done through CWL or EAD then user account passwords must not be stored in clear text (see the User Account Management standard for more information).
  • 2.3 University IT Support Staff must implement access controls to Servers as follows:
    • 2.3.1 Users must be given the minimum access privileges required to perform their job function following the Principle of Least Privilege, and procedures must be enforced to authorize, add, remove, and modify user access, in accordance with the Securing User Accounts standard;
    • 2.3.2 Passphrases must be required for all accounts and must meet the requirements of the Passphrase and Password Protection standard; and
    • 2.3.3 Wherever possible, access to Servers should be logged in accordance with the Logging and Monitoring of UBC Systems standard.
  • 2.4 Applications resident on UBC Systems that are Client-facing must be set up in compliance with the Security Architecture and Firewalls standard.
  • 2.5 To avoid data loss and ensure the availability and integrity of UBC Electronic Information stored on UBC Systems, the Administrative Head of Unit must ensure that this information is backed up regularly (typically daily or weekly) in accordance with the Backup guideline. These backups must be stored in a secure location with appropriate user access and any required Encryption controls, as described in the Encryption Requirements standard.
  • 2.6 If the application will be outsourced and make use of Service Providers then the Administrative Head of Unit must ensure that the application will be compliant with the Outsourcing and Service Provider Management standard prior to going into production.
  • 2.7 The application must be hardened and pass vulnerability assessments as described in the Vulnerability Management standard.

Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems

Development and Modification of Software Applications standard

Checklist Last Revised: 2026-02

Page last updated on February 27, 2026
