Information and Technology

Authority

This policy is approved by the Chief Information Officer.

Summary

Every business computing system at Bowdoin College must have a designated Business System Owner who ensures that the system meets the business needs of the College and is appropriately available, secure and sustainable.  This policy establishes business system ownership and ensures that each system meets its functional requirements, is appropriately documented, is secure and controlled, has been adequately tested, and is maintainable.

Applicability

This policy applies to all computerized systems at Bowdoin College involved with the creation, updating, processing, outputting, distribution, and other uses of business information at Bowdoin College. This policy applies to the Business System Owner of any business computing system at Bowdoin College and to all persons who develop, implement, maintain and use any College business computing systems.

1. Scope

The specifications in this policy are independent of system architecture and delivery platforms (i.e. it make no difference whether an application resides in mainframe, web, client/server, peer-to-peer, or other present or future environments). This policy applies to applications developed at Bowdoin College, acquired from external vendors, built from open-source components, as well as those extended from existing or purchased applications. This policy applies to all business applications that deal with financial, administrative, or other business information that is an integral part of running the business of the College. This policy applies to any application that affects more than one person’s job responsibilities.

2. Definitions

Business Computing System

A Business Computing System is any application that directly or indirectly deals with or supports financial, administrative, or other information that is an integral part of running the business of the College.

Business System Owner

The Business System Owner of a Business Computing System is usually the owner of the primary business functions served by the application, the application’s largest stakeholder. When the business application affects several different functional business areas of the College, the Chief Information Officer will designate the Business System Owner.

System Developer/Integrator

A System or Software Developer is a person who designs and writes software for commercial use. Systems Integrators are individuals or organizations that build systems from a variety of diverse components. With increasing complexity of technology, and organizations’ desire for complete solutions to information problems, requiring hardware, software and networking expertise in a multi-vendor environment, Systems Developers / Integrators are often key in the implementation of administrative systems.

System Administrator

The System Administrator manages the day-to-day operation of the computer system(s) within a department that support the business computing system. These support functions may include any or all of the following functions: database management, software distribution and upgrading, user profile management, version control, backup & recovery, virus protection and performance and capacity planning. The System Administrator typically reports within the Chief Information Officer’s organization

System User

A System User is any individual who interacts with the computer at an application level. Developers, Integrators, Administrators and other technical personnel are not considered users when working in a professional capacity on the computer system.

3. Roles and Responsibilities

General:

• Implementation of the strategic objectives of the application
• The definition of the scope of the administrative system
• Development of a project plan, assignment of responsibilities, and management of the project
• The ongoing care and maintenance of the application

A Business System Owner who does not use the services of the Chief Information Officer’s organization for design, development, or maintenance of a business computing system must assume both Business System Owner and System Developer / Integrator responsibilities.

Development Phase:

Working with the System Developer / Integrator:

• Define the functions, procedures and audit requirements of the business computing system
• Ensure that the appropriate hardware and software environment is selected for development and operation of the system
• Ensure the design meets the system requirements
• Ensure adequate controls, audit trails, security, backup, recovery and restart procedures are included in the design
• Ensure an adequate test plan is prepared and monitor the testing and review of the system during development
  • Define and ensure compliance with system acceptance criteria
  • Formally accept the system as complete and ready for production
• Ensure the design and development of the system meets all appropriate business standards
• Ensure the design and development of the system meets the applicable Information Security Policies
• Define and ensure compliance with the system installation procedures
• Define and monitor procedures for modifying the system
• Authorize all program changes
• Define and manage data sharing procedures to ensure the integrity of interfacing systems
• Provide for the completeness and accuracy of all required user and system documentation for the system
• Ensure the implementation of an adequate campus readiness plan, which includes system roll-out plans, adequate user communications, the quality of user training and the related training documents and preparedness of help desk support

Production Phase:

• Ensure the availability, reliability and security of the application
• Develop the system’s upgrade and enhancements plans to integrate the functionality mandated by business requirements and vendor upgrades into the production application
• Ensure adequate backup and recovery procedures are implemented, and existence of a tested business continuity plan
• Manage, control and review application security
• Maintain and review data security, reliability and integrity
• Designate a System Administrator responsible for day-to-day decisions regarding the operation of the system
• Ensure the availability and quality of user training and related materials, reliability and the preparedness of help desk and other technical support processes and personnel

• Develop and / or integrate the application to the satisfaction of the Business System Owner, translating the system requirements into design requirements
• Create a design that provides for functionality and ease of use, or select a product that meets Business System Owner requirements
• Design, code, install, test and deploy the application in compliance with all appropriate standards
• Implement the most effective methods of satisfying the control and audit requirements established by the Business System Owner, or resulting from design decisions
• Implement the most appropriate methods of meeting the system security standards, following applicable IT Security Policies

• Create and maintain a stable operating platform that supports the application and any related databases and system integrations
• Create a secure operating environment that promotes efficient use, including appropriate procedures to protect and recover data and a secure physical environment
• Protect against, monitor for, and detect unauthorized access to the system or data files and report to the appropriate security officer

System administrators of distributed computing systems, remote network servers, or small stand alone systems may perform the roles, and have the responsibilities of, Business System Owner, Developer, User and System Administrators in succession, and on an ongoing basis.

• Use the application in the manner and for the business purpose it was designed
• Comply with all control requirements specified by the Business System Owner
• Comply with security requirements