Introduction
The Application Administration Standard specifies when the role of an application administrator is required and defines the responsibilities and skills of individuals acting as application administrators on behalf of departments who build, procure, or manage applications, as defined below.
Purpose and Applicability
The purpose of the Application Administration Standard is to ensure secure, sustainable, and accessible administration of cloud and server-hosted technology applications throughout Portland State University (PSU). This standard applies to all departments at PSU that build, procure, inherit, or manage applications requiring ongoing maintenance and support.
Applications that require an administrator role include those that may necessitate configuration, user creation or administration, software updates, integrations, or customization. Applications that do not require an administrator include desktop programs for personal use or single-user applications.
For OIT enterprise applications associated with services in the OIT Service Catalog, OIT personnel serve as both the Application Owners and Application Administrators for the purposes of this standard.
Definitions
Term | Definition |
---|---|
Application | Cloud or server-hosted software operated on behalf of PSU or PSU’s partners that fulfills a business, exploratory, or research need for one or more PSU departments. |
Application Owner | The department or organization responsible for building, procuring, or managing an application. |
Application Administrator | An individual tasked with the management and/or maintenance of a cloud or server application. This person is generally the technical point of contact for the end users of the application and/or a vendor. |
Application Lifecycle | All stages of application adoption from procurement and deployment to ongoing access management, system maintenance, and eventual retirement. |
End Users | Individuals who use the application but who are not responsible for administration. End users may have varying levels of access in the application depending on business needs. |
Standards and Procedures
Application Owner Responsibilities
Application owners are responsible for:
- Maintaining an inventory of the applications they administer.
- Hiring or identifying administrator(s) for the full application lifecycle of any applications they build, procure, or manage and likewise determining the level of FTE required to fulfill the application administrator role.
- Ensuring the application administrator and end users of the application adhere to applicable laws and regulations and PSU and OIT Policies, Standards, and Guidelines.
Application Administrator Responsibilities
The following list represents the general responsibilities of an application administrator. Specific responsibilities may differ by application.
- Serve as the primary point of contact.
- Manage and audit application accounts, licensing, permissions structures, and all relevant access controls.
- Provide advice and training to end users.
- Plan, coordinate, test, and communicate changes, upgrades/maintenance schedules, and new services with customers and end users, ensuring business operations will continue correctly in current and future environments.
- Develop test plans to verify logic of new or modified applications.
- Monitor the application, and document and analyze problems.
- Work closely with vendors to tune and troubleshoot problems, engaging OIT when associated enterprise systems are involved.
- Maintain system documentation.
- Maintain current knowledge of relevant technologies and business processes.
- Facilitate and respond to data requests, records requests, data erasure, or legal discovery requests.
- Facilitate and respond to requests from OIT related to the use of and vulnerability remediation of the application.
- Ensure proper logging is in place relative to the system and data criticality. OIT will assist with logging assessment and functionality when requested or when a need arises.
- If the application administrator is also a user of the application, whenever possible, segregate administrative and regular user activities through usage of a separate user account delegated for administrative activities only. For example, an individual would log in using a high account for application administration activities where they are making configuration changes or could otherwise influence the activity of another user, and the same individual would log in using a regular Odin account for operational application usage activities confined to their own identity.
- Ensure applications and their environments are on supported versions that actively receive security patches.
- Ensure that applications used to conduct university business will adhere to the Patching Schedule, which is based on the National Vulnerability Database (NVD) ratings and the Common Vulnerability Scoring System (CVSS).
Vulnerability Management Schedule
Severity Rating | CVSS Base Score | Evaluated Within | Mitigated Within |
---|---|---|---|
Presence in CISA KEV list, or other credible intelligence | Any | 24 hours | ASAP, no more than 7 days |
Critical | 9-10 | 24 hours | ASAP, no more than 7 days |
High | 7-8.9 | 7 days | 14 days |
Medium | 4.0-6.9 | 14 days | 28 days |
Low | 0.1-3.9 | 28 days | 45 days |
Application Administrator Skills
The following qualifications may be useful in selecting an application administrator:
- Meet the minimum qualifications as outlined in the ITC job classification.
- An understanding of the workflow and process requirements of business units related to the application.
- Demonstrated ability to be the subject matter expert in supporting, maintaining, and administering applications.
Related Policies, Procedures, and Information
Point of Contact
Contact the Information Security Team at help-security@pdx.edu for questions about this standard.
Change Log
- 2/17/2025: Initial version
- 3/26/2025: Update link to ITC job classification