IT Requirements for Student-Led Application Development Projects

Purpose

This webpage establishes the conditions under which the OIT will partner with departments to enable student-led application development projects conducted in partnership with faculty or staff sponsors. The intent of this practice is to enable experiential learning and innovation while ensuring that applications hosted or supported by the University meet institutional standards for security, accessibility, compliance, branding, and operational sustainability.

Scope

This guideline applies to any software application, service, or system that:

  • Is developed primarily by students, and
  • Is intended for use beyond a single course assignment or semester, or
  • Is hosted on University-managed infrastructure, including Microsoft Azure, or
  • Processes, stores, or transmits University data.

Sponsorship and Approval Requirements

Every student-led development project must have an identified faculty or staff sponsor who is accountable for the project’s academic or business purpose. This faculty or staff member is responsible for billing, maintenance, support, and upkeep of the application throughout the entire application lifecycle. An approved DocuSign Student Project Facilitation form, signed by the relevant Dean or Vice President, is required prior to OIT engagement. This approval confirms alignment with departmental goals, acceptance of long-term institutional ownership expectations, and acknowledgement of ongoing operational costs. Student-developed projects without an approved sponsor and sign-off will not be hosted, supported, or connected to production University systems.

Development

Student-run projects must be developed in a portable container environment within their Student Azure subscription. Once the project has reached a production-ready state and has been subject to OIT examination, verification, and approval, the project can be migrated to an OIT production environment.

Hosting and Platform Standards

The preferred hosting environment for student-led projects is University-managed Microsoft Azure. Non-Azure hosting requires explicit approval by OIT and must demonstrate equivalent security, compliance, and operational controls.

Ownership, Maintenance, and Financial Responsibility

Once approved for production hosting, the sponsoring department, via the designated faculty or staff member, assumes ownership of the production application environment, including maintenance, patching, monitoring, and lifecycle management. A written plan for this ongoing maintenance is required prior to project approval.

Costs

All cloud hosting, licensing, and operational costs must be funded by the sponsoring department. Departmental charge-back agreements and mechanisms will be established as the project scope is defined.

For Azure hosting, charges are dependent on usage. Microsoft’s pricing calculator will provide estimated costs: Pricing Calculator | Microsoft Azure. The faculty sponsor and their respective department will be responsible for coordinating their budget allotment and tracking the billing cost for this service.

Timeline & Validation

OIT requires 4 weeks of notice to configure an environment for a dedicated application and verify the application meets OIT requirements prior to migrating the application from development to production. OIT will subject the application to security and accessibility checks. If the application fails either of those checks, the developer will be given feedback and provided an opportunity to address any issues. The application will need to be resubmitted for evaluation. If the application fails security or accessibility checks an additional time, it will be rejected without further eligibility for review.

Security Incidents

Applications are treated as institutional systems. The sponsoring department is responsible for incident response and breach handling with assistance from OIT Security. All projects are subject to code review and/or penetration testing as determined by OIT Security. Applications storing, processing, or transmitting sensitive information may require an external penetration test paid for by the sponsoring department. Applications must meet institutional security standards including authentication, logging, least privilege, vulnerability management, and change management.

Accessibility Requirements

All applications must meet University of Alabama digital accessibility standards, aligned with WCAG requirements. Accessibility must be validated prior to production deployment.

Branding and User Experience Requirements

Applications intended for campus or public use must comply with University branding and visual identity requirements. Web-facing projects should be housed on the subdomain of the sponsoring college or division. Departmental IT will need to approve the request prior to OIT creating a URL on the college or department site. Exceptions for use of the main ua.edu domain require prior approval from both OIT and from Strategic Communications.

Starting the Process

Work with your student development team contact to estimate costs and secure funding approval and funding information, then submit the Student Project Facilitation form, via DocuSign. The form must be signed by the project initiator, the Dean/VP, and the advisor for the student development team. Once the form is complete, work with the student development team to create the application. Once the application is developed and ready for evaluation prior to moving to production, submit a ticket to the IT Service Desk (itservicedesk@ua.edu) and include the completed DocuSign form as an attachment.