Standard Operating Procedure (SOP): Information Security Standard Requirements for Software as a Service

Transcription

1 Page 1 of 5 Standard Operating Procedure (SOP): Information Security Standard Requirements for Software as a Service Metropolitan Washington Airports Authority 1 Aviation Circle Washington, DC July 17, 2015

2 Page 2 of 5 Metropolitan Washington Airports Authority Office of Technology Standard Operating Procedure Information Security Standard Requirements for Software as a Service Title ID Number Effective Date End-of-Life Date SEC-DOC-SS TBD TBD Related Documents: Office of Technology Standards Policy Office of Technology Standards Attachment A Technology Purchase Exception Policy TABLE OF CONTENTS 1.0 Introduction Point(s) of Contact Purpose Objectives Scope Areas Impacted Standards Infrastructure Physical Security Administrative Security Logical Security Other Exceptions Non-Compliance Document Control Supporting Documentation... 5

3 1.0 Introduction 1.1 Point(s) of Contact Goutam Kundu, Chief Information Officer, (703) Kevin James, Director Information Security, (703) Alourdes Bornelus, MA600 Technical Writer, (703) Technology Service Desk, (703) 417-TECH (8324). Document: SEC DOC SS Page 3 of Purpose The Airports Authority relies on Software as a Service (SaaS) solutions for much of its information technology processing. These Information Security Standard Requirements ensure the continuous and secure delivery of Airports Authority webbased applications. 1.3 Objectives Set minimum Infrastructure Security Requirements for all SaaS Solution Providers. Set minimum Physical Security Requirements for all SaaS Solution Providers. Set minimum Administrative Security Requirements for all SaaS Solution Providers. Set minimum Logical Security Requirements for all SaaS Solution Providers. Set other minimum SaaS Security Requirements as required by the Airports Authority. 1.4 Scope The scope of this Information Security Standard covers all of Airports Authority employee/contractor users and computers running on the Airports Authority networks. This document will serve as the standard to the Airports Authority, its projects, and its vendors. 1.5 Areas Impacted Units within MA-600 and its vendors shall apply these prescribed standards to manage all SaaS data, application, and system development, testing, and implementation, where possible. All exceptions to this Information Security Standard must be approved in writing by the Airports Authority Chief Information Officer. 2.0 Standards The Office of Technology has established these Information Security Standard Requirements for all SaaS applications that operate for the Airports Authority.

4 Page 4 of 5 The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issues a Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (SOC) certification. SaaS Solution Providers who can provide proof of current SSAE 16 (SOC2) certification may substitute the Infrastructure, Physical, Administrative, and Logistical controls required by this standard. SSAE 16 (SOC2) certification means that a SaaS Solution Provider meets or exceeds the Airports Authority Information Security Standard Requirements. 2.1 Infrastructure All SaaS Solution Providers must maintain a technology Infrastructure using layered security measures that include, but are not limited to, the following: Maintain firewalls. Implement an intrusion prevention system (IPS) and an intrusion detection system (IDS). Log all security events and alerts. Implement industry standard security configuration for servers (i.e. DISA Stigs). 2.2 Physical Security All SaaS Solution Providers must adhere to the following Airports Authority Physical Security requirements: Guarantee controlled physical access to all data centers. Maintain working security cameras inside all data centers. Lock all server racks. 2.3 Administrative Security All SaaS Solution Providers must adhere to the following Airports Authority Administrative Security requirements: Conduct security awareness training for all staff. Develop a comprehensive Information Security policy and distribute to all staff. Develop, test, and implement incident response procedures. Develop, test, and implement a disaster recovery plan. Develop and implement change/configuration management processes. Ensure that all SaaS data is backed-up or replicated off-site.

5 Page 5 of Logical Security All SaaS Solution Providers must adhere to the following Airports Authority Logical Security requirements: Provide role-based access controls. Log all application/database change events. Provide two-factor authentication for remote access/remote desktop protocol (RDP) access by the Solution Provider s administrative staff. 2.5 Other All Airports Authority SaaS applications shall support single sign on (SSO) via the use of SAML 2.0, WS-federation, or similar industry standard authentication so that all Airports Authority users may access the SaaS solution using their MWAA IDs and passwords. 3.0 Exceptions Exceptions to this standards document must be approved by the Airports Authority Chief Information Officer. 4.0 Non-Compliance Violations of this standards document shall be treated like other evidence of wrongdoing at the Airports Authority. Poor performance or misconduct shall be adjudicated according to established Airports Authority procedures and the Office of Technology Policy Library. 5.0 Document Control The most recent version of this document available in the Official Document Library shall be the only official controlled copy. Any duplication of this document shall be considered an uncontrolled version. 6.0 Supporting Documentation All supporting documentation and related/required frameworks associated with this procedure document are listed on the MA-600 (Office of Technology) Livelink homepage.