Standard: Application Service Provider Security Requirements



Similar documents
The Importance of Organizing Your SJSU Information Assets

Standard: Network Security

Standard: Retention

Standard: Web Application Development

Standard: Data Center Security

Standard: Vulnerability Management and Assessment

Standard: Information Security Awareness Training

Standard: and Campus Communication

Standard: Event Monitoring

Standard: Information Security Incident Management

Standard: Patching and Malicious Code Management

INFORMATION SECURITY California Maritime Academy

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Newcastle University Information Security Procedures Version 3

Supervisory Policy Manual

An Introduction to HIPAA and how it relates to docstar

Specific observations and recommendations that were discussed with campus management are presented in detail below.

IT - General Controls Questionnaire

INFORMATION SECURITY Humboldt State University

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

Supplier Security Assessment Questionnaire

MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing

Draft Information Technology Policy

A Vendor s Journey to SaaS & the Cloud

Lots of clouds: a stormy weather for information privacy?

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Third Party Risk Management 12 April 2012

HIPAA Privacy Overview

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

OIG Security Audit: What You Need To Know

Wellesley College Written Information Security Program

Critical Issues in Software Licensing. William A. Tanenbaum Chair, Technology, Intellectual Property & Outsourcing Group

Refresher on cloud computing

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

New Relic EU Data Protection Whitepaper

HIPAA Security Alert

Cloudy Privacy Computing

PAYMENT CARD PROCESSING

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Ethical Considerations for Lawyers Using the Cloud

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

ISO 27002:2013 Version Change Summary

Contracting with a Cloud Service Provider DATA PROTECTION WORKSHOP NJERI OLWENY, MICROSOFT

Hosted Testing and Grading

Internet Banking Internal Control Questionnaire

This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the

System Acquisition Security Risk Survey for Service Providers

Information Security Plan effective March 1, 2010

Service Children s Education

PRIVACY POLICY The type of web browser and operating system you have used:

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release)

Cloud security with Sage Construction Anywhere

Securing Personal Information: A Self-Assessment Tool for Organizations

OIG Security Audits of EHR Incentive Program Participants

PCI DSS COMPLIANCE DATA

WHY CLOUD COMPUTING MAKES SENSE FOR NONPROFITS

HIPAA Security COMPLIANCE Checklist For Employers

Data Protection Act Guidance on the use of cloud computing

HIPAA: In Plain English

Standard: Airwave

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Estate Agents Authority

CCBE GUIDELINES ON THE USE OF CLOUD COMPUTING SERVICES BY LAWYERS

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Validating Cloud. June 2012 Merry Danley

Isaac Willett April 5, 2011

IT OUTSOURCING SECURITY

FINAL May Guideline on Security Systems for Safeguarding Customer Information

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

THE BLUENOSE SECURITY FRAMEWORK

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

Cloud Computing: Legal Risks and Best Practices

Information Technology Internal Audit Report #

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ Ã

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

POSTAL REGULATORY COMMISSION

White Paper on Financial Institution Vendor Management

Intel Enhanced Data Security Assessment Form

HIPAA Compliance and the Protection of Patient Health Information

ISO Controls and Objectives

ADDENDUM #1 REQUEST FOR PROPOSALS

Network Security: Policies and Guidelines for Effective Network Management

SJSU Electronic Data Disposition Standard

Electronic Payment Schemes Guidelines

8.1.6 POLICY ON KEYS AND OTHER BUILDING ACCESS DEVICES. Policy Statement COLLEGE OF CHARLESTON POLICY ON

HIPAA Risk Assessments for Physician Practices

UF IT Risk Assessment Standard

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

ELECTRONIC INFORMATION SECURITY A.R.

Office 365 Data Processing Agreement with Model Clauses

Transcription:

Standard: Application Service Provider Security Requirements Page 1

Executive Summary SJSU has the option to select and contract with approved 3 rd parties, application service providers, services and software vendors. SJSU must take appropriate measures to ensure that these arrangements do not place its data at risk or weaken its information security to unauthorized disclosure. Application Service Provider Security Requirements standard defines the security requirements for application service providers for all SJSU computer and communication system information, with the goal of safeguarding the confidentiality, integrity, and availability of information stored, processed, and transmitted by SJSU. Page 2

Information Security Standards Application Service Provider Security Requirements Standard # IS-ASPSR Effective Date 11/10/2015 Email security@sjsu.edu Version 2.0 Contact Mike Cook Phone 408-924-1705 Revision History Date Action 5/31/2014 Draft sent to Mike 7/11/2014 QA Review 12/1/2014 Reviewed. Content suggestions. Added comments. Hien Huynh 3/2/2015 Reviewed. Constraints surround foreign entities removed. Mike Cook 11/10/2015 Incorporated changes from campus constituents Distributed to Campus. Page 3

Table of Contents Executive Summary... 2 Introduction and Purpose... 5 Scope... 5 Standard... 5 3 rd Party Risk Assessment & Audit Requirements... 5 Cloud Security Questionnaire... 5 Risk Assessment Requirement... 5 Service delivery... 5 Independent Control Reports... 5 Application Service Provider Software Escrow... 5 Third Party Software Developers Access to Source Code... 5 Alternate Processing Provider... 6 Accessibility to Outsourced Information... 6 Access Control Decisions... 6 Outsourcing Contract Approvals... 6 Outsourced Security Must Be At Least As Robust As In-House Security... 6 Remote Alarms Indicate Equipment Area Is Being Accessed... 6 Privacy Audit on Third-Party Systems Storing Sensitive Information... 6 Managing changes to third party services... 6 Outsourcing Firm Notice of Business and Technical Changes... 6 Service Provider Contingency Plans... 6 Outsourced Production Systems Back-Out Plans... 7 Page 4

Introduction and Purpose This standard defines the security requirements for application service providers for all San Jose State University (SJSU) computer and communication system information, with the goal of safeguarding the confidentiality, integrity, and availability of information stored, processed, and transmitted by SJSU. Scope This standard applies to all SJSU State, Self-Fund, and Auxiliary ( campus ) computer systems and facilities, with a target audience of SJSU Information Technology employees and partners. Standard 3 rd Party Risk Assessment & Audit Requirements Cloud Security Questionnaire All 3 rd parties hosting level 1 sensitive information must complete the SJSU cloud security questionnaire. The Information Security Office will issue the cloud security questionnaire. Risk Assessment Requirement Information Owners that host sensitive level 1 information on 3 rd party service providers will be responsible for undergoing an annual risk assessment, including an inventory of all applications and servers. Assignments will be made by the Information Security Office. Service delivery It should be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party. To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed with the third party. Independent Control Reports All agreements with information systems outsourcing organizations must stipulate that SJSU will annually receive a report expressing an independent opinion about the adequacy of the controls in use at the outsourcing organization. Application Service Provider Software Escrow Every application service provider handling SJSU production information must license the software to SJSU, periodically deposit the most recent version of the source code in an approved software escrow facility, and provide current detailed operational and procedural documentation. Third Party Software Developers Access to Source Code Third party programmers must not be granted unregulated access to SJSU source repositories. Only the modules needed for a specific programming task may be revealed to these programmers. These programmers must additionally never be given privileges to directly update SJSU production source or object code without authorization and without completion of a background check either by SJSU or by their employer (Consulting Firms). Page 5

Alternate Processing Provider In every case where critical SJSU production information systems processing is handled by an outsourcing organization, an alternate provider must be ready to immediately take-over these activities if the outsourcing organization is no longer be able or willing to deliver on its promises. Accessibility to Outsourced Information In every case where SJSU uses an outsourcing organization to process or otherwise manage its production information, the contract with the outsourcing organization must clearly stipulate either for the daily delivery to SJSU of a complete and computer-readable copy of its information, or that SJSU has the right to immediately obtain a computer-readable copy of its information at any time and without limitation. Access Control Decisions Decisions about who will be granted access to both SJSU information and SJSU information systems must be made by SJSU management and never by outsourcing organization personnel. Outsourcing Contract Approvals All information-systems-related outsourcing contracts must be reviewed and approved by the Information Security Office who is responsible for ensuring that these contracts sufficiently define information security responsibilities, how to respond to a variety of potential security problems and the right to terminate the contract for cause if it can be shown that the outsourcing organization does not abide by the informationsecurity-related contractual terms. Departments are responsible for obtain signed Confidentiality Agreements for third parties who are granted access to University data. Outsourced Security Must Be At Least As Robust As In-House Security The information security mechanisms to be used on a proposed outsourced system must be at least as strong and robust as those now found on the in-house systems used to perform these same production activities. Remote Alarms Indicate Equipment Area Is Being Accessed When outsourcing firms, such as Internet hosting firms and application service provider firms, are being employed, and where SJSU has its own equipment situated on the outsourcing firm's premises, a remote alarm system must be used. Such an alarm system must immediately report to SJSU staff when the door to a locked equipment area has been opened. Privacy Audit on Third-Party Systems Storing Sensitive Information SJSU reserves the right to perform a privacy audit on any third-party production system that stores sensitive information on customers or employees. Managing changes to third party services Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks. Outsourcing Firm Notice of Business and Technical Changes Arrangements with information systems outsourcing firms must be structured such that Information Technology Department and Information Security Office management both receive notices of all material changes in the outsourcing firm business and technical environment. Such notices must be received well in advance of such changes actually taking effect. Service Provider Contingency Plans All contracts with web site hosting organizations, application service providers, managed systems security providers, and other information systems outsourcing organizations must include both a documented backup plan and a periodic third-party testing schedule. Page 6

Outsourced Production Systems Back-Out Plans An effective and regularly-tested back-out plan, that permits SJSU to revert to internal processing and has been approved by the Information Security Office, must be prepared and tested before any production information system processing may be transferred to an outsourcing organization. Page 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information