Standard Operating Procedure (SOP): Information Security Standard Requirements for Software as a Service




Metropolitan Washington Airports Authority
1 Aviation Circle
Washington, DC 20001-6000
July 17, 2015

Metropolitan Washington Airports Authority
Office of Technology
Standard Operating Procedure: Information Security Standard Requirements for Software as a Service

Title: Information Security Standard Requirements for Software as a Service
ID Number: SEC-DOC-SS001.01
Effective Date: TBD
End-of-Life Date: TBD

Related Documents: Office of Technology Standards Policy; Office of Technology Standards Attachment A; Technology Purchase Exception Policy

TABLE OF CONTENTS
1.0 Introduction ... 3
1.1 Point(s) of Contact ... 3
1.2 Purpose ... 3
1.3 Objectives ... 3
1.4 Scope ... 3
1.5 Areas Impacted ... 3
2.0 Standards ... 3
2.1 Infrastructure ... 4
2.2 Physical Security ... 4
2.3 Administrative Security ... 4
2.4 Logical Security ... 5
2.5 Other ... 5
3.0 Exceptions ... 5
4.0 Non-Compliance ... 5
5.0 Document Control ... 5
6.0 Supporting Documentation ... 5

1.0 Introduction

1.1 Point(s) of Contact
Goutam Kundu, Chief Information Officer, (703) 417-8762.
Kevin James, Director Information Security, (703) 417-8363.
Alourdes Bornelus, MA600 Technical Writer, (703) 417-3937.
Technology Service Desk, (703) 417-TECH (8324).

1.2 Purpose
The Airports Authority relies on Software as a Service (SaaS) solutions for much of its information technology processing. These Information Security Standard Requirements ensure the continuous and secure delivery of Airports Authority web-based applications.

1.3 Objectives
- Set minimum Infrastructure Security Requirements for all SaaS Solution Providers.
- Set minimum Physical Security Requirements for all SaaS Solution Providers.
- Set minimum Administrative Security Requirements for all SaaS Solution Providers.
- Set minimum Logical Security Requirements for all SaaS Solution Providers.
- Set other minimum SaaS Security Requirements as required by the Airports Authority.

1.4 Scope
The scope of this Information Security Standard covers all Airports Authority employee/contractor users and computers running on the Airports Authority networks. This document serves as the standard for the Airports Authority, its projects, and its vendors.

1.5 Areas Impacted
Units within MA-600 and its vendors shall apply these prescribed standards to manage all SaaS data, application, and system development, testing, and implementation, where possible. All exceptions to this Information Security Standard must be approved in writing by the Airports Authority Chief Information Officer.

2.0 Standards
The Office of Technology has established these Information Security Standard Requirements for all SaaS applications that operate for the Airports Authority.

The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issues Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, under which Service Organization Control (SOC) certification is issued. SaaS Solution Providers who can provide proof of current SSAE 16 (SOC2) certification may substitute that certification for the Infrastructure, Physical, Administrative, and Logical controls required by this standard. SSAE 16 (SOC2) certification means that a SaaS Solution Provider meets or exceeds the Airports Authority Information Security Standard Requirements.

2.1 Infrastructure
All SaaS Solution Providers must maintain a technology infrastructure using layered security measures that include, but are not limited to, the following:
- Maintain firewalls.
- Implement an intrusion prevention system (IPS) and an intrusion detection system (IDS).
- Log all security events and alerts.
- Implement industry standard security configuration for servers (i.e. DISA STIGs).

2.2 Physical Security
All SaaS Solution Providers must adhere to the following Airports Authority Physical Security requirements:
- Guarantee controlled physical access to all data centers.
- Maintain working security cameras inside all data centers.
- Lock all server racks.

2.3 Administrative Security
All SaaS Solution Providers must adhere to the following Airports Authority Administrative Security requirements:
- Conduct security awareness training for all staff.
- Develop a comprehensive Information Security policy and distribute it to all staff.
- Develop, test, and implement incident response procedures.
- Develop, test, and implement a disaster recovery plan.
- Develop and implement change/configuration management processes.
- Ensure that all SaaS data is backed up or replicated off-site.

2.4 Logical Security
All SaaS Solution Providers must adhere to the following Airports Authority Logical Security requirements:
- Provide role-based access controls.
- Log all application/database change events.
- Provide two-factor authentication for remote access/remote desktop protocol (RDP) access by the Solution Provider's administrative staff.

2.5 Other
All Airports Authority SaaS applications shall support single sign-on (SSO) via SAML 2.0, WS-Federation, or a similar industry standard authentication mechanism, so that all Airports Authority users may access the SaaS solution using their MWAA IDs and passwords.

3.0 Exceptions
Exceptions to this standards document must be approved by the Airports Authority Chief Information Officer.

4.0 Non-Compliance
Violations of this standards document shall be treated like other evidence of wrongdoing at the Airports Authority. Poor performance or misconduct shall be adjudicated according to established Airports Authority procedures and the Office of Technology Policy Library.

5.0 Document Control
The most recent version of this document available in the Official Document Library shall be the only official controlled copy. Any duplication of this document shall be considered an uncontrolled version.

6.0 Supporting Documentation
All supporting documentation and related/required frameworks associated with this procedure document are listed on the MA-600 (Office of Technology) Livelink homepage.