MSSTAN 1504: Supplier Security Requirements and Expectations (SSRE) Web Applications For Externally Facing (Public) Data




Supplier Security Requirements & Expectations for Web Applications: Externally Facing Data
Modified Date: August 2013
Copyright 2013, Inc., All Rights Reserved.
Global Security Services, August 2013

This Document is Uncontrolled when Printed. Users must comply with Acceptable Use Policy.

Contents

1 Supplier Instructions
2 Data Classification Definitions
2.1 Security Measures
3 Security Management
3.1 Security Policy
3.2 Legal and Regulatory Requirements
4 Operational Security
4.1 Supplier Management of Systems
4.2 Security Processes
4.3 Separation of Duties
4.4 Training and Awareness
4.5 Incident Reporting
5 Physical Security
5.1 Access Control
5.2 Telecommunications Security
6 System Security
6.1 Logging of Security Events
6.2 System Access Control
6.2.1 Password and Password Reset Processes
7 Server Security
7.1 Intrusion Detection
7.2 Virtualized System
7.3 Cloud Services and Systems
8 Network & Client Security
8.1 Remote Access
8.2 Client Security
9 Firewall Setup
10 Data Security
10.1 Data Classification and Handling
10.2 Privacy Management
10.3 Data Protection Security
10.3.1 Data on Portable Systems and Devices
10.4 Data Backup, Retention and Disposal
11 General Requirements
11.1 Application Development
11.2 Security of System Files
11.3 Application Availability
11.4 Vulnerability Management
11.4.1 Input Moderation of User Generated Content (UGC)
11.4.2 Removal of Search Engine Archival Flag
12 Extranet Requirements
13 Business Continuity and Disaster Recovery
14 Terms and Definitions

1 Supplier Instructions

The Supplier Security Requirements and Expectations (SSRE) for Externally Facing (Public) data document is a definition of s minimum security standards for data protection of information classified as Externally Facing or Public. To achieve security compliance, Suppliers and their subcontractors are wholly responsible for implementing all of the security controls defined herein to protect the data they manage, host or process for any function or activity implemented on behalf of.

The SSRE is a minimum set of security requirements for all externally developed and/or hosted solutions provided to. The SSRE document is not intended to be an all-inclusive list of security requirements. Each solution may generate unique or specific requirements that must be addressed with the appropriate security controls and defined in the Statement of Work.

This SSRE should be reviewed by the Supplier's Chief Information Officer (CIO) or Security Officer responsible for contracted services. It is the responsibility of the primary Supplier to review the SSRE document with its subsidiaries and subcontractors responsible for service delivery to or on behalf of and ensure subcontractors' compliance herewith. The Supplier is responsible for conformance to the security requirements of the SSRE when performed by itself, its subsidiaries or its subcontractors that provide services to.

This version of the SSRE covers data classified up to External Facing (Public). The business owner is responsible for classifying the data of their web application and communicating it to the Supplier. At a minimum, Suppliers must be capable of implementing security controls required to protect data classified as External Facing (Public). Higher data classification requires compliance with the SSRE Standard specific to that data classification.

The Supplier shall review all security controls cited in this document. The Supplier may request clarification. The Supplier shall notify the appropriate business owner of full compliance in writing, authorized by a company official. Existing Suppliers that complied with a previous version of the SSRE must review and adhere to the instructions in this document, as it may include important updates and changes from previous versions.

If a Supplier, their subsidiaries, or sub-contractors are not fully compliant with all minimum security requirements, the Supplier shall provide in writing the extent of non-compliance and a committed plan of action detailing when the requirements will be fully met. s Global Security team shall evaluate a Supplier's security capability. If approved, the Supplier plans will be documented in the contract. During a contract review, a Supplier's performance against the SSRE security requirements, the completion of non-compliant security controls and the Supplier's track record for prompt remediation of vulnerabilities will be evaluated.

Suppliers with industry standard accreditation should submit a copy. Examples include: ISO 17799, ISO 27001, BS 7799, PCI DSS 1.x or a SAS 70 Type 2 audit performed by an independent auditor in the last year. Suppliers are expected to provide annual updates of the accreditation for the term of the contract.

Supplier shall agree to fully comply with the Code of Conduct and Electronic Industries Code of Conduct as set forth at http://www.mcafee.com/us/partners/supplierethics.aspx.

Additionally, while performing services in owned or operated facilities, Supplier shall agree to abide by all Corporate Policy and all Security Policy, including, but not limited to, safety, health and hazardous material management rules, and rules prohibiting misconduct on premises including, but not limited to, use of physical aggression against persons or property, harassment, and theft. Supplier will perform only those Services identified on the Statement of Work Addendum and will work only in areas designated for such Services. Supplier shall take all reasonable precautions to ensure safe working procedures and conditions for performance on premises and shall keep s site neat and free from debris.

2 Data Classification Definitions

2.1 Security Measures

The business owner is responsible for identifying the data classification for the solution implemented. For solutions identified as Public, the Supplier must comply with the security requirements for External Facing (Public). All exceptions must be approved in advance and submitted by the Supplier to the appropriate business owner.

1. External Facing (Public): available without approval or authentication.

Security requirements marked as REQUIRED for External Facing (Public) apply to data classified as External Facing (Public). The Supplier and any of their subsidiaries / sub-contractors responsible for contracted services will implement these security requirements as a minimum.

3 Security Management

3.1 Security Policy

1. The Supplier must have a security policy in place, which is subject to confirmation by under an NDA.

3.2 Legal and Regulatory Requirements

1. Supplier must ensure their subsidiaries and sub-contractors are compliant with all regulatory and local governing laws for the services under contract to. Examples include, but are not limited to, Privacy and CAN-SPAM compliance. customers are responsible for compliance with any laws and regulatory requirements applicable to their use of the system.

4 Operational Security

4.1 Supplier Management of Systems

1. Supplier has a specific resource assigned that is accountable for security management.
2. All systems have malware management, which includes up-to-date signature files running on all production systems.
3. If administration of any systems or applications is performed outside the Supplier's secured intranet, it must be done through a secure channel (VPN or SSL).

4.2 Security Processes

1. A security incident management process that includes escalations to management, the customer contact and service suspension notices (refer to section 4.5 Incident Reporting for incidents involving ).
2. Account management processes are in place to support requests, setup, issuing and closing of user and administrator accounts.
3. Supplier and their hosting provider must have a process to monitor published system vulnerabilities, and to remediate them within the manufacturer's guidelines for the threat level.
4. Supplier and hosting provider must have a process and resources assigned to remediate system vulnerabilities identified by the vulnerability management scan within the response time specified in section 11.4 Vulnerability Management.
5. Suppliers that use subcontracted services are required to have the SSRE reviewed by all subcontractors. Any security measures that are non-conforming by any subsidiary or subcontractor are the responsibility of the Supplier.

4.3 Separation of Duties

1. Supplier must have a separation of duties process to prevent one individual from controlling all key aspects of a critical transaction or business process.

4.4 Training and Awareness

1. Supplier personnel must be trained in Supplier security policies and be required to know changes or updates to these policies.
2. Security training, including new threats and vulnerabilities, is required for all developers and system administration staff.
3. All development staff should be trained on secure coding principles and best practices. Training materials are updated on an ongoing basis to include new threats and vulnerabilities.

4.5 Incident Reporting

1. Any security event involving or impacting and/or a website must be reported to. Notification must be within 48 hours from detection if data, the brand, logo or trademarks are involved or compromised. (Also refer to section 6.1 Logging of Security Events regarding cooperative security investigations and the preservation of system logs.)

5 Physical Security

5.1 Access Control

1. Every entrance into the Supplier's data center requires access control (e.g. security guard, badge reader, electronic lock, monitored CCTV). Logs should be recorded and maintained for 90 days.
2. Physical access should be restricted to those with a business need, and employee access is restricted to the minimum necessary to perform the job. Access lists should be reviewed and scrubbed at least once per quarter.
3. Supplier facility should have 24x7 intrusion detection.
4. All controlled area emergency exit doors should sound an alarm when opened. All doors should have automatic closing devices.
5. Any employee with access to system data must have their accounts disabled immediately upon termination.

5.2 Telecommunications Security

1. All telecommunications equipment must be located in a secure room with managed access control.
2. All equipment must have the installation or default passwords removed.

6 System Security

6.1 Logging of Security Events

1. Any security event where a website had unauthorized access or was compromised must be reported to. See section 4.5 Incident Reporting.
2. All systems and applications must be designed to log, monitor and report all security events. Logs must be tamper proof and/or off-system, write-only log files.
3. In the event of an incident, audit trails must be available to assist investigations. may request to cooperatively work with the Supplier on security forensics for some incidents.

6.2 System Access Control

1. System Administrators should have a separate admin account for performing administration tasks.

2. Only authorized users are permitted to gain access, via secure authentication processes. Access controls must limit access based on business need, following the principle of least privilege and ensuring individual accountability.
3. System account sharing is prohibited.

6.2.1 Password and Password Reset Processes

1. For External Facing (Public) data which is access controlled (e.g. Webinar applications), passwords must be at least eight characters long and be composed of letters and numbers.
2. Access controlled applications that only contain External Facing (Public) data, such as Webinars or virtual tradeshows, may exceed the user lockout threshold of 5 consecutive failed login attempts. (Suppliers of these applications must document this security exception as a Supplier response to the SSRE.)

7 Server Security

1. All production servers must be located in a secure, access controlled location.
2. All systems must be hardened prior to production use, including patching of known vulnerabilities. Disable all generic, guest, maintenance and default accounts.
3. Patching of security vulnerabilities to the operating system and software must meet or exceed the service level interval defined by the vendor for the threat level of the vulnerability.
4. Test accounts and user accounts are removed/revoked when no longer required.
5. Development and test systems are isolated from the production environment and network.
6. Disable all non-required ports and/or services on server operating systems and firewalls.
7. Consoles with keyboards have password protected screen savers that log off unattended sessions.

7.1 Intrusion Detection

1. All Intrusion Detection Systems in place should be configured to provide data on demand, to identify sources of a potential attack/intrusion at the network perimeter.
2. Systems should have the ability to detect a potential hostile attack. Examples include, but are not limited to: Network Intrusion Detection or Host Intrusion Detection/Prevention.

7.2 Virtualized System

1. Virtualized systems may contain data classified as External Facing (Public).

7.3 Cloud Services and Systems

1. Cloud based systems may contain External Facing (Public) data.

8 Network & Client Security

8.1 Remote Access

1. There should be no dial-in modems on the network without secondary authentication. (Dial back is not authentication.)
2. Outbound modems (such as for paging) must have inbound calls disabled.

8.2 Client Security

1. Patching of security vulnerabilities to the operating system and software must meet or exceed the service level interval defined by the vendor for the threat level of the vulnerability.

2. Clients must have malware protection with automatic signature updates.

9 Firewall Setup

1. Network segments connected to the Internet must be protected by a firewall configured to secure all devices behind it.
2. All system security and event logs are reviewed regularly for anomalies, and are available to in the event of an incident.
3. Unused ports and protocols must be disabled.
4. Firewalls must be configured to prevent address spoofing.
5. Only TCP ports should be used for web applications.
6. Supplier firewalls must be configured to allow scanning of Web applications. scanning source IP addresses will be provided to Suppliers.

10 Data Security

10.1 Data Classification and Handling

1. Appropriate security measures must be in place to address data handling, access requirements, data storage and communications (in transit).

10.2 Privacy Management

1. Not applicable for Public data.

10.3 Data Protection Security (REQUIRED for External Facing (Public))

1. Not applicable for Public data.

10.3.1 Data on Portable Systems and Devices

1. Not applicable for Public data.

10.4 Data Backup, Retention and Disposal

1. Web sites and applications must be backed up in accordance with the Business Continuity and Disaster Recovery requirements specified in section 13 Business Continuity and Disaster Recovery.
2. Supplier should maintain system and application backups that support a total system restore for a 30 day period as a minimum. Backups must be kept on media separate from the system.

11 General Requirements

11.1 Application Development

General Best Practices:

1. The application and associated databases must validate all input.
2. Implement safeguards against attacks (e.g. sniffing, password cracking, defacing, backdoor exploits).
3. Protect the data by using least privilege and a defense-in-depth layered strategy to compartmentalize the data.
4. Handle errors and faults by always failing securely, without providing non-essential information during error handling.
5. Log data to support general troubleshooting, audit trail investigative requirements, and regulatory requirements, with support for centralized monitoring where appropriate.
6. Built-in security controls: built-in access controls, security auditing features, fail-over features, etc.
7. Prevent buffer overflows.
8. Avoid arithmetic errors.
9. Implement an error handling scheme. Error messages should not provide information that could be used to gain unauthorized access.
10. Test data used during development must be non-production simulated data.
11. Implement protocols (TCP/IP, HTTP, etc.) without deviation from standards.

Security Reviews:

12. Web application vulnerability assessments must be performed during the application development and deployment lifecycle. (Refer to section 11.4 Vulnerability Management.)

11.2 Security of System Files

1. Access to source code must be limited and controlled.
2. During and after development, all applications must ensure the security of system files, plus access to source code and test data.
3. All back door maintenance hooks must be removed from the application before production use.

11.3 Application Availability

1. All applications should be designed to minimize the risk from denial of service attacks.

11.4 Vulnerability Management

1. requires daily vulnerability scans performed on all internet facing web sites where has branded content and is the primary site owner or is part of the URL. uses the Secure vulnerability scanning solution. Vulnerabilities will be reported to the Supplier for remediation. The Supplier can request information for: vulnerability reports, demonstration of the vulnerabilities (when available) and remediation support. does not charge the Supplier for the Secure scanning service.
2. requires daily access to the reports.
3. Upon identification of security vulnerabilities in a production application, the Supplier must remediate within the following timelines:
   a. Urgent or Critical, threat rating [5] or [4]: must be remediated in 1 to 5 calendar days.
   b. High, threat rating [3]: must be remediated within 10 calendar days.
   c. Medium, threat rating [2]: must be remediated within 30 calendar days.
4. If the security vulnerabilities identified by the vulnerability scanning process have not been addressed within the above timelines, may shut down the web site until the vulnerabilities are remediated. Returning the site to production status requires the site to pass a scan for compliance. (See item 5.)
5. considers a web site compliant when security standards are met. Security will notify Suppliers of each of the security standards not met.

11.4.1 Input Moderation of User Generated Content (UGC)

1. All sites that allow input or display of user generated content (file uploads, rich media or text input), and content that is rebroadcast to mailing lists of other users, must be moderated. Moderation of rich media must be by personnel or contracted service agents who are trained for the task. Moderation of text can be via automated tools. Automated moderation tools should include the word "porn" in the search.
2. All site users inputting UGC are required to be registered and authenticated by a password. Anonymous posting of UGC is not allowed without full moderation. This includes site registration by use of an e-mail address without confirmation, since there is no validation of the user.
3. All UGC must be logged to the user and time stamped.
4. All sites accepting UGC must contain links to:
   a. s Terms of Use
   b. s Terms of Service, with proactive acceptance of terms (this occurs during user registration)
   c. s Digital Millennium Copyright Act (DMCA) Notice and Procedure
5. Under certain circumstances community monitoring may take the place of moderation. This must be reviewed and approved by s Global Security Services team as an exception to these requirements. If this exception is approved, the following minimum controls will be required:
   a. Only text comments (no anonymous blogging, rich media, or embedded links allowed).
   b. Must have automated validation to block inappropriate, bot created or malicious text from being posted.
   c. Web forms must have input validation to ensure input is encoded as text only.
   d. Must have flagging capability so other users can escalate inappropriate comments.
   e. Must have a monitoring process (after the fact) performed by or representatives with the appropriate training.
6. Virus scans are required on all uploaded files.
7. All URLs, JavaScript, RSS, Twitter feeds and widget content input to a web site are scanned for viruses and moderated by automated tools.

11.4.2 Removal of Search Engine Archival Flag

1. No search engine archiving of new, revised or updated Web sites containing user generated content.
2. All new Web applications that allow the input or display of user generated content (including site Search parameters) must turn off the archival flag used by search engines. This prevents the long term archival of web pages that have been compromised or defaced.
3. To prevent all search engines from showing a "Cached" link for the site, place the following tag in the <HEAD> section of every page:
   <meta name="robots" content="noarchive">

12 Extranet Requirements

1. All extranet connectivity into must be through secure communications.
2. All data exchanged with for mission or business critical functions (B2B) requires secure intercompany communications (ICC) implemented by IT Operations services. The program manager is responsible for communications funding and will arrange for Suppliers to engage with the IT Operations services.
3. Supplier is responsible for implementing the secure protocols at their sites.

13 Business Continuity and Disaster Recovery

1. Supplier must have a disaster recovery plan in place in the event that a major disruptive incident impacts their ability to provide service.

2. Mission or business critical functions must have a recovery or continuity plan in place per the mutually agreed upon Service Level Agreement.
3. Supplier personnel responsible to support business and disaster recovery functions must be identified to upon request.

14 Terms and Definitions

Application Security: The controls in place within applications to protect data processed by the application and to protect the integrity and availability of services provided by the application.

Business Critical: Loss that indirectly impacts a Mission Critical function, or directly impacts a business unit's primary function, is considered Business Critical.

Cloud Computing: Computing resources, software and data delivered as a hosted service over the Internet. The computing resources are dynamically scalable and often virtualized. The services are accessible anywhere that provides access to networking infrastructure.

Content Moderation: A business process where content is reviewed and approved by or a representative with the appropriate training before it is viewable by others.

Content Monitoring: A business process where content is reviewed (and removed if necessary) by or a representative with the appropriate training after it is viewable by others.

Externally Facing or External Facing (Public): Information available without approval or authentication.

Confidential data: Information with restricted access limited to those individuals with a need to know.

Mission Critical: Loss that directly impacts s ability to Book, Build, Ship, Order, Pay, Close or Communicate is considered Mission Critical.

Moderation: A business process where personnel or a contracted agent reviews and either approves or rejects user generated content (UGC) based on the business situation. Automated moderation is when computerized searches are performed on UGC to screen the input for unwanted or malicious input. Community moderation for appropriateness of content is reporting by the user community of violations of content after it is posted.

Physical Security: Measures taken to protect systems, buildings and related support infrastructure against threats from the physical environment.

Personal Information (PI): Any information that can be used to identify, contact or locate someone, plus any other information associated with it.

Privacy: An individual's right to have a private life, to be left alone and to be able to decide when their personal information is collected, used or disclosed.

User Generated Content (UGC): Content input into a web application either by text input or rich media such as pictures, audio and videos via file uploads or widgets.

Unsecured Area: Areas that are not controlled by physical access security measures. Some examples are: the lobby of an access controlled building or a warehouse delivery dock with PC access to corporate systems.

Virtualized System: The use of the term virtualized system includes any of the following: A virtual machine (VM) is a software implementation of a computer that executes programs like a real machine. The virtual machine monitor (VMM) or hypervisor is the software layer providing the virtualization. Platform virtualization and/or hardware virtual machines, which allow the sharing of the underlying physical machine resources between different virtual machines, each running its own operating system. Also included are other "virtual environments" (also called "virtual clients and virtual servers") that provide some form of encapsulation of processes within an operating system. (Not included in this definition: load balancers and utility firewalls.)
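Section 11.4.1 requires automated text moderation whose search includes the word "porn", text-only encoding of comment input, no embedded links under the community-monitoring exception, and a per-user, time-stamped log of every UGC submission. As an added example, not code from the standard, the Python below implements those four controls for a plain-text comment; the length limit, the link patterns, the leetspeak folding and the log record shape are assumptions, and the submissions are constructed.

```python
"""Text-only UGC intake: validation, automated moderation and per-user logging.

Added example for MSSTAN 1504 section 11.4.1 (not the standard's own code):
  - input is stored HTML-escaped so it is text only (5c);
  - embedded links are rejected (5a);
  - an automated word filter that includes "porn" blocks posts (item 1, 5b);
  - every submission is logged to the user with a time stamp (item 3).
Word list beyond "porn", length limit, link patterns and log shape are assumed.
"""
import html
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone

BLOCKED_WORDS = {"porn"}      # the standard names this word; extend per business need
MAX_COMMENT_LENGTH = 2000     # assumed limit; keeps the filter cheap and bounds abuse

# Schemes, "www." hosts, and bare "name.tld" (also "name (dot) tld") all count as links.
_LINK_RE = re.compile(
    r"(?i)(?:https?://|ftp://|\bwww\.|"
    r"\b[a-z0-9-]+\s*(?:\.|\(dot\)|\[dot\])\s*(?:com|net|org|info|io|ru)\b)"
)
# Leetspeak digits and symbols folded to letters before the word filter runs.
_LEET = str.maketrans("0134$@", "oieasa")
_INNER_PUNCT_RE = re.compile(r"[^\w\s]")


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    stored_text: str  # HTML-escaped text when accepted, otherwise ""


def normalised_words(text: str) -> list:
    """Lower-case, Unicode-fold, un-leet and strip punctuation inside words.

    "P.0.R.N" and fullwidth letters become "porn"; separating letters with
    spaces still evades this, which is why 5e (human monitoring) remains.
    """
    folded = unicodedata.normalize("NFKC", text).lower().translate(_LEET)
    return _INNER_PUNCT_RE.sub("", folded).split()


def check_comment(text: str) -> Decision:
    """Validate one plain-text comment; never returns raw user markup."""
    if not text.strip():
        return Decision(False, "empty", "")
    if len(text) > MAX_COMMENT_LENGTH:
        return Decision(False, "too long", "")
    if _LINK_RE.search(text):
        return Decision(False, "embedded link", "")
    hits = [w for w in normalised_words(text) if w in BLOCKED_WORDS]
    if hits:
        return Decision(False, f"blocked word: {hits[0]}", "")
    # Text-only encoding: escape <, >, &, quotes so the stored value is inert
    # wherever it is later rendered, rebroadcast or mailed.
    return Decision(True, "ok", html.escape(text, quote=True))


def record_submission(log: list, user_id: str, text: str, now: datetime = None) -> Decision:
    """Check a comment from an authenticated user and log the outcome (item 3).

    Rejections are logged too, so repeated abuse is visible to monitoring (5e).
    """
    if not user_id:
        raise ValueError("UGC requires a registered, authenticated user (item 2)")
    decision = check_comment(text)
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    log.append({"ts": stamp, "user": user_id,
                "accepted": decision.accepted, "reason": decision.reason})
    return decision


# Constructed submissions for the demonstration.
SAMPLE_SUBMISSIONS = [
    ("user42", "Great webinar, thanks!"),
    ("user42", "<script>alert(1)</script>"),
    ("user17", "Cheap stuff at example (dot) com"),
    ("user17", "free P.0.R.N here"),
]


def demo_log() -> list:
    """Run the constructed submissions with a fixed clock; returns the log."""
    log = []
    fixed = datetime(2013, 8, 1, 12, 0, tzinfo=timezone.utc)
    for user, text in SAMPLE_SUBMISSIONS:
        record_submission(log, user, text, now=fixed)
    return log


if __name__ == "__main__":
    for entry in demo_log():
        print(entry)
```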
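Section 11.4.2 requires the <meta name="robots" content="noarchive"> tag in the <HEAD> of every page of a UGC-enabled site. As an added example, not code from the standard, the Python below is a check a Supplier could run over its own pages before a compliance scan; the sample pages are constructed, and the case-insensitive, comma-separated handling of the content attribute follows the robots meta tag convention rather than anything the standard states.

```python
"""Check that every HTML page carries the robots "noarchive" directive.

Added example (not part of the MSSTAN 1504 standard): a compliance check for
section 11.4.2. A page passes only when a <meta name="robots"> tag inside
<head> lists the noarchive directive. Sample pages are constructed.
"""
from html.parser import HTMLParser


class RobotsMetaCollector(HTMLParser):
    """Collect the directives of every <meta name="robots"> tag inside <head>.

    Only tags inside <head> count: the standard asks for the tag in the
    <HEAD> section, and search engines document the robots meta tag as a
    <head> element, so a copy placed in <body> does not satisfy the control.
    """

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values keep their case.
        if tag == "head":
            self.in_head = True
            return
        if tag != "meta" or not self.in_head:
            return
        attr = {k: (v or "") for k, v in attrs}
        # "robots" addresses all crawlers; other names (e.g. "googlebot") are ignored here.
        if attr.get("name", "").strip().lower() != "robots":
            return
        # content is a comma-separated directive list, e.g. "noindex, noarchive".
        for directive in attr.get("content", "").split(","):
            directive = directive.strip().lower()
            if directive:
                self.directives.add(directive)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def has_noarchive(html: str) -> bool:
    """Return True when the page's <head> declares noarchive for all robots."""
    collector = RobotsMetaCollector()
    collector.feed(html)
    collector.close()
    return "noarchive" in collector.directives


def audit_pages(pages: dict) -> list:
    """Return the paths (sorted) whose <head> lacks the archival-flag removal."""
    return sorted(path for path, html in pages.items() if not has_noarchive(html))


# Constructed sample pages; in practice these would be fetched from the site.
SAMPLE_PAGES = {
    "/forum/index.html": (
        "<html><head><title>Forum</title>"
        '<meta name="robots" content="noarchive"></head>'
        "<body>ok</body></html>"
    ),
    "/forum/thread.html": (
        # Upper-case tag and a directive list: still compliant.
        "<html><head><title>Thread</title>"
        '<META NAME="ROBOTS" CONTENT="noindex, NoArchive">'
        "</head><body>ok</body></html>"
    ),
    "/forum/search.html": (
        # Tag present but outside <head>: does not count.
        "<html><head><title>Search</title></head>"
        '<body><meta name="robots" content="noarchive">results</body></html>'
    ),
    "/forum/profile.html": (
        # Wrong directive: noindex does not suppress the "Cached" link.
        '<html><head><meta name="robots" content="noindex"></head>'
        "<body>profile</body></html>"
    ),
}

if __name__ == "__main__":
    for path in audit_pages(SAMPLE_PAGES):
        print(f"non-compliant (no noarchive in <head>): {path}")
```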