LCZ-ASP 1.1 16 May 2009 This document specifies technical and non-technical security policy for ASP implementations and applies to any ASP service regardless of technology to be used. 1.1 16 May 2009 FOD Revised for re-release 1.0 13 June 2003 LCZ Initial Draft for public release 2001200220032009 Frank O'Dwyer To specify a security policy and standards for ASP delivered solutions. To provide guidance to administators, developers and security personnel in securely implementing ASP solutions. Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from the Information Security team consultancy function. This is an ASP security policy. Controls specific to technologies used in the service are not defined here but will be the subject of additional standards. This document should also be read in conjunction with the generic security standards and the technology specific standards, which specifies controls applicable for particular technologies. Compliance with this standard does not negate the need for an overall security review of a proposed application or service. Contact the Information Security team if you are in doubt. An Information Asset equates to any computerised information system or component thereof and thus includes an application, an item of off the shelf software, hardware, media, a data item, a data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous, except where a control relates to any Information Asset. The use of must or will indicates what the author considers to be a mandatory control. However, whether the controls listed here are mandatory for your organisation is entirely at your organisation's discretion and thus they should be interpreted as representing the strongest recommendation of the author. The use of should or recommended or ought indicates that the author believes that the controls in question are worthwhile and should be implemented unless such an implementation is impossible, onerous or impractical. Again, the implementation of controls so recommended in this document is entirely at your organisation's discretion. The suppliers information security service descriptions should be obtained and analysed for consistency against the supplier security organisation and against your organisation's security service requirements. Has the suppliers information security service claims been analysed for consistency with their organisational structure, resourcing level and your organisation's security service requirements. Obtain the suppliers information security service descriptions Analyse the services in view of their stated organisational structure, their service capability claims and against your organisation's security service requirements. Identify areas where the suppliers services appear to be unsupported by their structure and resourcing In the context of the service to be provided analyse the impact of the disparities Feed the results into your analysis of the proposed service Required security services may not be delivered Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that ASP contracts include a schedule detailing the security services provided and references a service level agreement for the provision of those services. Does the ASP contract define the security services to be provided and the service levels? Identify the security services required Identify the service level required for each security service Ensure that the contract for the application service provision references these services and the service level required The effectiveness of the service provision claims may be unsupportable The effectiveness of the service provision claims may be unremediable through legal means Incident management may be ineffective Legal and regulatory responsibilities may not be met Procedural security may be wholly inappropriate Personnel security may be wholly inappropriate Technical security may be wholly inappropriate Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The suppliers information security organisational structure must be obtained and analysed for consistency with the stated policies and claimed security services. Has the suppliers information security organisational structure been analysed for consistency with the stated policies and the claimed security services. Obtain the suppliers information security organisational structure Analyse the structure in view of the stated policies and security services Identify areas where the suppliers defined structure appears unable to support the claimed policy objectives and the claimed security services. In the context of the service to be provided analyse the impact of the disparities Feed the results into your analysis of the proposed service A wholly inappropriate technical security solution may be implemented A wholly inappropriate security management solution may be implemented Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Auditing provides independent management checks on the functioning of controls, therefore obtain a description of the suppliers arrangements for auditing the services that they provide and compare this to the regime that would be implemented were it in your own organisation. Does the description of the suppliers arrangements for auditing the services that they provide equate to or exceed the level of auditing that would be provided were it performed in-house? Obtain the description of the auditing provided by the supplier Ensure that the auditing to be provided equates at least to that which would be provided were the application hosted in-house The service may be operated in such a was as to be out of control Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that the supplier is bound by confidentiality agreements to prevent leakage of your data to other parties who may also use the ASP service. Is the supplier bound by confidentiality agreements to prevent leakage of your data to other parties who might also use the ASP service. Ensure that the ASP contract includes supplier confidentiality clauses Determine whether further more stringent confidentiality measures are required from the risk analysis Legal and regulatory responsibilities may not be met Business information may be disclosed. The suppliers information security policy should be obtained and analysed for consistency with that of your own organisation. Has the suppliers information security policy been obtained and analysed for consistency with that of your own organisation? Obtain the suppliers information security policy Perform a comparative analysis between the suppliers policy and your own Identify areas where the suppliers policy requirements do not meet yours In the context of the service provided analyse the impact of the disparities Feed the results into your analysis of the proposed service A wholly inappropriate technical security solution may be implemented A wholly inappropriate security management solution may be implemented An inappropriate security cultural solution may be implemented Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Avoid using ASPs who are unwilling to disclose their security capabilities even under non-disclosure agreements Is the ASP willing to provide details of their security capabilities? Determine whether the supplier is willing to disclose their security capabilities Avoid those, who even under NDA will not disclose their security service capabilities The effectiveness of the service provision claims may be unsupportable Incident management may be ineffective Legal and regulatory responsibilities may not be met Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that ASP personnel who will be working on the ASP solution are subject to equivalent background checks as staff within your own organisation Are ASP personnel working on the ASP solution subject to equivalent background checks as staff within your own organisation? Determine what background checks are performed by the ASP Compare these checks to those performed by your own organisation Determine whether there are any major mismatches and thus, exposures. Legal and regulatory responsibilities may not be met Technical security controls may be undermined Procedural security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that hardening of the components of the solution takes place in line with the policies and standards that are applicable within your organisation. Is it ensured that hardening of the components of the solution takes place in line with the policies and standards that are applicable within your organisation? Obtain details of the component hardening that the ASP performs Compare the hardening process used against the steps that your organisation would take. Identify any substantive differences that would reduce the security of the solution when compared to hosting it by your own organisation Legal and regulatory responsibilities may not be met Technical security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that a regime of measuring the security services provided are in place and the ASP provides these at an agreed frequency Is there a regime for measuring the security services provided at an appropriate frequency? For each of the security services provided as part of the ASP define measures of effectiveness For each of the measures of effectiveness determine the frequency of report to be provided by the ASP. The effectiveness of the service provision claims may be unmeasured Incident management may be ineffective Legal and regulatory responsibilities may not be met Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that ASP contracts of employment place equivalent or greater emphasis on information security as that in your organisation's own contracts of employment Do the ASP contracts of employment place equivalent or greater emphasis on information security as that in your organisation's own contracts of employment? Determine the information security clauses within your organisation's contract of employment Determine the information security clauses within the ASP contracts of employment Determine whether any mismatches are significant Legal and regulatory responsibilities may not be met Technical security controls may be undermined Procedural security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that the ASP management practices in relation to the components that make up the solution, do not introduce vulnerabilities Has it been ensured that the ASP management practices in relation to the components that make up the solution do not introduce vulnerabilities? Obtain the management procedures for the solution components from the ASP Compare these management procedures to those that would be applied were the solution hosted by your own organisation Identify substantive differences that may give rise to security vulnerabilities Legal and regulatory responsibilities may not be met Technical security controls may be undermined Procedural security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that the ASP undertakes periodic audits Is the ASP subject to periodic audits? Obtain a description of the audit cycle for the service If one does not exist or if the cycle is too long this should be considered a deficiency The effectiveness of the service provision claims may be unmeasured Incident management may be ineffective Security responsibilities may be confused Legal and regulatory responsibilities may not be met Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. It must be ensured that the supplier provides contact names and details for each element of their security organisation that will deliver security services. Has the supplier provided contact names and details for each element of the security organisation that is to deliver security services to your organisation? Using the supplier organisation chart and the security services that are to be supplied ensure that all contact details have been supplied. Ensure that the number of services to be provided by each individual named are reasonable Ensure that the contact info is maintained in an appropriate form such that incidents and responses can be appropriately dealt with. The service provision claims may unsupportable Incident management may be unfeasible Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure the ASP has a well defined information security organisation with clearly defined responsibilities Does the ASP have a well defined information security organisation with clearly defined responsibilities? Obtain the information security organisation from the ASP Correlate the security services provided with the security organisation Identify any significant mismatches Correlate the security services provided against the security services required Identify any significant mismatches The service provision claims may be unsupportable Incident management may be unfeasible Security responsibilities may be confused Legal and regulatory responsibilities may not be met Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Where the new service is to be host by an ASP vulnerability scanning/penetration testing should be performed prior to the new service going live Will vulnerability scanning/penetration testing be performed prior to the new service going live? Identify whether the ASP provides any monitoring of the platform builds Security vulnerabilities may go undetected and lead to site compromise Legal and regulatory responsibilities may not be met Technical security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The new ASP hosted service should be protected by a firewall Is the new ASP hosted service protected by a firewall? Identify whether the ASP can supply the service with firewall protection in place Security vulnerabilities associated with non-essential services may lead to compromise of the system Legal and regulatory responsibilities may not be met Technical security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Intrusion detection systems should be deployed in order to identify attacks against the service Has an intrusion detection system been deployed in order to identify attacks? Determine from the risk analysis of the system it's importance For important systems deploy an intrusion detection solution to monitor for attempted breaches Attempts to breach the system may go undetected. Legal and regulatory responsibilities may not be met Technical security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Monitoring of the platforms of the ASP components should take place to flag when any components move out of alignment with the hardened build specification. Will the solution provide perform monitoring of the platforms of the ASP components to flag when any components move out of alignment with the hardened build specification? Identify whether the ASP provides any monitoring of the platform builds Security breaches of the platforms may go undetected Legal and regulatory responsibilities may not be met Technical security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The ASP should provide monitoring of the firewall rule base Does the ASP provide monitoring of the firewall rule base? Identify whether the ASP can monitor firewall rule changes and reconcile the changes to valid, authorised changes. Unregulated rule changes may introduce security vulnerabilities that may lead to compromise of the system Legal and regulatory responsibilities may not be met Technical security controls may be undermined Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that the Application Service Provider and your organisation develop and agree incident handling processes and procedures Have incident handling processes and procedures been developed and agreed with the Application Service Provider? Define security incidents that require a response Determine the responses to be taken in the event of a security incident Determine the party responsible for taking the response Capture the above in a process document Define procedures to be followed to execute the process Implement the process and procedures between your organisation and the ASP. Remedial action may fail to be taken in the event of an incident Inappropriate and potentially more damaging action may be taken in the event of an incident Legal, regulatory or contractual obligations may be breached Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that for a high availability requirement service that a fault tolerant implementation is deployed Has a fault tolerant implementation been deployed? Ensure that the service is deployed with RAID, fault tolerant power supplies, online backups, mirroring, diverse network connections Business information and applications may be unavailable. A risk analysis must be performed on the service to be hosted to ensure that appropriate controls are built into the solution Has a risk analysis been performed on the service to be hosted? Perform a risk analysis on the application to determine the control requirements A wholly inappropriate security solution may be implemented Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The security provided by the service provider should equate to a same or greater level of security that would be put in place were you to host it by your own organisation. Is the security provided by the service provider equivalent or greater than the level of security that would be put in place were it hosted by your own organisation? Determine the appropriate level of security control required using risk analysis Determine the security capability of the provider Determine whether this delivers the control required against the risk analysis Determine whether this delivers the same control as that were you to host the service yourselves. The security solution delivered may be wholly inappropriate for the service Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Incident handling processes and procedures should be tested Have incident handling processes and procedures been tested? Define and agree scenarios to be tested with the ASP Simulate the scenario and execute the incident handling procedure Measure deficiencies with the plan and its execution and re-develop the process and procedure accordingly Remedial action may fail to be effective in the event of an incident Inappropriate and potentially more damaging action may be taken in the event of an incident Legal, regulatory or contractual obligations may be breached Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.