Reference #: ITD-SEC-TECH-18.1
Issue Date: March 6, 2014
Issue #: 1
Table of Contents
Security Standards for Acquisition of IT Applications
1. Design / Development
2. Test and Acceptance
This Enterprise Information Technology Acquisition Security/Application Standards (Standards), issued by the Executive Office of Technology Services and Security (EOTSS) provides requirements and evaluation guidelines for entities making “IT Application Acquisitions.” The Commonwealth has the responsibility to ensure that information technology solutions are procured in alignment with the Enterprise IT Security goals. Therefore, both prepackaged and developed IT Solutions must be evaluated throughout their lifecycle. Up front evaluation of IT Security compliance must be a key factor in determining the viability of a pre-packaged solution while incremental testing and final validation and verification is critical during any project that relies on development by third party vendors.
These standards apply to:
- Executive Department Agencies; and
- Non-Executive Department Entities when such entities are using Commonwealth Information Technology Capital Funds administered by EOTSS to acquire the Information Technology commodities and/or services.
Other Commonwealth entities are encouraged to adopt, at a minimum, standards and requirements in accordance with these Standards or more stringent standards that address the entity’s specific business-related directives, laws, and regulations.
These standards articulate specific areas that must be addressed throughout the process of acquiring (building or buying) IT solutions by applicable Commonwealth Entities on behalf of the Commonwealth. As such it is important to understand that these standards will require both procedural and contractual actions to be successfully carried out in order to effectively achieve compliance.
SECURITY STANDARDS FOR ACQUISITION OF IT APPLICATIONS
1. Design / Development
Design and development must include the following measures:
1.1. All IT solutions, regardless of solution owner or hosting location, must include provisions for the secure storage, archiving and disposal (in conformance with the records retention rules issued by the Secretary of the Commonwealth, Federal and state law regarding records retention, and the requirements of third party contracts) of data records and documents that contain data that must be protected per the Enterprise Data Classification Standards.
1.2. IT solutions must be developed in a manner that will accept only explicitly allowed data and reject everything else.
1.2.1. Each user’s data input, as well as data from any un-trusted/uncontrolled network, must be checked for improper data type for admission to any Commonwealth systems.
1.2.2. The length of the data must not exceed the length of input field.
1.2.3. Data from type-specific input fields must be validated for data type.
1.2.4. Checking must be done immediately after receiving the data and before using the data in any way.
1.4. IT solutions must be designed in a way to prevent exposure to end users of any unnecessary information relative to the underlying environment including operating system, server, security certificates, source code and comments, etc.
1.5. IT solutions must provide specific user privilege (role based access) to access application system resources, including files, databases, etc.
1.5.1. Operations on these resources must be set at minimum levels and at the least privilege sufficient for the action(s) required by each type of user.
1.5.2. The appropriate level of authentication and authorization depends on the sensitivity classification of the data or access provided by the application/system.
1.5.3. Application developers must deploy effective and reliable methods for maintaining secure access.
1.6. User input must not be allowed to contain any programming code and/or commands to the underlying operating system.
1.6.1. All code and/or commands in question must reside on the server within the application, application data access frameworks, or special files.
1.6.2. Code and/or system commands must be initiated and executed within the application as part of user request processing
1.7. Application system code must never run with the maximum level of privileges for the underlying operating system (for example “root” for Linux/Unix operating system).
1.8. Application code must never operate out of the same storage location (directory/file volume) as the underlying operating system.
1.9. The application and the client systems must not be used as temporary storage for sensitive data. Such data must be stored in secure data storage as required by its data classification designation (for example in a database with the sufficient security level).
1.10. Application systems must provide event logs (i.e., operations with files, entering of logon ID/passwords, etc.) in a secure location, available only to the system administrator.
1.10.1. The application itself must not be able to alter previously logged events.
1.10.2. Any application system that is subject to compliance/audits from outside entities which require auditability must have a mechanism (e.g., event logging to both the application code and platform) enabling performance of such audits in place.
1.11. All sessions must have a mandatory timeout.
1.11.1. The timeout must be as short as is practical.
1.11.2. The timeout must be consistent with the classification of the data being accessed and the environment in which the access to the data occurs.
1.12. Production application systems must be security-hardened, including but not limited to the removal of all unnecessary hardware and programs from the public-facing environment.
1.12.2. Source code must not be directly executable through unauthorized channels.
1.12.3. Application artifacts (test scripts, unneeded configuration files, archives, etc.), and compilers must not reside on public-facing systems such as web servers or first tier application servers.
1.13. A written plan for security patch maintenance must be developed and implemented as part of the design and development phase of an IT Solution. The plan must satisfy all requirements of the test and acceptance phase. This requirement applies to all software used to develop, distribute, or house the public-facing application system.
1.14. A written plan for incident monitoring and response must be developed and implemented as part of the design and development phase of an IT solution. The purpose of this plan to is to ensure that all appropriate parties are familiar with and are able to support required response activity in the event of a potential security breach against a Commonwealth IT system at any phase of the IT system’s lifecycle.
1.14.1. An IT solution system security breach or security failure must be treated as an application failure.
1.14.2. Until the failure has been analyzed and resolved, or the level of risk is accepted, the application must be made unavailable.
1.14.3. The analysis and resolution and/or acceptance of risk must be adequately documented.
1.14.4. Appropriate notification and consultation with system owners, agency and EOTSS security personnel must be performed and documented.
1.14.5. In the event of a serious incident of externally managed solutions, the vendor must contact the EOTSS security office to ensure that EOTSS' incident response process is activated.
1.14.6. A Business Continuity Plan may need to be implemented as dictated by the criticality of the solution in the event of an application security breach or failure.
2. Test and Acceptance
All information collected, used or saved within an IT system must be classified based on its sensitivity and be protected accordingly regardless of whether or not the information is being used for testing or production purposes.
2.1. Network segregation between development, test, and production environments must be established and maintained in compliance with the Enterprise Access Control Policy and Standards
2.2. IT solution testing must not violate data security and privacy policies and standards.
2.3. All IT systems are subject to EOTSS or Secretariat/Agency risk/vulnerability assessment (i.e., independent security review and security testing.)
2.3.1. Risk/vulnerability assessments are conducted prior to initial implementation.
2.3.2. Testing, which must include, among other things, testing against third party or purchased components, must be repeated as changes are made to the application and as new threats become known.
2.3.3. Testing process and extent is determined based on the sensitivity and criticality classification of the data and systems involved.
2.4. Change control management solutions, mechanisms, and disciplines must be implemented and enforced.
2.5. The test environment(s) must be functionally comparable to the production environment in order to support appropriate testing scenarios prior to updating or making any changes to the production application
2.5.1. Hardware and software platform must be functionally equivalent
2.5.2. Network topology must reflect the intended Production Environment topology
2.5.3. The ability to effectively validate against compliance and contractually imposed standards or policies for an IT System’s access, security and application functionality, administrative processes and integration points must be achievable prior to deploying an IT System into a Production Environment.
2.6. All IT Systems must undergo successful independent application review aligned with the classification of the data they contain to validate that all applicable enterprise IT standards and security policies have been met prior to implementation.
2.6.1. The review must be performed by individuals other than the vendor/staff used to develop the application. For purposes of this requirement, “independent” may include other staff of the agency provided no direct reporting relationships exist between the development and review organizations.
2.7. Test scripts and strategies must provide sufficient evidence that controls adequately address security and operational objectives. The use of automated tools to perform comprehensive, rigorous, and consistent application functionality testing is required whenever possible.
2.8. Testing must not be performed with personally identifiable or sensitive data. Further, to the greatest extent possible, third party vendors and or their sub-contractors should not be able to access or view actual data which contains PII or other sensitive data. Test data may be scrambled/scrubbed/masked for such purposes.
2.9. Relevant off-site test locations must have a level of physical/access security control that is commensurate with the classification of the data and in accordance with the Secretariat/Agency and Enterprise policies, standards and compliance requirements.
2.10. Senior management must sign-off on the test results and final acceptance of any public-facing IT solution.
2.11. Changes to any element of the application environment must satisfy all requirements of the test and acceptance phase.
- Enterprise IT Acquisitions Security Policy
- Enterprise Access Control Security Policies and Standards
- Enterprise Technical Reference Model
- IT Acquisition Accessibility Compliance Program
- Enterprise Information Technology Accessibility Standards
- Enterprise Web Accessibility Standards
- Enterprise Security Policy and Standards
- Executive Orders 504 and 532
Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the Information Technology Division’s web site where a full glossary of Commonwealth Specific Terms is maintained.
Applicable Entities: Those entities identified under the “Applicability” section of these Standards.
IT Acquisition: Acquisitions that include but are not limited to: information technology and telecommunications-related commodities and/or services, such as hardware and software, software as a service or cloud commodities and/or services; software license and hardware maintenance, including renewals; and related installation, integration or other consulting services.
Personally identifiable information PII: Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Next Review Date
Accessibility remediation – no content changes
 The Executive Department is comprised of the Executive Branch minus the Constitutional Offices, i.e., the State Auditor, State Treasurer, the Attorney General, the Secretary of the Commonwealth, and the Governor’s Office.