Standards and what to do, by system risk level (Low Risk System, Moderate Risk System, High Risk System). Each standard below ends with the risk levels it applies to.

Product Selection

Follow the Georgetown Cloud Services Requirements workflow

Applies to: Low, Moderate, and High Risk Systems.

Pre-implementation Planning

Follow the SaaS considerations checklist

Follow the PaaS considerations checklist

Follow the Cloud Services Security checklist

Applies to: Low, Moderate, and High Risk Systems.

Inventory and Asset Classification

1) List the product in the department's Snipe-IT.

2) Ensure the inventory is updated quarterly and reflects accurate data classification and service ownership.

Applies to: Low, Moderate, and High Risk Systems.

Credential and Key Management

1) Integrate with Georgetown's SSO services, preferably SAML.

2) Review administrative accounts and privileges quarterly.

3) Adhere to the Georgetown password complexity rules if the product is not integrated with a Georgetown SSO service.

4) API keys:
a. Minimize their generation.
b. Grant minimum necessary privileges.
c. Rotate at least annually.
d. Do not hardcode.

5) Do not share credentials.

Applies to: Low, Moderate, and High Risk Systems.
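The API key rules above (least privilege, rotate at least annually, do not hardcode) are easiest to enforce with a periodic audit. The following is an added example and not Georgetown's or any vendor's tooling: it assumes the vendor can export a key inventory with creation dates and scopes (the record layout, the constructed sample inventory, the constructed source snippet, the regex and the entropy threshold are all assumptions made for illustration), flags keys past the rotation period or carrying wildcard scopes, and scans source text for high-entropy literals assigned to secret-like names.

```python
"""Audit helpers for API key hygiene (added example; assumptions noted inline)."""
import math
import re
from datetime import date, timedelta

ROTATION_PERIOD = timedelta(days=365)  # rule 4c: rotate at least annually

# Constructed sample inventory; assumed export format (id, created, scopes).
SAMPLE_KEYS = [
    {"id": "key-ci-deploy", "created": date(2023, 1, 10), "scopes": ["deploy:write"]},
    {"id": "key-report-bot", "created": date(2024, 11, 2), "scopes": ["reports:read"]},
    {"id": "key-legacy-admin", "created": date(2022, 6, 1), "scopes": ["*"]},
]

# Constructed source snippet used to exercise the hardcoded-secret scan.
SAMPLE_SOURCE = """\
import os
API_KEY = "sk_live_9fZ3qL8xT2mVb7Kp4Wc1Rh6Ny0Dj5Ue"
DB_PASSWORD = os.environ["DB_PASSWORD"]
TOKEN = "changeme"
SECRET = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""


def keys_due_for_rotation(keys, today):
    """Ids of keys older than ROTATION_PERIOD as of `today` (rule 4c)."""
    return [k["id"] for k in keys if today - k["created"] > ROTATION_PERIOD]


def overprivileged_keys(keys):
    """Ids of keys whose scopes contain a wildcard, i.e. not least privilege (rule 4b)."""
    return [
        k["id"]
        for k in keys
        if any(s == "*" or s.endswith(":*") for s in k["scopes"])
    ]


# Assumed heuristic: a secret-like name assigned a literal of 16+ token chars.
ASSIGNMENT = re.compile(
    r"""(?i)\b([A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*)"""
    r"""\s*[:=]\s*["']?([A-Za-z0-9_\-/+=]{16,})["']?"""
)


def shannon_entropy(s):
    """Bits per character; random keys score high, filler like 'aaaa' scores 0."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def find_hardcoded_secrets(text, min_entropy=3.0):
    """(line_no, name, value) for likely hardcoded secrets (rule 4d).

    Values read from the environment never match because the literal pattern
    requires a long token; low-entropy placeholders are dropped by the threshold.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            hits.append((line_no, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    today = date(2025, 3, 1)  # constructed audit date
    print("Due for rotation:", keys_due_for_rotation(SAMPLE_KEYS, today))
    print("Overprivileged:", overprivileged_keys(SAMPLE_KEYS))
    for line_no, name, value in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"Hardcoded secret at line {line_no}: {name} = {value[:6]}...")
```

The entropy threshold is what keeps the scan useful: `DB_PASSWORD = os.environ[...]` is the correct pattern and is never flagged, while a long but repetitive placeholder is ignored so the report stays focused on real key material. Run the audit on a schedule alongside the quarterly privilege review in item 2.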

Encryption

Enable transport layer encryption: TLS 1.1 or higher. Note that TLS 1.0 and 1.1 are deprecated by RFC 8996, so TLS 1.2 or higher is the practical minimum to configure.

Applies to: Low, Moderate, and High Risk Systems.

Logging and Auditing

1) Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or UIS guidance as needed.

2) All logs must be sent to Splunk. If logs cannot be sent to Splunk, contractually ensure that the provider can export logs at the request of Georgetown within five calendar days.

Applies to: Low, Moderate, and High Risk Systems.

Data Management

Contractually ensure that Georgetown data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory obligations.

Applies to: Moderate and High Risk Systems.

Privileged Access Workstation (PAW)

Administration consoles should only be accessed through a PAW when logging in with an administrative account.

Administrative accounts are defined as:

1) Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.

2) Accounts with the ability to override or change security controls.

Applies to: Moderate and High Risk Systems.

Backups

Back up application data at least weekly. Encrypt backup data in transit and at rest.

Applies to: Moderate and High Risk Systems.

Multi-Factor Authentication

Require Duo multi-factor authentication for all interactive user and administrator logins.

Applies to: Low, Moderate, and High Risk Systems.

Security, Privacy, and Legal Review

Prior to implementation, follow the Georgetown Data Risk Assessment process.

Applies to: Low, Moderate, and High Risk Systems.

Regulated Data Security Controls

1) Follow all regulatory data controls as applicable (HIPAA/HITECH, NIST 800-171, PCI DSS, GDPR, etc.).

2) For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.

Applies to: High Risk Systems.