Minimum Security for SaaS/PaaS

Minimum Security for SaaS/PaaS
Standards What to do Low Risk System Moderate Risk System High Risk System
Product Selection Follow the Georgetown Cloud Services Requirements workflow X X X
Pre-implementation Planning Follow the SaaS considerations checklist
Follow the PaaS considerations checklist
Follow the Cloud Services Security checklist
 
X X X
Inventory and Asset Classification
  • List the product in the department’s Snipe-IT.
  • Ensure the inventory is updated quarterly and reflects accurate data classification and service ownership.
X X X
Credential and Key Management
  • Integrate with Georgetown’s SSO services, preferably SAML.
  • Review administrative accounts and privileges quarterly.
  • Adhere to the Georgetown password complexity rules if not integrated with a Stanford SSO service.
  • API keys:
    • Minimize their generation.
    • Grant minimum necessary privileges.
    • Rotate at least annually.
    • Do not hardcode.
    • Do not share credentials.
X X X
Encryption Enable transport layer encryption TLS 1.1 or higher. X X X
Logging and Auditing
  • Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or UIS guidance as needed.
  • All logs must be sent to Splunk. If logs cannot be sent to Splunk contractually ensure that the provider can export logs at the request of Georgetown within five calender days.
X X X
Data Management Contractually ensure that Georgetown data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory obligations.   X X
Privileged Access Workstation (PAW) Administration consoles should only be accessed through a PAW when logging in with an administrative account.
Administrative accounts are defined as:

  • Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.
  • Accounts with the ability to override or change security controls.
  X X
Backups Back up application data at least weekly. Encrypt backup data in transit and at rest.   X X
Multi-Factor Authentication Require Duo multi-factor authentication for all interactive user and administrator logins. X X X
Security, Privacy, and Legal Review Prior to implementation, follow the Georgetown Data Risk Assessment process. X X X
Regulated Data Security Controls
  • Follow all regulatory data controls as applicable (HIPAA/HITECH, NIST 800-171, PCI DSS, GDPR, etc.).
  • For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.
    X