Application Security Standard_RequirementsChecklist


Page 1: Application Security Standard_RequirementsChecklist

Department of Environmental Protection

STD-09061813.1.0 Page 1 of 15

Application Security Requirements

Purpose

This document provides developers, security managers and product evaluators the minimum security requirements that all applications deployed in the DEP enterprise environment must comply with.

Scope

An application is defined as a “System or network-level routines and programs designed by (and for) system users and customers that support specific business-oriented processes, jobs, or functions. An application can be general in nature or specifically tailored to a single or limited number of functions.”

This standard applies to all applications deployed in the DEP enterprise environment, whether developed internally or by external vendors. This standard also applies to commercial “off-the-shelf” software products.

The security requirements contained in this standard relate directly or indirectly to Application Development and/or Deployment. They originate from the DEP Directive 390: Information Resources Security Policies and Standards (FL Dept. of Environmental Protection, 2008) and best security practices.

Standard

Before being deployed in the DEP enterprise application environment, project teams must complete the security checklist requirements included in the Appendix of this standard. Project teams must submit the completed checklist to the DEP Information Security Manager for review and approval before deploying any application in the DEP enterprise environment.


For DEP internally-developed Java software applications, existing standards for Java development enforce compliance with this standard. Therefore, it is not necessary to complete the required security checklist required by this standard.

Deviation from Use

Any deviation from this standard shall be documented in associated project and contract documentation. For contracts, deviation from the standard shall be documented and approved by the DEP contract manager. For non-contract work, deviation from use shall be documented in the project plan/scope of work and approved by the project manager.

Appendix

Checklist: Security Requirements for Applications

Bibliography

FL Dept. of Environmental Protection. (2008). DEP Directive 390: Information Resources Security Policies and Standards. Tallahassee: FL DEP.

Approved by: R. John Willmott, CIO

Approval Date: 6/18/09

Appendix

Checklist: Security Requirements for Applications

Instructions: Complete the following checklist and submit to the DEP Information Security Manager for review and approval before deploying any application in the DEP enterprise application environment. Indicate if the application under evaluation meets, performs or complies with the intent of the given policy by stating “Yes”, “No”, or “NA” for each listed policy or statement. Attach comments to clarify statements as needed.

Vendor Product or DEP application name: _______________________________________________________

Each checklist entry below gives the Policy Source, Security Category, Policy Statement, Specific Requirements (where stated), and Question to Pose Developer, followed by a Yes/No/NA response field.

Policy Source: DEP 390
Security Category: Access Control
Policy Statement: Access to data files and programs will be limited to those individuals authorized to view, process, or maintain particular systems. The principles of least access, separation of functions, and need to know will be applied in the determination of user authorizations. A user will be allowed to manipulate data only in constrained ways, which are designed to preserve or ensure the integrity of the data and the process. For tasks that are susceptible to fraudulent activities or other unauthorized activity, owners will ensure adequate separation of functions for controlled execution. Evidence, such as signatures, will be required to show individual accountability for transaction origination, authorization, and approval for financial, critical or sensitive information.
Specific Requirements: Each user of an information resource that can be accessed by multiple users will be assigned a unique user identification code or username and password. Exceptions are authorized for: public users of information resources or group users where such access is authorized; and situations where risk analysis demonstrates no need for individual accountability of users.
Question to Pose Developer: Are unique identification codes and passwords provided by the multi-user application or system, such that only authorized users have access? For financial or other applications that may be susceptible to fraudulent activities, is there adequate separation of functions to ensure controlled execution? Are audit logs created by the application or system to ensure transactions are date/time stamped along with who made the transaction?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Access Control
Policy Statement: User identification will be authenticated before the system grants the user access to information available through that system.
Question to Pose Developer: Are user IDs and passwords used to authenticate authorized users before granting the appropriate level of access?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Transaction Controls
Policy Statement: If transaction controls are required, the user identification code will be traceable to the user for the lifetime of the records and reports in which they appear.
Question to Pose Developer: For financial or other applications that may be susceptible to fraudulent activities, is there adequate separation of functions to ensure controlled execution? Are audit logs created by the application or system to ensure transactions are date/time stamped along with who made the transaction?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Software and Proprietary Code Control
Policy Statement: Contracts for programming work by outside personnel will indicate ownership of all rights to the software and associated documentation. Contracts with vendors of licensed or proprietary software will clearly define the limits of use of the software.
Question to Pose Developer: During the initial application needs phase, has it been determined who will own the finished application? Is it documented?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Confidentiality
Policy Statement: Information exempted from Government-in-the-Sunshine or Public Records Laws should be kept confidential using appropriate security measures including in part: passwords, permissions, access/user IDs, transaction controls, firewalls, and encryption; and avoiding the transmission of confidential information via IT Resources, unless encrypted. No state computer or subnet that is accessible via the Internet shall store private or sensitive information without the use of firewalls or some other means to protect the information.
Specific Requirements: Data which is exempted from disclosure under the Freedom of Information Act (Public Law 93-502) or whose disclosure is forbidden by the Privacy Act (Public Law 93-579) will not be transmitted over the Internet unless encrypted (Florida Statutes 815 and 119.07). Note: Logon IDs and passwords are classified as sensitive information as per the Data Security Policy (STO-2002-85-9).
Question to Pose Developer: Will the application create, store, transmit, or present confidential or sensitive data? If so, what means will be used to prevent unauthorized access? How will it be transmitted securely? How will it be stored securely?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Confidentiality
Policy Statement: A sufficient history of transactions will be maintained for each session involving access to critical or confidential information to permit an audit of the system by tracing the activities of individuals through the system.
Specific Requirements: In addition to system start-up and shutdown times, transaction history journals for critical or confidential information should log the following at a minimum: update transactions; date and time of activity; user identification; sign-on and sign-off activity; and confidential display transactions.
Question to Pose Developer: How will application transactions be recorded/logged to permit auditing? When will these transactions be made available or readable by authorized staff?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Password Control
Policy Statement: Passwords must always be encrypted when electronically stored or e-mailed; never clear text.
Question to Pose Developer: Does the application generate passwords or otherwise store them in a database or file? If so, are they encrypted? Are they transmitted encrypted?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Password Control
Policy Statement: Strong passwords will be used and shall have these minimum characteristics:
1) Have a length of 7 or more alphanumeric characters for Windows-based systems, 8 or more for Unix-based systems
2) Contain both upper and lower case characters (e.g. a-z, A-Z)
3) Have digits and punctuation characters as well as letters (e.g. 0-9, !@#$%^&*(){}[]:";'<>?,./)
4) Are not words in any language, slang, dialect, or jargon
Question to Pose Developer: Does the application requiring a password use a system or method that ensures a minimum strong password is required of the user?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Password Control
Policy Statement: All user-level passwords (e.g., email, desktop computer, etc.) must be changed at least every 90 days.
Specific Requirements: *May only apply at user level, not application level.
Question to Pose Developer: Does the application expire passwords within 90 days, or use a system whereby users must change passwords within this period?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Password Control
Policy Statement: Passwords shall be treated as sensitive confidential information and shall not be shared with anyone.
Question to Pose Developer: Are passwords handled as sensitive confidential information by encrypting them during collection, storage, or transmission?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Password Control
Policy Statement: Passwords must not be stored in readable format on any system.
Question to Pose Developer: Are passwords stored encrypted?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Password Control
Policy Statement: Application developers must ensure their programs contain the following security precautions:
1) Should support authentication of individual users, not groups
2) Should not store passwords in clear text or in any easily reversible form
3) Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password
Question to Pose Developer: Does the application allow role management to ensure authorized staff can obtain access without knowing the other's password for the purpose of data recovery or system maintenance? Does the application ensure that authentication is at the user level, not group level, to ensure accountability by user?
Yes/No/NA: ______
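The strong-password characteristics listed above, applied as a check a developer could put behind a password-change form. This is an added example, not part of the DEP standard; the word list is a constructed stand-in for a real dictionary, and the platform names "windows" and "unix" are assumptions used only to select the 7- or 8-character minimum.

```python
import string

# Minimum length per platform, as stated in the DEP 390 checklist
# (7 or more for Windows-based systems, 8 or more for Unix-based).
MIN_LENGTH = {"windows": 7, "unix": 8}

# Constructed stand-in for the "words in any language, slang, dialect,
# or jargon" list; a real deployment would load a full word list.
WORD_LIST = {"password", "welcome", "florida", "summer", "admin", "letmein"}

PUNCTUATION = set(string.punctuation)


def check_password(password: str, platform: str = "unix") -> list[str]:
    """Return the list of DEP 390 characteristics the password fails.

    An empty list means the password meets every minimum characteristic.
    """
    if platform not in MIN_LENGTH:
        raise ValueError(f"unknown platform: {platform!r}")
    failures = []
    if len(password) < MIN_LENGTH[platform]:
        failures.append(f"length < {MIN_LENGTH[platform]} for {platform}")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        failures.append("missing upper or lower case letters")
    if not any(c.isdigit() for c in password):
        failures.append("missing digit")
    if not any(c in PUNCTUATION for c in password):
        failures.append("missing punctuation character")
    # "Not words in any language": reject both the password itself and the
    # password with its digits and punctuation stripped (e.g. "Welcome1!").
    stripped = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in WORD_LIST or stripped in WORD_LIST:
        failures.append("is a dictionary/slang word")
    return failures


def is_strong(password: str, platform: str = "unix") -> bool:
    """True when the password meets every minimum characteristic."""
    return not check_password(password, platform)
```

The stripped-word test is what catches the common "dictionary word plus a digit and a symbol" pattern that passes the other three checks.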

Policy Source: DEP 390
Security Category: Data Integrity
Policy Statement: Controls will be established to ensure the accuracy and completeness of data. User management will ensure data comes from the appropriate source for the intended use. The owner will establish controls commensurate with the value of information being maintained in the system.
Specific Requirements: Examples of controls are: parity checks; control totals; selected field verification; time stamps and sequence numbering; reconciling data submitted against data processed and returned; a batch log of data submitted for processing; and encryption of stored data.
Question to Pose Developer: Are controls established to ensure the integrity of data entered by authorized users as it is obtained, transmitted, and stored?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Transaction Controls
Policy Statement: Owners will establish transaction controls commensurate with the value of information being maintained in the system.
Specific Requirements: Examples of controls are: design, implementation, operation, maintenance and use of the system acting as a check upon each other; access rights to data and programs based on specific job requirements of users as well as data processing organizations; separation of responsibilities to prevent a single individual from violating the protection mechanisms of the system; not allowing information processing personnel to originate or authenticate transactions; separate responsibilities for development, testing, and maintenance; and restricting programmers and analysts from having unlimited access to programs and data files used for production runs.
Question to Pose Developer: What transaction controls are in place to ensure information is controlled commensurate with its value? If related to financial data, are transactions recorded, along with the user identification, in order to track responsibility for each transaction?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Testing
Policy Statement: The test environment will be kept either physically or logically separate from the production environment. Copies of production data will not be used for testing unless the data has been desensitized or unless all personnel involved in testing are otherwise authorized access to the data.
Question to Pose Developer: Are the application development, testing, and production environments separated?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Testing Controls
Policy Statement: All program changes will be approved before implementation to determine whether they have been authorized, tested, and documented.
Question to Pose Developer: Are change management processes established to ensure program changes are tested and approved before production?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: General Application Security
Policy Statement: Network access to an application containing critical or confidential data, and data sharing between applications, will be as authorized by the application owners and will require user authentication validation. The owner of applications containing non-critical or non-confidential data will likewise establish criteria for access and user validation, particularly on systems authorized for public use.
Question to Pose Developer: Are only authorized users allowed access, through proper validation, to the application containing critical or confidential data?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Encryption
Policy Statement: While in transit, information which is confidential, or information which in and of itself is sufficient to authorize disbursement of state funds, will be encrypted if sending stations, receiving stations, terminals, and relay points are not all under positive state control, or if any are operated by or accessible to personnel who have not been authorized access to the information, except under the following conditions: the requirement to transfer such information has been validated and cannot be satisfied with information which has been desensitized; and the Department Head has documented his acceptance of the risks of not encrypting the information based on evaluation of a risk analysis which evaluates the costs of encryption against exposures. The need for encryption will be determined based on risk analysis.
Specific Requirements: Compliance with the STO Encryption Policy is mandatory for all agencies. DEP must determine if it has data which requires the protection dictated here.
Question to Pose Developer: Does the application involve the collection, transmission, or storage of confidential information or state fund disbursement data? If so, is the data encrypted such that only authorized users are allowed access?
Yes/No/NA: ______

Policy Source: Best Practice
Security Category: Encryption
Policy Statement: Activities that store or transmit sensitive information may require encryption to ensure that the information remains confidential. These activities might be part of a mainframe client/server application, sending information via the Internet, or the protection of an individual's e-mail and personal files at the desktop.
Question to Pose Developer: If the application will handle confidential/sensitive information, are there provisions to ensure the information is first encrypted?
Yes/No/NA: ______

Policy Source: Best Practice
Security Category: Encryption
Policy Statement: Encrypt information placed on an external public network (e.g. Internet) if confidential or sensitive, or required by Federal regulations on consumer privacy. The same applies for Intranets when information should not be viewed by the general computer user.
Specific Requirements: Examples of such information are HR data, health-related data on individuals, audit trails/logs, security event data, passwords, etc.
Question to Pose Developer: If the application contains or presents confidential information, is it encrypted to ensure only authorized users can access it?
Yes/No/NA: ______

Policy Source: Best Practice
Security Category: Encryption
Policy Statement: An individual user must use approved encryption products and processes for sending encrypted mail, protecting desktop files, etc.
Specific Requirements: May apply to application development?
Question to Pose Developer: If encryption is required, do the methods and tools used for encryption follow the established standards?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Data Backup
Policy Statement: Data and software essential to the continued operation of critical agency functions will be backed up. The security controls over the backup resources will be as stringent as the protection required of the primary resources.
Specific Requirements: The information owner will determine what information must be backed up, in what form, and how often, in consultation with BIS.
Question to Pose Developer: Are backup procedures and schedules incorporated into the planning, based on the value of the information?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Disaster Recovery / Business Resumption
Policy Statement: All critical information resource functions crucial to the continuity of governmental operations should have written and cost-effective disaster recovery plans to provide for the prompt and effective recovery of these critical functions after a disaster has occurred.
Specific Requirements: A backup recovery plan for each application should exist as part of the agency's overall COOP business recovery plan.
Question to Pose Developer: Are backup tapes scheduled and recovery plans drafted specific to the needs of the application, such that it could be fully recovered and brought back into production?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Hardware System Acquisitions
Policy Statement: The owner will establish appropriate information security controls for new hardware systems. Each phase of systems acquisition will incorporate corresponding development or assurances of security and appropriate controls relating to security, development and documentation.
Question to Pose Developer: If new hardware systems are bought to support the application, are all security configurations set and adequate on the system, to ensure hosted applications are not compromised?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Application Development
Policy Statement: Computer security needs must be addressed as part of the Information Systems Development Methodology (ISDM) when developing new or making modifications to existing applications if the system or data affected by these applications must be protected from accidental or malicious access, use, modification, destruction, or disclosure.
Question to Pose Developer: Is application security addressed throughout the ISDM process?
Yes/No/NA: ______

Policy Source: Best Practice
Security Category: Data Content
Policy Statement: Ensuring the privacy, confidentiality, security, and integrity of the data to the satisfaction of the audience and legal authorities.
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Virus Protection
Policy Statement: Systems designed to hold applications or other services must have virus protection.
Specific Requirements: When new development requires servers and other computer hardware, the owner must ensure virus protection is applied and maintained on the hosting system.
Question to Pose Developer: Does the application host have virus protection?
Yes/No/NA: ______

Policy Source: DEP 390
Security Category: Security Training
Policy Statement: Personnel responsible for information technology resources must be aware of the Information Security policies and must be knowledgeable about effective security practices for the technical environment under their control.
Specific Requirements: Application users must be knowledgeable of their security responsibilities, based on the level of access given, etc.
Question to Pose Developer: Are application users trained on their security responsibilities as they relate to the use of the application?
Yes/No/NA: ______

Policy Source: Best Practices
Security Category: Audit Features
Policy Statement: Audit features are enabled. The audit log captures the following: repeated failed login attempts, unusual processes run by users, unauthorized attempts to access restricted files, processes that are run at unexpected times, processes that terminate prematurely, unusual processes, unexpected shutdowns, and unexpected reboots.
Specific Requirements: Related to applications.
Yes/No/NA: ______

Policy Source: Best Practices
Security Category: Administrator Accounts
Policy Statement: The administrator's account is locked out after 5 bad logon attempts.
Specific Requirements: An application has an administrator account. Those accounts should lock out after 5 failed logins, to prevent brute force attempts to obtain access.
Question to Pose Developer: Do applications limit admin accounts to five failed logins?
Yes/No/NA: ______

Policy Source: Best Practices
Security Category: User Accounts
Policy Statement: The user is locked out after 5 bad logon attempts.
Question to Pose Developer: Do applications that require access control limit a user's failed attempts to 5 and lock out?
Yes/No/NA: ______
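The password-storage, audit-journal and lockout items above (passwords never stored in clear text or a reversible form; journals recording date/time, user identification and sign-on/sign-off activity; accounts locked after 5 bad logon attempts) combined in one small authentication gate. This is an added example, not DEP code: AuthStore, its in-memory user table and the sample credentials are constructed assumptions, and salted PBKDF2 from the Python standard library is used as the non-reversible storage form.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

LOCKOUT_THRESHOLD = 5    # bad logon attempts before lockout, per the checklist
PBKDF2_ROUNDS = 100_000  # work factor for the one-way password hash


class AuthStore:
    def __init__(self):
        self._users = {}     # user id -> salt, one-way hash, failure count, lock flag
        self.audit_log = []  # (UTC date/time, user id, event) journal entries

    def _record(self, user_id, event):
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append((ts, user_id, event))

    def add_user(self, user_id, password):
        # Only a random salt and a salted PBKDF2 digest are stored: the
        # clear-text password is not kept and cannot be reversed from these.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user_id] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}

    def stored_fields(self, user_id):
        return sorted(self._users[user_id])

    def is_locked(self, user_id):
        return self._users[user_id]["locked"]

    def sign_on(self, user_id, password):
        rec = self._users.get(user_id)
        if rec is None:
            self._record(user_id, "sign-on failed: unknown user")
            return False
        if rec["locked"]:
            self._record(user_id, "sign-on refused: account locked")
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, rec["hash"]):  # constant-time comparison
            rec["failures"] = 0
            self._record(user_id, "sign-on")
            return True
        rec["failures"] += 1
        self._record(user_id, f"sign-on failed ({rec['failures']} of {LOCKOUT_THRESHOLD})")
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True  # stays locked until an administrator resets it
            self._record(user_id, "account locked after repeated failed logon attempts")
        return False

    def sign_off(self, user_id):
        self._record(user_id, "sign-off")


def demo():
    """Five bad attempts lock 'jdoe' and block the sixth, correct, attempt;
    'asmith' signs on and off normally. Credentials are constructed samples."""
    store = AuthStore()
    store.add_user("jdoe", "Tr3e$Hou")
    bad = [store.sign_on("jdoe", f"wrong{i}!") for i in range(LOCKOUT_THRESHOLD)]
    refused = store.sign_on("jdoe", "Tr3e$Hou")
    store.add_user("asmith", "R1ver!Bend")
    ok = store.sign_on("asmith", "R1ver!Bend")
    store.sign_off("asmith")
    return {"bad": bad, "locked": store.is_locked("jdoe"), "refused": refused,
            "ok": ok, "stored": store.stored_fields("jdoe"),
            "events": [event for _, _, event in store.audit_log]}
```

The same threshold is applied to administrator and user accounts, matching the two lockout rows; the journal entries are what an auditor would read to trace the repeated failures and the resulting lockout.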
