Property of MWAA
Standard Operating Procedure (SOP):
Information Security Standard
Requirements for Software as a Service
Metropolitan Washington Airports Authority
1 Aviation Circle
Washington, DC 20001-6000
Metropolitan Washington Airports Authority – Office of Technology Standard Operating Procedure
Title: Information Security Standard Requirements for Software as a Service
ID Number: SEC-DOC-SS001.01
Effective Date: TBD
End-of-Life Date: TBD
Related Documents:
Office of Technology Standards Policy
Office of Technology Standards – Attachment A Technology Purchase Exception Policy
TABLE OF CONTENTS
1.0 Introduction ... 3
1.1 Point(s) of Contact ... 3
1.2 Purpose ... 3
1.3 Objectives ... 3
1.4 Scope ... 3
1.5 Areas Impacted ... 3
2.0 Standards ... 3
2.1 Infrastructure ... 4
2.2 Physical Security ... 4
2.3 Administrative Security ... 4
2.4 Logical Security ... 5
2.5 Other ... 5
3.0 Exceptions ... 5
4.0 Non-Compliance ... 5
5.0 Document Control ... 5
6.0 Supporting Documentation ... 5
1.0 Introduction
1.1 Point(s) of Contact
Goutam Kundu, Chief Information Officer, (703) 417-8762.
Kevin James, Director Information Security, (703) 417-8363.
Alourdes Bornelus, MA600 Technical Writer, (703) 417-3937.
Technology Service Desk, (703) 417-TECH (8324).
1.2 Purpose
The Airports Authority relies on Software as a Service (SaaS) solutions for much of its information technology processing. These Information Security Standard Requirements ensure the continuous and secure delivery of Airports Authority web-based applications.
1.3 Objectives
Set minimum Infrastructure Security Requirements for all SaaS Solution Providers.
Set minimum Physical Security Requirements for all SaaS Solution Providers.
Set minimum Administrative Security Requirements for all SaaS Solution Providers.
Set minimum Logical Security Requirements for all SaaS Solution Providers.
Set other minimum SaaS Security Requirements as required by the Airports Authority.
1.4 Scope
The scope of this Information Security Standard covers all Airports Authority employee/contractor users and all computers running on the Airports Authority networks. This document serves as the standard for the Airports Authority, its projects, and its vendors.
1.5 Areas Impacted
Units within MA-600 and its vendors shall apply these prescribed standards to manage all SaaS data, application, and system development, testing, and implementation, where possible. All exceptions to this Information Security Standard must be approved in writing by the Airports Authority Chief Information Officer.
2.0 Standards
The Office of Technology has established these Information Security Standard Requirements for all SaaS applications that operate for the Airports Authority.
The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issues a Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (SOC) certification.
SaaS Solution Providers who can provide proof of current SSAE 16 (SOC2) certification may substitute that certification for the Infrastructure, Physical, Administrative, and Logical controls required by this standard. SSAE 16 (SOC2) certification means that a SaaS Solution Provider meets or exceeds the Airports Authority Information Security Standard Requirements.
2.1 Infrastructure
All SaaS Solution Providers must maintain a technology Infrastructure using layered security measures that include, but are not limited to, the following:
Maintain firewalls.
Implement an intrusion prevention system (IPS) and an intrusion detection system (IDS).
Log all security events and alerts.
Implement an industry-standard security configuration for servers (i.e. DISA STIGs).
2.2 Physical Security
All SaaS Solution Providers must adhere to the following Airports Authority Physical Security requirements:
Guarantee controlled physical access to all data centers.
Maintain working security cameras inside all data centers.
Lock all server racks.
2.3 Administrative Security
All SaaS Solution Providers must adhere to the following Airports Authority Administrative Security requirements:
Conduct security awareness training for all staff.
Develop a comprehensive Information Security policy and distribute it to all staff.
Develop, test, and implement incident response procedures.
Develop, test, and implement a disaster recovery plan.
Develop and implement change/configuration management processes.
Ensure that all SaaS data is backed up or replicated off-site.
2.4 Logical Security
All SaaS Solution Providers must adhere to the following Airports Authority Logical Security requirements:
Provide role-based access controls.
Log all application/database change events.
Provide two-factor authentication for remote access and Remote Desktop Protocol (RDP) access by the Solution Provider's administrative staff.
2.5 Other
All Airports Authority SaaS applications shall support single sign-on (SSO) via SAML 2.0, WS-Federation, or a similar industry-standard authentication protocol, so that all Airports Authority users may access the SaaS solution using their MWAA IDs and passwords.
3.0 Exceptions
Exceptions to this standards document must be approved by the Airports Authority Chief Information Officer.
4.0 Non-Compliance
Violations of this standards document shall be treated like other evidence of wrongdoing at the Airports Authority. Poor performance or misconduct shall be adjudicated according to established Airports Authority procedures and the Office of Technology Policy Library.
5.0 Document Control
The most recent version of this document available in the Official Document Library shall be the only official controlled copy. Any duplication of this document shall be considered an uncontrolled version.
6.0 Supporting Documentation
All supporting documentation and related/required frameworks associated with this procedure document are listed on the MA-600 (Office of Technology) Livelink homepage.