• No results found

Third party Web hosting services security Policy

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Third party Web hosting services security Policy"

Copied!
6
0
0

Loading.... (view fulltext now)

Download now ( 6 Page )

Full text

(1)

Office of the Prime Minister

Policy document

CIMU P 0013:2003

Version: 2.0

Effective date: 09.04.2003

Third party Web hosting services security Policy

1.

Policy statement

i) General

The Government of Malta (Government) requires the secure provision of third party Web hosting services to Government Entities.

Web hosting services security requires that a third party Web hosting services provider maintains the integrity of a Government Entity’s Web site through physical and logical security at the Data Centre and on the technology deployed. Should the third party Web hosting services provider use the Agent as intermediary, then the third party Web hosting services provider shall access data through the Agent’s Demilitarised Zone (DMZ).

Web hosting services security requires that a third party Web hosting services provider establishes and maintains its own DMZ.

ii) Web hosting server technology

Web hosting server technology for third party Web hosting services to a Government Entity shall be subject to the following : (i) the Web hosting server technology shall operate from a Data Centre that is physically located in Malta, that is secure and that guarantees logical information security, based on European recognised standards as specified in the Supporting Documents section of this Policy (ii) the Web hosting server technology shall be equipped for business continuity purposes, and (iii) the administration of the Web hosting

(2)

server technology shall require documented security procedures that shall be available for audits.

iii) Network

The network between the third party Web hosting services provider and the Government Entity shall be secure from unauthorised access.

iv) Implementation

The target population are : (i) Government Entities and (ii) third party Web hosting services providers.

Implementation from a security point of view shall be backed by :

(i) A Service Level Agreement, between the third party Web hosting services provider and the Government Entity, that shall comply with this Policy.

(ii) A Declaration of Security Conformance, issued by the third party Web hosting services provider to the Government Entity, copied to CIMU. This Declaration shall be used as another reference for the selection of a third party Web hosting services provider. It shall be the responsibility of the third party Web hosting services provider to ensure, on an on-going basis, that services provided via an Internet services provider are subject to the Declaration of Security Conformance. (iii) Internal security audits, by the third party Web hosting services provider on its

operations, for Security Conformance purposes. Records shall be maintained in the process. The third party Web hosting services provider shall carry out timely and effective follow-up action to satisfactorily close items arising in the internal security audits. The third party Web hosting services provider shall maintain records of the actions taken.

(iv) Security Compliance checks, by CIMU on the third party Web hosting services provider. CIMU shall maintain records in the process. The third party Web hosting services provider shall carry out timely and effective follow-up action to satisfactorily close items arising in the external security audits. The third party Web hosting services provider shall maintain records of the actions taken. Implementation shall be within the context of: (i) CIMU P 0012:2003 Third party Web hosting services Policy (ii) MSA BS 7799 Part 2:2003 (Information security management. Specification with guidance for use), (iii) CIMU P 0016:2003 Information Security Policy (iv) Convention on Cyber Crime ETS No. 185 (signed by Government on 17.01.2002, but still to be ratified) and (v) Laws of Malta and regulations by statutory bodies.

v) Policy violations

Abuse or misuse of third party Web hosting services by the Government Entity and/or the third party Web hosting services provider in terms of the Telecommunications (Regulation) Act, Electronic Commerce Act, the Data Protection Act and the Computer misuse provisions of the Criminal Code shall be treated as an offence.

(3)

2.

Purpose

The objective of this Policy is to ensure that third party Web hosting service providers provide secure third party Web hosting services to Government Entities.

3.

Who should know this Policy

Knowledge of this Policy should extend up and down the organisations concerned and be wide spread within them.

• Chief Information Management Officer

(CIMO) • Head of Government Entity

• CIMU Communications Executive • Head of Third party Web hosting services provider

• Head of Agent • Head of Internet services provider

• Ministry of Justice and Local

Government • Head of MCA

• Information Management Officers (IMOs)

4.

Scope of applicability

The provisions of this document apply to the security of third party Web hosting services provided to Government Entities by third party Web hosting services providers that (i) operate the services through the Agent or independently and (ii) host Web sites published under the

gov.mt domain.

5.

Definitions

Agent - a trusted organisation that has the mandate by Government to provide Information

and Communications services .

Computer network - a network of data processing nodes that are interconnected for the

purposes of data communication.

Data Centre - a facility that includes personnel, hardware and software organised to provide

information processing services.

Declaration of Security Conformance - a documented statement issued by the third party

Web hosting service provider to the Government Entity; by which the third party Web hosting service provider declares, under its sole responsibility, conformance to this Policy. In the event that the third party Web hosting services provider does not act as an Internet services provider, the Declaration of Security Conformance shall also cover the Internet services provider that provides services to the third party Web hosting services provider. The

(4)

Declaration shall also include the reference number of registration with the MCA. This Declaration shall be considered as separate from the Declaration of Conformance.

Demilitarised Zone (DMZ) - the organisation’s "neutral zone" between the organisation’s

computer network and the external network to prevent outside users from getting direct access to internal computer servers that have data. Outside users can only have access to the DMZ that may typically also have Internet resources that could be served to the outside world.

Government Entity - a Government Ministry, Department, Local Government or Public

Sector entity.

Security Compliance -the process performed by CIMU or by an independent body to

check that a service provided satisfies the security criteria set in a referenced document.

Security Conformance - the correspondence by a service to the security criteria set in a

referenced document.

Third party Web hosting service - the process in which a third party services provider

furnishes a Government Entity with a Web site presence.

Third party Web hosting service provider - a local private organisation having a physical

Web hosting presence under Maltese jurisdiction and be compliant with the applicable authorisation requirements of the MCA..

6.

Roles and responsibilities

For the purpose of this Policy, the following roles and responsibilities have been identified:

Role Responsibility

1. Chief Information Management Officer (CIMO)

i. To maintain this Policy.

ii. To audit for security compliance. 2. CIMU Communications

Executive i. To publish this Policy.

ii. To liaise appropriately with the Agent with regards to the publication of this Policy on the CIMU Website.

3. Head of Agent

(5)

4. Head of Government

Entity i. To direct the Government Entity according to the provisions found in this Policy. ii. To grant access to the Government

Entity’s Web site once the appropriate controls have been implemented and the terms for connection or access have been defined and agreed upon in a contractual agreement.

5. Head of third party Web

hosting services provider i. To have a publicly declared target dates to achieve accredited certification to MSA BS 7799 Part 2:2003 for the scope of applicability of this Policy.

ii. To operate Web hosting services according to the provisions of this Policy. iii. To establish and maintain its own DMZ. iv. To audit for Security Conformance. v. To conduct timely and effective follow-up

action to satisfactorily close items arising in internal and external security audits. vi. To keep updated on vulnerabilities that

effect the Web hosting services environment and have the latest security fixes in place.

6. Head of Internet services

provider i. To operate according to the provisions of the Declaration of Security Conformance issued by the third party Web hosting services provider.

7.

Supporting Documents

In support of this Policy, the following Standard shall apply:

01. MSA BS 7799 Part 2:2003 Information security management. Specification with guidance for use.

8.

References

01. The Telecommunications (Regulations) Act – Chapter 399

http://www.justice.gov.mt

02. Data Protection Act – Chapter 440

http://www.justice.gov.mt

(6)

http://www.justice.gov.mt

04. Article 337 of the Criminal Code – Chapter 09

http://www.justice.gov.mt

05. Code of practice for Internet Service Providers

http://www.mca.org.mt

06. Convention on Cyber Crime ETS No. 185

http://conventions.coe.int

07. Third party Web hosting services Policy

http://www.cimu.gov.mt

08. Information Security Policy

http://www.cimu.gov.mt

9.

Modification history

Version

Date

Changes

1.0 19.06.2002 Initial release 2.0 09.04.2003 Updated release

10.

Maintenance and review cycle

Maintenance of this Policy shall be based on a twelve month cycle.

Signature and stamp

Joseph R. Grima

References

Download now ( PDF - 6 Page - 25.97 KB )

Related documents

sponsorship opportunities

Inclusion on Event Materials Logo/Name on Title Card During Streamed Program Melt-at-Home Kit for Two Inclusion on Event Website Verbally Thanked During Streamed Program Listing

Questions and Answers

• introduce choice by giving employers a choice of purchasing work-related personal injury insurance for their workers from either ACC or a private insurer?. For more detail of

Problem Behavior of a Child With Autism and Problem Behavior of a Typically-Developing Sibling Moderated by Maternal Parenting Stress

After outlining these foci, I posed the following research question: What is the relationship between the level of problem behavior exhibited by a child with autism and the level

AdParlor Special Report: The State Of Facebook Mobile Advertising

The targeted nature and organic in-stream placement of mobile Facebook ads make this form of advertising an attractive option for businesses to drive users to their fan page,

Public Management as Citizen Compliance: A Case Study of Income Tax Compliance Behavior in Thailand

This study offers three major contributions to academics and practitioners as follows. First, this study theoretically benefits the fields of public administration and

Application of High-Throughput DNA Sequencing Technologies in the Metagenomic Study of Marine Biofilms

Once the initial bioinformatics steps including data acquisition, organization and storage are completed, the data-driven phase of bioinformatics begins. Although there are

Establishment and confirmation of heterotic groups and genetic diversity assessment of maize inbred lines using microsatellite data

In spite of disagreements among different types of data (pedigree, combining abilities, molecular genetics data), molecular markers are valuable tool that could help

Genetic relatedness and population structure within the public Argentinean collection of maize inbred lines

For instance, in- bred line 86, which showed a high level of hetero- zygosity but carried only one minor allele (and was classified as a mixed inbred in the STRUCTURE k=3 analysis