Skip Maine state header navigation

Agencies | Online Services | Help

State of Maine Seal

Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology

 

 

Remote Hosting Policy

 

I. Statement

This Policy establishes the requirements and responsibilities for hosting Maine State computer applications by external hosting vendors.

 

II. Purpose

As Maine State computer applications continue to be hosted by external vendors, it is important that the citizens and partners of Maine State Government receive a uniformly high level of service from such external vendors. Should the quality of service provided by external vendors fall below par, it will not only cause customer hardship, but it will also tarnish the electronic branding of the State of Maine. Moreover, should there be a security breach in a Maine State application hosted by an external vendor, there may also be additional legal and statutory ramifications, as well as adverse media coverage. It is for all these reasons that the Chief Information Officer has adopted this Remote Hosting Policy.

 

III. Applicability

This policy applies to any and all Maine State computer applications hosted by any party other than the Maine State Government. More specifically, it covers remotely hosted applications containing data owned by the Executive Branch and semi-autonomous State agencies, as well as remotely hosted applications from other Maine State Government branches that traverse the State’s wide area network.

 

IV. Responsibilities

A. HOSTING VENDORS: A Hosting Vendor shall

1. In the event of a security breach incident, notify the Contract Administrator within three hours of first knowledge.

 

2. Comply with the Maine Public Law 10 MRSA §1347 (Notice of Risk to Personal Data Act).

3. Ensure the following:

a. A secure hosting infrastructure of the utmost Confidentiality (No unauthorized access), Integrity (No tampering), and Authenticity (No impersonation).
b. Data in its custody should never be used, under any circumstances, for any purposes other than those agreed to in the hosting contract.
c. All hosts, servers and devices should have currently-supported and hardened operating systems, the latest anti-viral, anti-hacker, anti-spam, anti-spyware, and anti-malware utilities. The environment, as a whole, should have the most aggressive intrusion-detection and firewall protection.
d. At a minimum, 99% scheduled uptime, excluding planned downtime for maintenance.
e. Adequate capacity to ensure prompt response to both data inquiry/lookup and data modification transactions, at all times.
f. All hardware and software components of the hosting infrastructure should be fully supported by their respective manufacturers at all times.
g. A conservative sunset and migration schedule for all hardware and software components, as recommended by their respective manufacturers, at all times.
h. Periodic backups. The minimum acceptable frequency is differential backup daily, and complete backup weekly.
i. An aggressive regimen of patch management. All critical patches for operating systems, databases, web services, etc, should be applied within three working days of release by their respective manufacturers.
j. Complete backup-restore and disaster recovery tests from the appropriate media, once per annum.
k. Comply with the Records Retention Schedule of the Contracting Agency, as relevant to the data being hosted remotely.
l. Agree to transfer the data in its custody to another Hosting Vendor at the end of the hosting contract.
m. Submission to scheduled and random security audits, including vulnerability assessments, of the hosting infrastructure and/or the application, to be conducted under the auspices of the Enterprise Information Security Director.
n. Complete cooperation with the Enterprise Information Security Director in the detection of any security vulnerability of the hosting infrastructure and/or the application.
o. Expeditious remediation of any verifiable, infrastructural negligence.
p. Complete compliance with all Federal and Maine laws, regulations, statutes, policies, standards, and best practices relevant to internet-based hosting.

4. Submit the following detailed reports. All reports should be submitted to the Contract Administrator. Unless otherwise stated, these reports should be filed initially at the inception of the contract, and subsequently, once per annum, as well as corresponding to every substantive change in the subject matter of the relevant report.

a. Uptime and Unplanned Outage Report. This report should be submitted once per quarter.
b. Planned Downtime Notice. This notice should be submitted at least one week prior to the event.
c. Physical access controls for the hosting site.
d. Internal security awareness training curriculum and schedule. Should include the syllabus, the class schedule for new employees, annual refresher training, and any emergency, ad-hoc training.
e. Self-audit on software and hardware modifications, patches applied, etc. This report should be submitted at least twice per annum.
f. Backup-restore and disaster recovery procedures, and the results of the annual tests.
g. Security Breach Incident Reporting mechanism.
h. Production Change Management procedure.
i. Password Policy.
j. Event Logging & Auditing practices for Networks, Operating Systems, Applications, and Databases.
k. Installation/Configuration and Maintenance documentation.
l. Any other relevant, internal security-related standards, policies, procedures, best practices, etc, that govern the hosting infrastructure and/or the application, including, the results of any third-party audits.

 

B. ENTERPRISE INFORMATION SECURITY DIRECTOR: The Enterprise Information Security Director shall

1. Direct scheduled and random security audits, including vulnerability assessments, to the hosting infrastructure and/or the application.

 

2. Coordinate the security auditing with the Agency Information Technology Director (AITD) of the Contracting Agency and the Hosting Vendor, in case of scheduled audits.

3. Alert the AITD of the Contracting Agency should an information security deficiency be discovered, and subsequently recommend a remediation strategy. At her/his discretion, the Enterprise Information Security Director may recommend the shutdown, or reduced operation, of the hosting infrastructure and/or the application, indefinitely.

4. Evaluate all notifications and submissions from the Hosting Vendor, and act upon them, as appropriate, including recommending the shutdown, or reduced operation, of the hosting infrastructure and/or the application, indefinitely.

5. Determine, in the event of a security vulnerability and/or an actual security breach, whether it was caused by infrastructural negligence on the part of the Hosting Vendor.

C. AGENCY INFORMATION TECHNOLOGY DIRECTOR: The AITDs shall

1. Assist the Enterprise Information Security Director in the implementation of this Policy.

2. Ensure that the hosted application complies with the Deployment Certification Policy for Major Applications and the Website Acceptance Policy prior to its deployment.

3. Evaluate the business impact of a security breach incident notification from the Hosting Vendor, and liaise with the affected business stakeholders of the Contracting Agency.

4. Evaluate the business impacts of the Uptime and Unplanned Outage Report and the Planned Downtime Notice from the Hosting Vendor, and liaise with the affected business stakeholders of the Contracting Agency.

D. CONTRACT ADMINISTRATOR: The Contract Administrator shall

1. Ensure that all pertinent Requests for Proposals, and resulting Contracts with vendors, contain language in accord with this Policy, and attendant standards, operating procedures and best practices.

2. Ensure that all pertinent Requests for Proposals, and resulting Contracts with vendors, contain language in accord with the Records Retention Schedule of the Contracting Agency, as relevant to the data being hosted remotely.

3. Act as the negotiator between the Enterprise Information Security Director and the AITD of the Contracting Agency on the one hand, and the Hosting Vendor on the other hand. Convey all communication from the Hosting Vendor to the Enterprise Information Security Director and the AITD of the Contracting Agency, and vice-versa.

4. Instruct this Hosting Vendor to transfer the data in its custody to another Hosting Vendor at the end of the hosting contract.

V. Guidelines & Procedures

A. Complete and exclusive ownership of the hosted data rests with the Contracting Agency, and is not subject to any conditions.

B. The remediation costs for any security vulnerability and/or an actual security breach, that unambiguously results from verifiable, infrastructural negligence on the part of the Hosting Vendor, shall be borne entirely by the Hosting Vendor. In addition to the contents of this Policy, current computer security industry best practices, as defined by premier computer security industry guilds and consortiums, will be used to determine as to what constitutes infrastructural negligence on the part of the Hosting Vendor. The Enterprise Information Security Director shall remain the final arbiter in this matter.

C. The remediation of a security vulnerability and/or an actual security breach in the application proper, as opposed to the underlying infrastructure, is considered an enhancement to the application, and should be pursued by the Contracting Agency outside the scope of this Policy.

D. The Maine Office of Information Technology will propose, adopt and implement standards, operating procedures and best practices in support of this Policy.

VI. Definitions

1.      APPLICATION: A subclass of computer software that produces results of direct value to its users. The Application is contrasted with system software that manages a computer's internal functions but does not deliver any result of direct value to its users.

2.      AITD: For the purpose of this Policy, the term AITD is construed to mean not just the Agency Information Technology Directors in the Executive Branch of Maine State Government, but also their analogous counterparts in the Legislative and Judicial Branches and Constitutional Officers, who provide technical leadership and customer liaison in their respective agencies and departments.

3.      INFRASTRUCTURE: Encompasses all aspects of information technology other than the Applications proper. It consists of devices, networks, servers, operating systems, databases, webservers, firewalls, intrusion detection, etc.

4.      HOSTING VENDOR: A commercial entity, external to the Maine State Government, that hosts a Maine State computer application. The Hosting Vendor is contrasted with the Application Vendor, ie, a commercial entity that creates a Maine State computer application.

5.      CONTRACT ADMINISTRATOR: The officer of the State of Maine agency or department that is the signatory to the remote hosting contract with the Hosting Vendor.

6.      CONTRACTING AGENCY: The State of Maine agency or department whose business is being served by the remote hosting contract with the Hosting Vendor.

VII. References

1.      Deployment Certification Policy for Major Application Projects

2.      Website Acceptance Policy

3.      Policy to Govern Information Security Risk Assessments and to Ensure the Prompt Remediation of Deficiencies

VIII. Document Information

 

1.  Document Reference Number: 11

 

2.  Category: Computer Environment and Platform

 

3.  Adoption Date: January 8, 2007

 

4.  Effective Date: January 8, 2007

 

5.  Review Date: January 8, 2009

 

6.  Point of Contact:  Paul Sandlin, eGovernment Services, Office of Information Technology, State House Station #138, Augusta, ME 04333, Telephone: (207) 624-9427

 

7. Approved By:  Richard B Thompson, Chief Information Officer, State House Station #138, Augusta, ME 04333, (207) 624-7568.

 

8.  Position Title(s) or Agency Responsible for Enforcement:  Mark Kemmerle, Enterprise Information Security Director, Office of Information Technology, State House Station #145, Augusta, ME 04333, (207) 624-8892.

 

9.  Legal Citation:

 

10.  Waiver Process: Contracting Agencies may sometimes have unique remote hosting requirements that may necessitate certain exception(s) to this default Policy. A written application should be made to the CIO under such circumstances, explaining the rationale for specific exception(s). Subject to the CIO’s approval, the Contracting Agencies may then fashion actual contracts containing such exception(s).