Maine State Government
Dept. of Administrative & Financial Services
Office of Information Technology (OIT)
Establish requirements and
responsibilities for remote-hosted Maine State computer applications.
Maine State Government expects all
remote-hosted environments to be secure, reliable, and to utilize
fully-supported infrastructure. This is
critical due to the potential stakeholder hardship, State of Maine branding
impact, legal and statutory ramifications, and adverse media coverage resulting
from a security breach or service-quality issue. For these reasons, the Chief Information
Officer has adopted this Remote Hosting Policy.
This policy applies to all Maine
State Executive Branch remote-hosted information assets and any remote-hosted information
assets (regardless of the Branch) utilizing the State wide area network. For policy purposes, OIT-Housing is
considered Remote Hosting. Consumer-grade
mass-market applications (such as Dropbox, Quickbase, etc.) are exempt.
Notify the Contract Administrator within three hours of first
knowledge of a security breach.
Participate in all compliance audits identified in the contract.
Comply with data ownership as defined in the contract.
Provide support with Freedom of Access Act (FOAA) requests
and incident investigations.
Cyber liability of the Remote Hosting vendor is a function of the service that
is actually being consumed. More specifically, the vendor is liable for any
cyber security vulnerability in the services actually consumed. Thus, for SaaS,
the entire cyber liability is borne by the vendor. For PaaS, the vendor's cyber
liability is limited to the Development and/or Deployment framework actually
being consumed. For IaaS, the vendor's cyber liability is limited to the
computing infrastructure, such as Processor, Storage, Operating System, etc.,
actually being consumed; everything layered on top of it is the State's responsibility.
Ensure the following:
a. A secure hosting infrastructure that ensures
(i) Confidentiality (no unauthorized disclosure)
(ii) Integrity (no tampering)
(iii) Authenticity (no impersonation)
b. All hosts, servers and devices run
currently-supported and hardened operating systems and the latest anti-malware utilities,
and have the most aggressive intrusion-detection and firewall protection.
c. All hosting infrastructure hardware
and software components are fully supported by their respective manufacturers, at all times.
d. An aggressive regimen of patch
management. All critical patches for operating systems, databases, web
services, commodity applications, etc., are tested prior to deployment and are applied
within two weeks of release by their respective manufacturers.
e. A sunset and migration plan for all
hardware and software, in alignment with the respective manufacturers’
published best practices.
f. A minimum of 99% scheduled uptime,
excluding planned downtime for maintenance.
g. A Disaster Recovery site with all the
capabilities of the Primary site; utilizing a completely independent
infrastructure stack and geographically separated by a minimum of one hundred
miles from the Primary site. Both sites
must be within the Continental United States.
h. A full Disaster Recovery exercise
within one year of project go-live, repeated annually thereafter, and signed
off by the Agency. This includes
complete backup-restore tests from the appropriate medium once per annum. This exercise must be coordinated and
scheduled with the Contract Administrator.
i. Periodic backups occur on a
regularly scheduled basis. Backup
frequency and backup retention are based on Contracting Agency needs for
ensuring business continuity and data integrity. The minimum acceptable backup frequency
is differential backup daily, and complete backup weekly.
j. Hosting infrastructure complies with the
highest industry standards of data security for any remote hosted contents that
include Personally Identifiable Information (PII). At the least, the data center must be
certified to SSAE 16 SOC 2 Type II.
It is preferred that the data center be certified to FISMA
Level 3 ATO and/or FedRAMP CSP. Any
device that stores PII or other High-Risk data must encrypt it at rest to
AES-256 strength. Any transmission of PII
or other High-Risk data must be encrypted to at least TLS 1.0 strength.
k. Data in its custody is never used
for any purposes other than those agreed to in the hosting contract.
l. Data residency remains in the
Continental United States at all times.
m. Adequate capacity to ensure prompt
response to both data inquiry/lookup and data modification transactions, at all times.
n. Compliance with Records Management
requests. Full compliance with the
Records Retention Schedule of the Contracting Agency occurs as relevant to the
data being hosted remotely. This shall
be minimally in accordance with the Maine State
Archivist Records Management General Schedule.
o. Upon termination of the contract,
all Agency data must be transferred to another Hosting Vendor. The Hosting Vendor supports audit verification that all
data necessary for records retention, access
logging, investigations and FOAA has been transferred, and that no data is retained once the
transfer is complete and receipt and usability have been confirmed.
p. Full, timely participation in scheduled
and random security audits, including hosting infrastructure and/or the
application vulnerability assessments, conducted under the auspices of the
Office of Information Technology’s Enterprise Security Officer (ESO).
q. Complete cooperation with the ESO in
the detection and remediation of any hosting infrastructure and/or the
application security vulnerability.
r. Expeditious remediation of any
verifiable infrastructural negligence.
s. Complete compliance with all
Federal and Maine laws, regulations, statutes, policies, standards, and best
practices relevant to internet-based hosting.
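Two of the requirements above are measurable from the Hosting Vendor's own self-audit and backup reports: item d (critical patches applied within two weeks of release) and item i (at minimum a differential backup daily and a complete backup weekly). The following Python script is an added example of the checks a Contract Administrator or the ESO could run over such a report; it is not part of this Policy, and the report layout, field names and sample records are assumptions constructed for illustration.

```python
"""Added example: check a Hosting Vendor self-audit report against two
measurable requirements of the Remote Hosting Policy.

Assumptions (not prescribed by the Policy): the vendor report is a list of
patch records with 'id', 'severity', 'released' and 'applied' dates, and a
list of backup records with 'date' and 'kind' ('differential' or 'full').
"""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # item d: "within two weeks of release"


def late_critical_patches(patches, as_of, window=PATCH_WINDOW):
    """Return (patch_id, days_late) for every critical patch applied after
    its two-week deadline, or still unapplied as of `as_of`.
    Non-critical patches are outside the scope of item d and are skipped."""
    findings = []
    for p in patches:
        if p["severity"] != "critical":
            continue
        deadline = p["released"] + window
        # An unapplied patch is measured against the report date.
        applied = p["applied"] if p["applied"] is not None else as_of
        if applied > deadline:
            findings.append((p["id"], (applied - deadline).days))
    return findings


def backup_cadence_gaps(backups, period_start, period_end):
    """Return (days_without_backup, blocks_without_full) for the period.
    Any backup on a day satisfies the daily requirement, because a complete
    backup is a superset of a differential; each 7-day block counted from
    period_start must contain at least one complete ('full') backup."""
    by_day = {}
    for b in backups:
        by_day.setdefault(b["date"], set()).add(b["kind"])

    missing_days = []
    day = period_start
    while day <= period_end:
        if day not in by_day:
            missing_days.append(day)
        day += timedelta(days=1)

    blocks_without_full = []
    block_start = period_start
    while block_start <= period_end:
        block_end = min(block_start + timedelta(days=6), period_end)
        ndays = (block_end - block_start).days + 1
        has_full = any("full" in by_day.get(block_start + timedelta(days=i), ())
                       for i in range(ndays))
        if not has_full:
            blocks_without_full.append(block_start)
        block_start += timedelta(days=7)
    return missing_days, blocks_without_full


# Constructed sample report (not real vendor data).
REPORT_DATE = date(2020, 3, 31)
PATCHES = [
    {"id": "os-2020-001", "severity": "critical",
     "released": date(2020, 3, 1), "applied": date(2020, 3, 10)},   # on time
    {"id": "db-2020-002", "severity": "critical",
     "released": date(2020, 3, 1), "applied": date(2020, 3, 20)},   # 5 days late
    {"id": "web-2020-003", "severity": "critical",
     "released": date(2020, 3, 5), "applied": None},                 # still open
    {"id": "app-2020-004", "severity": "moderate",
     "released": date(2020, 3, 1), "applied": date(2020, 4, 1)},    # not critical
]
PERIOD_START, PERIOD_END = date(2020, 3, 2), date(2020, 3, 15)
BACKUPS = [{"date": date(2020, 3, 2), "kind": "full"}] + [
    {"date": date(2020, 3, d), "kind": "differential"}
    for d in (3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15)   # 12 March missing, no full in week 2
]

if __name__ == "__main__":
    for pid, days in late_critical_patches(PATCHES, REPORT_DATE):
        print(f"patch {pid}: exceeded the two-week window by {days} day(s)")
    missing, no_full = backup_cadence_gaps(BACKUPS, PERIOD_START, PERIOD_END)
    for d in missing:
        print(f"no backup of any kind on {d}")
    for d in no_full:
        print(f"no complete backup in the week starting {d}")
```

Run against the sample report, the script flags the two late critical patches (one applied five days past its deadline, one still unapplied), the day with no backup, and the second week with no complete backup. Findings of this kind are what the Contract Administrator passes to the ESO when deciding whether a gap amounts to verifiable infrastructural negligence.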
Submit the following detailed reports to the Contract Administrator. Unless otherwise noted
below, reports should be filed at contract inception, and subsequently, once
per annum, as well as corresponding to every substantive change in the subject
matter of the relevant report.
a. Uptime and Unplanned Outage Report: Should be submitted once per quarter.
b. Planned Downtime Notice: Should be
submitted at least two weeks prior to the event.
c. Physical access controls for the
d. Internal security awareness
training curriculum and schedule. Include the syllabus, new employee class
schedule, annual refresher training, and any emergency, ad-hoc training.
e. Self-audit on all software and
hardware, modifications, patches applied, etc. This report should be submitted
at least twice per annum.
f. Backup, restore, and disaster
recovery procedures and any associated test results. This includes results from the annual
Disaster Recovery exercise.
g. Security Breach Incident Reporting
h. Production Change Management
procedure, Password Policy, and any relevant, internal security-related
standards, policies, procedures, best practices, etc., that govern the hosting
infrastructure and/or application, including any third-party audit results.
i. Event Logging & Auditing
practices for Networks, Operating Systems, Applications, and Databases.
j. Up-to-date third party security audit reports such as:
SSAE 16 SOC 2 Type II
FISMA Level 3
Based on up-to-date third party audit
reports; the Contract Administrator may relieve
the hosting vendor from some of the reporting requirements enumerated above.
Technology Business Consultants (TBCs) and Application Directors (joint responsibility):
Assist the Enterprise Security Officer (ESO) in the
implementation of this Policy.
Ensure that the hosted information asset complies with the relevant
deployment certification (Application Deployment Certification)
prior to its deployment.
Evaluate the business impact of a security breach incident
notification from the Hosting Vendor, and liaise with the affected business
stakeholders of the Contracting Agency.
Evaluate the business impacts of the Uptime and Unplanned
Outage Report and Planned Downtime Notice Report from the Hosting Vendor, and
liaise with affected business stakeholders.
Enterprise Security Officer (ESO):
Direct scheduled and random security audits, including
vulnerability assessments, to the hosting infrastructure and/or the application.
Coordinate security audits with the Contract Administrator, TBC,
Application Director and the Hosting Vendor.
Alert the Contract Administrator, TBC and Application Director
of any discovered security deficiency, and subsequently recommend a remediation
strategy. At her/his discretion, the ESO may recommend the shutdown, or reduced
operation, of the hosting infrastructure and/or the application, indefinitely.
Determine in the event of a security vulnerability and/or an
actual security breach, whether it was caused by infrastructural negligence on
the part of the Hosting Vendor.
Contract Administrator:
Ensure pertinent Requests for Proposals (RFPs), and resulting
Contracts, contain language in accord with this Policy, and attendant standards,
operating procedures, and best practices.
Ensure pertinent RFPs, and resulting Contracts, contain
language in accord with the Records Retention Schedule of the Contracting
Agency, as relevant to the remote hosted data, and any other relevant State of
Maine Laws and Policies.
Act as the facilitator between the ESO/TBC/Application
Director and the Hosting Vendor. Convey all communication between the Hosting
Vendor and the ESO/TBC/Application Director.
Vets detailed reports from the hosting vendors with appropriate technical
Instruct this Hosting Vendor to transfer the data in its
custody to another Hosting Vendor at the end of the hosting contract.
Explicitly state the data ownership in the contract.
Explicitly provide for audits for compliance and verification
in the contract.
Explicitly provide for FOAA (Freedom of Access Act) and
investigation requirements in the contract.
This includes not only access to the data itself, but system log
information regarding the data access.
Complete and exclusive ownership of the hosted data
rests with the Contracting Agency, and is not subject to any conditions.
The Hosting Vendor shall fully bear remediation costs
for any security vulnerability and/or security breach that unambiguously
results from verifiable Hosting Vendor negligence. In addition to this Policy,
current computer security industry best practices, as defined by premier computer
security industry guilds and consortiums (such as SANS.org),
will be used to determine what constitutes Hosting Vendor infrastructural
negligence. The ESO is the final arbiter in this matter.
Application Director: Provides oversight to multiple
application development/support teams.
Contract Administrator: Identified in Rider B/B-IT of
the remote hosting contract. In some
cases, the Information Technology (IT) Manager may perform the Contract
Administrator duties identified in this document.
Hosting Vendor: Commercial external entity that hosts
Maine State information assets.
Infrastructure as a Service (IaaS): Computing
infrastructure, such as Processor, Storage, Operating System, etc., consumed
from the Cloud.
OIT-Housing: Equipment that resides in an OIT data
center, where OIT provides only the physical security, uninterrupted
electricity, climate control, rack space, and Internet connectivity. The hosting vendor provides everything else.
Personally Identifiable Information (PII): Information that can be used on its own or
with other information to identify, contact, or locate a single person, or to
identify an individual in context. Refer
to Maine Public Law 10 MRSA § 1347 for a more detailed definition. PII includes, but is not limited to Protected
Health Information (PHI), Federal Tax Information (FTI), and Federal Education
Rights and Privacy Act (FERPA) Information.
Platform as a
Service (PaaS): Development and/or Deployment framework consumed from the Cloud.
Software as a
Service (SaaS): End-user application consumed from the Cloud.
Any party potentially impacted
by the change.
Technology Business Consultant (TBC): Agency information technology customer liaison.
VIII. Document Information
Initial Issue Date: January 8, 2007
Latest Revision Date: October 7,
Point of Contact: Henry Quintal, Architecture-Policy
Administrator, OIT, 207-624-8836.
Approved By: James R. Smith, Chief
Information Officer, OIT, 207-624-7568
Position Title(s) or Agency
Responsible for Enforcement: Enterprise
Security Officer, OIT, 207-624-7568.
Legal Citation: 5 M.R.S.A. Chapter 163 Section 1973
paragraphs (1) B and (1) D, which read in part, “The Chief Information Officer
shall:” “Set policies and standards for the implementation and use of
information and telecommunications technologies…” and “Identify and implement
information technology best business practices and project management.”
Waiver Process: See the Waiver Policy.