GoA IMT Standards Template

Government of Alberta
[GoA Standards Group/Committee]
GoA IMT Standards
________________________________________________________________
IMT Standards
IMT Standards Oversight Committee
Government of Alberta
Effective Date: 2016-02-16
Scheduled Review: 2017-02-16
Last Reviewed:
Type: Technical
Standard number - A000061
Web Application Security Standard
Category: Security
Keywords: Web Application
Description of Standard
This standard identifies the minimum security requirements for web applications
within the Government of Alberta (GoA). This standard is to be used when
developing or updating web applications.
Information Security Management Directive (ISMD) #7: Information Technology
Systems Acquisition, Development and Maintenance requires that security
requirements are identified, implemented, analyzed, evaluated and monitored
throughout the lifecycle of all information technology.
Standard Specification
Web applications must be designed in accordance with industry accepted
standards, regulations and best practices while fulfilling the security obligations
required for any software developed for use in the GoA. These obligations are
defined in Information Security Management Directive (ISMD) #7, Systems
Acquisition, Development and Maintenance.

Web applications must be designed to address the most critical web application
security risks and vulnerabilities as recommended by the Open Web Application
Security Project (OWASP) Top 10 - 2013. This OWASP document can be found
in the Supporting Documentation section of this standard in reference #7.

All web applications must be built to, at a minimum, Level 1 of the OWASP
Application Security Verification Standard (ASVS). This OWASP document can be
found in the Supporting Documentation section of this standard in reference #8.

All web applications must have audit logs retained for forensic analysis. The
retention period is defined by business requirements. Events logged include
(but are not limited to) successful and unsuccessful login attempts, application
errors (as defined by business requirements), and additional error messages as
identified by business requirements.
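As an added illustration (this is not part of the standard and not Government of Alberta code), the following Python shows one way to produce and later examine such an audit log: each login or error event is written as a structured JSON line with no field in which a credential could be recorded, every line carries the SHA-256 of the line before it so that a deleted or edited record is detectable during forensic review, and two query helpers summarize unsuccessful logins per account. The event names, field names, hash chaining and the sample events are this example's own assumptions; the standard prescribes none of them.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Event names are an assumption for this example; the standard names the
# event classes (login success/failure, application error) but no schema.
EVENT_LOGIN_SUCCESS = "login.success"
EVENT_LOGIN_FAILURE = "login.failure"
EVENT_APP_ERROR = "app.error"

GENESIS = "0" * 64  # "prev" value carried by the first record in a log


def make_record(event, user, src_ip, prev_hash, detail=None, when=None):
    """Build one audit record. There is deliberately no field for a password
    or session token, so credentials cannot be written to the retained log."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(timespec="seconds"),
        "event": event,
        "user": user,
        "src_ip": src_ip,
        "detail": detail,
        "prev": prev_hash,  # SHA-256 of the previous serialized line
    }


def serialize(record):
    """Canonical JSON line (sorted keys, no whitespace) so the hash is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def line_hash(line):
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only list of JSON lines, each chained to its predecessor's hash."""

    def __init__(self):
        self.lines = []
        self._last_hash = GENESIS

    def append(self, event, user, src_ip, detail=None, when=None):
        rec = make_record(event, user, src_ip, self._last_hash, detail, when)
        line = serialize(rec)
        self.lines.append(line)
        self._last_hash = line_hash(line)
        return line


def verify_chain(lines):
    """True if every record's 'prev' equals the hash of the line before it.
    Removing or altering any line breaks the chain from that point on."""
    expected = GENESIS
    for line in lines:
        rec = json.loads(line)
        if rec.get("prev") != expected:
            return False
        expected = line_hash(line)
    return True


def failed_logins_by_user(lines):
    """Forensic summary: number of unsuccessful login attempts per account."""
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == EVENT_LOGIN_FAILURE:
            counts[rec["user"]] += 1
    return counts


def accounts_over_threshold(lines, threshold):
    """Accounts whose failure count reaches the threshold (e.g. password guessing)."""
    return sorted(u for u, n in failed_logins_by_user(lines).items() if n >= threshold)


def build_sample_log():
    """Constructed sample events (not real data) to exercise the functions."""
    t0 = datetime(2016, 2, 16, 9, 0, tzinfo=timezone.utc)
    log = AuditLog()
    for i in range(4):
        log.append(EVENT_LOGIN_FAILURE, "alice", "10.0.0.5",
                   detail="bad password", when=t0.replace(minute=i))
    log.append(EVENT_LOGIN_SUCCESS, "alice", "10.0.0.5", when=t0.replace(minute=5))
    log.append(EVENT_LOGIN_FAILURE, "bob", "10.0.0.9", detail="unknown user",
               when=t0.replace(minute=6))
    log.append(EVENT_APP_ERROR, None, "10.0.0.9",
               detail="unhandled exception in /report", when=t0.replace(minute=7))
    return log.lines


def tampered_sample_log():
    """The same log with the first failure deleted, as an attacker covering tracks."""
    return build_sample_log()[1:]


if __name__ == "__main__":
    lines = build_sample_log()
    print("\n".join(lines))
    print("chain intact:", verify_chain(lines))
    print("failed logins:", dict(failed_logins_by_user(lines)))
    print("over threshold:", accounts_over_threshold(lines, 3))
    print("tampered chain intact:", verify_chain(tampered_sample_log()))
```

The hash chain only makes tampering evident within one file; for a real deployment the periodic chain head should be shipped to a separate, write-protected store so that a host compromise cannot silently regenerate the whole chain.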
INFORMATION SENSITIVITY: Protected
Page 1 of 4

External facing web applications must support a multi-tier architecture that
complies with the standardized zonal security structure of GoA IT systems. The
data tier must be hosted in a highly secure zone.

Server system hardening must be performed before applications are
deployed. All environments, including Production, User Acceptance, System
Test, Training and Development servers, must be hardened.

All active web server certificates must be signed with a SHA-2 family hash
algorithm (for example SHA-256) or stronger; certificates signed with SHA-1 or
MD5 do not meet this requirement.
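The practical check for this requirement is the certificate's signature algorithm as reported by OpenSSL. The Python below is an added example (not part of the standard and not Government of Alberta code): it classifies signature algorithm names such as sha256WithRSAEncryption or ecdsa-with-SHA384 and fails closed on anything weaker than SHA-2 or unrecognised, and the optional openssl_signature_algorithm helper shells out to openssl x509 to read the algorithm from a PEM file. Treating Ed25519/Ed448 as compliant, the hostnames and the algorithm inventory are this example's own assumptions.

```python
import re
import shutil
import subprocess

# Signature hashes weaker than SHA-2 fail; SHA-2 and SHA-3 pass ("or stronger").
WEAK_HASHES = {"md2", "md4", "md5", "sha", "sha1"}
STRONG_HASHES = {"sha224", "sha256", "sha384", "sha512",
                 "sha3-224", "sha3-256", "sha3-384", "sha3-512"}
# Ed25519/Ed448 use a fixed internal hash and carry no hash name in the
# algorithm string; treating them as compliant is this example's assumption.
HASHLESS_OK = {"ed25519", "ed448"}

# Pulls the hash token out of OpenSSL's algorithm names, e.g.
# "sha256WithRSAEncryption", "ecdsa-with-SHA384", "RSA-SHA1", "md5WithRSAEncryption".
_HASH_RE = re.compile(r"(sha3-\d{3}|sha\d{3}|sha1|md[245]|sha)(?![0-9])", re.IGNORECASE)


def hash_of_signature_algorithm(name):
    """Return the hash name embedded in an OpenSSL signature algorithm string,
    or None if none is recognised."""
    n = name.strip().lower()
    if n in HASHLESS_OK:
        return n
    m = _HASH_RE.search(n)
    return m.group(1) if m else None


def is_sha2_or_stronger(sig_alg):
    """Policy decision for one signature algorithm string. Unrecognised names
    (e.g. 'rsassaPss', whose hash openssl prints on a separate parameter line)
    return False so that the check fails closed and the cert gets a manual look."""
    h = hash_of_signature_algorithm(sig_alg)
    return h in HASHLESS_OK or h in STRONG_HASHES


def openssl_signature_algorithm(pem_path):
    """Read the signature algorithm of a PEM certificate via `openssl x509`.
    Returns None if openssl is not installed or the line is not found."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-text"],
        capture_output=True, text=True, check=False).stdout
    for line in out.splitlines():
        line = line.strip()
        if line.startswith("Signature Algorithm:"):
            return line.split(":", 1)[1].strip()
    return None


def noncompliant_hosts(inventory):
    """inventory maps hostname -> signature algorithm string. Returns the hosts
    whose active certificate does not satisfy the SHA-2-or-stronger rule."""
    return sorted(h for h, alg in inventory.items() if not is_sha2_or_stronger(alg))


# Constructed inventory for demonstration; hostnames and algorithms are made up.
SAMPLE_INVENTORY = {
    "app1.example": "sha256WithRSAEncryption",
    "api.example": "ecdsa-with-SHA384",
    "new.example": "ED25519",
    "legacy.example": "sha1WithRSAEncryption",
    "old.example": "md5WithRSAEncryption",
    "pss.example": "rsassaPss",  # hash is on a separate line; flagged for manual review
}

if __name__ == "__main__":
    for host in noncompliant_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} does not meet SHA-2 or stronger")
```

For a live server, pipe the leaf certificate obtained with `openssl s_client -connect host:443` into a file and hand the path to openssl_signature_algorithm; check every certificate in the served chain, not just the leaf, since an intermediate signed with SHA-1 is rejected by current browsers as well.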

External facing web applications must undergo application level vulnerability
assessments every 6 months or more frequently as identified by business
requirements.

Discovered vulnerabilities must be resolved and documented within the timeline
specified below.
Criticality | Resolution Timeline                         | Acceptable Resolutions
High        | 30 days (14 days for Critical Applications) | Fixed, Mitigated, False Positive
Medium      | 45 days                                     | Fixed, Mitigated, False Positive
Low         | 90 days                                     | Fixed, Mitigated, False Positive, Accepted
Where to Apply this Standard
This standard applies to all web applications.
Authority and Exceptions
Internal Use Only
Supporting Documentation
References
1. ISM Directive #1: Organization of Information Security
http://www.servicelink.gov.ab.ca/security/docs/1_Organization_of_Information_Security_Directive_20131021.pdf
2. ISM Directive #5: Communications and Operations Management
http://www.servicelink.gov.ab.ca/security/docs/5_Communications_and_Operations_Management_Security_Directive_20130205.pdf
3. ISM Directive #6: Access Control
http://www.servicelink.gov.ab.ca/security/docs/6_Access_Control_Directive_20131021.pdf
4. ISM Directive #7: Systems Acquisition, Development and Maintenance
http://www.servicelink.gov.ab.ca/security/docs/7_SAD_and_MSecurity_Directive_20130205.pdf
5. Shared ICT Infrastructure Specifications. Windows Domain Environment
(Network Zone Diagram)
https://www.sharp.gov.ab.ca/secure/docDisplay.cfm?DocID=6247&nh=1
6. Administrative Records Disposition Authority (ARDA)
www.im.gov.ab.ca/documents/publications/ARDA.pdf
7. Open Web Application Security Project (OWASP) Top Ten
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
8. OWASP Application Security Verification Standard (ASVS) Project Version 2.0
https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
9. CWE/SANS Top 25 Most Dangerous Software Errors
http://www.sans.org/top25-software-errors/
10. NIST Special Publication 800-95: Guide to Secure Web Services
http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf
11. NIST Special Publication 800-44 version 2: Guidelines on Securing Public
Web Servers
http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf
12. Web Application Security Consortium
http://www.webappsec.org/
13. Government of Alberta Cryptographic Algorithms Standard
https://imtdocs.internal.alberta.ca/common/filesstandardsinternal/Cryptographic_Algorithms_Standard_2014-04-14.pdf
14. Glossary of Terms
http://www.servicelink.gov.ab.ca/security/docs/Glossary_of_Terms_20130205.pdf
Owner
Service Alberta, Service Modernization, Corporate Information Security Office
(CISO)
Contact
GoA IMT Standards at imt.standards@gov.ab.ca
Additional Information
Audience
Government of Alberta Information and Communications
Technology (ICT) environment
Source
Service Alberta, Service Modernization, Corporate Information
Security Office (CISO)
Sensitivity
GoA – Public
Proposed Date
2015-05-06
Proposed By
Kenneth Lummis
Manager, Security Policy
Corporate Information Security Office
Service Alberta
kenneth.lummis@gov.ab.ca
ciso@gov.ab.ca
(780) 427-3822
Glossary
Term: web application
Definition / Description: A software application, executed by a web server,
which responds to dynamic web page requests over HTTP.
(http://www.webappsec.org/projects/glossary/#WebApplication)