Maine State Government
Dept. of Administrative & Financial
Office of Information Technology
Remote Hosting Policy
This Policy establishes the requirements and
responsibilities for hosting Maine State
computer applications by external hosting vendors.
As Maine State
computer applications continue to be hosted by external vendors, it is
important that the citizens and partners of Maine State Government receive a
uniformly high level of service from such external vendors. Should the quality
of service provided by external vendors fall below par, it will not only cause customer
hardship, but it will also tarnish the electronic branding of the State of Maine.
Moreover, should there be a security breach in a Maine
State application hosted by an
external vendor, there may also be additional legal and statutory
ramifications, as well as adverse media coverage. It is for all these reasons
that the Chief Information Officer has adopted this Remote Hosting Policy.
This policy applies to any and all Maine
State computer applications hosted
by any party other than the Maine State Government. More specifically, it
covers remotely hosted applications containing data owned by the Executive
Branch and semi-autonomous State agencies, as well as remotely hosted
applications from other Maine State Government branches that traverse the
State’s wide area network.
HOSTING VENDORS: A Hosting Vendor shall
In the event of a security breach incident, notify the Contract
Administrator within three hours of first knowledge.
Comply with the Maine
Public Law 10 MRSA §1347 (Notice
of Risk to Personal Data Act).
Ensure the following:
A secure hosting infrastructure of the utmost Confidentiality
(No unauthorized access), Integrity (No tampering), and Authenticity (No
Data in its custody should never be used, under any
circumstances, for any purposes other than those agreed to in the hosting
All hosts, servers and devices should have currently-supported
and hardened operating systems, the latest anti-viral, anti-hacker, anti-spam, anti-spyware,
and anti-malware utilities. The environment, as a whole, should have the most
aggressive intrusion-detection and firewall protection.
At a minimum, 99% scheduled uptime, excluding planned downtime
Adequate capacity to ensure prompt response to both data
inquiry/lookup and data modification transactions, at all times.
All hardware and software components of the hosting
infrastructure should be fully supported by their respective manufacturers at
A conservative sunset and migration schedule for all hardware
and software components, as recommended by their respective manufacturers, at
Periodic backups. The minimum acceptable frequency is
differential backup daily, and complete backup weekly.
An aggressive regimen of patch management. All critical
patches for operating systems, databases, web services, etc, should be applied
within three working days of release by their respective manufacturers.
Complete backup-restore and disaster recovery tests from the
appropriate media, once per annum.
Comply with the Records Retention Schedule of the Contracting
Agency, as relevant to the data being hosted remotely.
Agree to transfer the data in its custody to another Hosting
Vendor at the end of the hosting contract.
Submission to scheduled and random security audits, including
vulnerability assessments, of the hosting infrastructure and/or the
application, to be conducted under the auspices of the Enterprise Information
Complete cooperation with the Enterprise Information Security
Director in the detection of any security vulnerability of the hosting
infrastructure and/or the application.
Expeditious remediation of any verifiable, infrastructural
Complete compliance with all Federal and Maine
laws, regulations, statutes, policies, standards, and best practices relevant
to internet-based hosting.
Submit the following detailed reports. All reports should be
submitted to the Contract Administrator. Unless otherwise stated, these reports
should be filed initially at the inception of the contract, and subsequently,
once per annum, as well as corresponding to every substantive change in the
subject matter of the relevant report.
Uptime and Unplanned Outage Report. This report should be
submitted once per quarter.
Planned Downtime Notice. This notice should be submitted at
least one week prior to the event.
Physical access controls for the hosting site.
Internal security awareness training curriculum and schedule.
Should include the syllabus, the class schedule for new employees, annual
refresher training, and any emergency, ad-hoc training.
Self-audit on software and hardware modifications, patches
applied, etc. This report should be submitted at least twice per annum.
Backup-restore and disaster recovery procedures, and the
results of the annual tests.
Security Breach Incident Reporting mechanism.
Production Change Management procedure.
Event Logging & Auditing practices for Networks, Operating
Systems, Applications, and Databases.
Installation/Configuration and Maintenance documentation.
Any other relevant, internal security-related standards,
policies, procedures, best practices, etc, that govern the hosting infrastructure
and/or the application, including, the results of any third-party audits.
ENTERPRISE INFORMATION SECURITY DIRECTOR: The
Enterprise Information Security Director shall
Direct scheduled and random security audits, including
vulnerability assessments, to the hosting infrastructure and/or the
Coordinate the security auditing with the Agency Information
Technology Director (AITD) of the Contracting Agency and the Hosting Vendor, in
case of scheduled audits.
Alert the AITD of the Contracting Agency should an information
security deficiency be discovered, and subsequently recommend a remediation
strategy. At her/his discretion, the Enterprise Information Security Director
may recommend the shutdown, or reduced operation, of the hosting infrastructure
and/or the application, indefinitely.
Evaluate all notifications and submissions from the Hosting
Vendor, and act upon them, as appropriate, including recommending the shutdown,
or reduced operation, of the hosting infrastructure and/or the application, indefinitely.
Determine, in the event of a security vulnerability and/or an
actual security breach, whether it was caused by infrastructural negligence on
the part of the Hosting Vendor.
AGENCY INFORMATION TECHNOLOGY DIRECTOR: The AITDs shall
Assist the Enterprise Information Security Director in the
implementation of this Policy.
Ensure that the hosted application complies with the
Deployment Certification Policy for Major Applications and the Website
Acceptance Policy prior to its deployment.
Evaluate the business impact of a security breach incident
notification from the Hosting Vendor, and liaise with the affected business
stakeholders of the Contracting Agency.
Evaluate the business impacts of the Uptime and Unplanned
Outage Report and the Planned Downtime Notice from the Hosting Vendor, and
liaise with the affected business stakeholders of the Contracting Agency.
CONTRACT ADMINISTRATOR: The Contract Administrator
Ensure that all pertinent Requests for Proposals, and
resulting Contracts with vendors, contain language in accord with this Policy,
and attendant standards, operating procedures and best practices.
Ensure that all pertinent Requests for Proposals, and
resulting Contracts with vendors, contain language in accord with the Records
Retention Schedule of the Contracting Agency, as relevant to the data being
Act as the negotiator between the Enterprise Information
Security Director and the AITD of the Contracting Agency on the one hand, and
the Hosting Vendor on the other hand. Convey all communication from the Hosting
Vendor to the Enterprise Information Security Director and the AITD of the
Contracting Agency, and vice-versa.
Instruct this Hosting Vendor to transfer the data in its
custody to another Hosting Vendor at the end of the hosting contract.
V. Guidelines &
Complete and exclusive ownership of the hosted data
rests with the Contracting Agency, and is not subject to any conditions.
The remediation costs for any security vulnerability
and/or an actual security breach, that unambiguously results from verifiable,
infrastructural negligence on the part of the Hosting Vendor, shall be borne
entirely by the Hosting Vendor. In addition to the contents of this Policy,
current computer security industry best practices, as defined by premier
computer security industry guilds and consortiums, will be used to determine as
to what constitutes infrastructural negligence on the part of the Hosting
Vendor. The Enterprise Information Security Director shall remain the final
arbiter in this matter.
The remediation of a security vulnerability and/or an
actual security breach in the application proper, as opposed to the underlying
infrastructure, is considered an enhancement to the application, and should be
pursued by the Contracting Agency outside the scope of this Policy.
The Maine Office of Information Technology will
propose, adopt and implement standards, operating procedures and best practices
in support of this Policy.
A subclass of computer software that produces results of direct value to its
users. The Application is contrasted with system software that manages a
computer's internal functions but does not deliver any result of direct value
to its users.
AITD: For the purpose of this Policy, the term
AITD is construed to mean not just the Agency Information Technology Directors
in the Executive Branch of Maine State Government, but also their analogous
counterparts in the Legislative and Judicial Branches and Constitutional Officers,
who provide technical leadership and customer liaison in their respective
agencies and departments.
Encompasses all aspects of information technology other than the Applications
proper. It consists of devices, networks, servers, operating systems,
databases, webservers, firewalls, intrusion detection, etc.
VENDOR: A commercial entity, external to the Maine State Government, that hosts
a Maine State
computer application. The Hosting Vendor is contrasted with the Application
Vendor, ie, a commercial entity that creates a Maine
State computer application.
ADMINISTRATOR: The officer of the State of Maine
agency or department that is the signatory to the remote hosting contract with
the Hosting Vendor.
AGENCY: The State of Maine agency
or department whose business is being served by the remote hosting contract
with the Hosting Vendor.
Certification Policy for Major Application Projects
to Govern Information Security Risk Assessments and to Ensure the Prompt
Remediation of Deficiencies
1. Document Reference
2. Category: Computer
Environment and Platform
3. Adoption Date: January 8, 2007
4. Effective Date: January 8, 2007
5. Review Date: January 8, 2009
6. Point of Contact: Paul Sandlin, eGovernment Services, Office of
Information Technology, State House Station #138, Augusta, ME 04333, Telephone:
7. Approved By: Richard
B Thompson, Chief Information Officer, State House Station #138, Augusta,
8. Position Title(s)
or Agency Responsible for Enforcement: Mark
Kemmerle, Enterprise Information Security Director, Office of Information
Technology, State House Station #145, Augusta, ME
04333, (207) 624-8892.
9. Legal Citation:
10. Waiver Process:
Contracting Agencies may sometimes have unique remote hosting requirements that
may necessitate certain exception(s) to this default Policy. A written
application should be made to the CIO under such circumstances, explaining the
rationale for specific exception(s). Subject to the CIO’s approval, the
Contracting Agencies may then fashion actual contracts containing such