Minimum Security Standards:
Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS)
- Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk Data but used to access a High Risk application is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard SaaS and PaaS.
Standards | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|
Product Selection |
Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution. |
Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Pre-implementation Planning |
Follow the SaaS Considerations checklist. Follow the PaaS Considerations checklist. Follow the Security When Using a Cloud Product guidelines. |
Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Inventory and Asset Classification |
|
Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Credential and Key Management |
|
Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Encryption |
|
Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
Two-Step Authentication |
If user login is not able to be integrated with Stanford SSO, enable two-factor authentication if offered by the solution. |
Required for Moderate Risk Data | Required for High Risk Data | |
Logging and Auditing |
|
Required for Moderate Risk Data | Required for High Risk Data | |
Data Management |
Contractually ensure that Stanford data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory obligations. |
Required for Moderate Risk Data | Required for High Risk Data | |
Privileged Access Workstation (PAW) |
Administration consoles should only be accessed through a PAW when logging in with an administrative account. Administrative accounts are defined as:
|
Required for High Risk Data | ||
Security, Privacy and Legal Review |
Prior to implementation, follow the Stanford Data Risk Assessment process. |
Required for High Risk Data | ||
Regulated Data Security Controls |
|
Required for High Risk Data |