
Data Protection

Data Ownership
1) All data is the property of American Water. The service provider has no claim whatsoever to American Water data. The Service Provider shall not access American Water data other than for the purposes of: a. Conducting normal support or maintenance activities. b.

Data in Motion
1) All American Water data should be encrypted during transmission using a dynamically generated key, distributed via an industry standard public key exchange protocol.
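An added illustration of the Data in Motion requirement, written for this page and not taken from American Water or any service provider's code: each side generates a fresh (ephemeral) X25519 key pair per session, exchanges only public values, and derives the same 256-bit transport key. The `Endpoint` type and `RunExchange` helper are assumptions introduced for the example; hashing the shared secret with SHA-256 stands in for a full key-derivation function such as HKDF.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Endpoint is one side of a connection holding an ephemeral X25519 key pair.
// A fresh pair is generated for every session, so the derived transport key is
// dynamically generated and never reused across sessions. (Hypothetical type.)
type Endpoint struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewEndpoint generates the ephemeral key pair for a single session.
func NewEndpoint(name string) (*Endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{Name: name, priv: priv}, nil
}

// PublicMessage is the only value this side puts on the wire: its public key.
// The private key never leaves the endpoint.
func (e *Endpoint) PublicMessage() []byte {
	return e.priv.PublicKey().Bytes()
}

// TransportKey derives the 256-bit symmetric key from the peer's public message.
// Assumption: SHA-256 over the raw shared secret is used as a simple key
// derivation step so the example stays self-contained; a production
// implementation would use a standard KDF such as HKDF.
func (e *Endpoint) TransportKey(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	shared, err := e.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// RunExchange performs one complete handshake between a client and a server
// and returns the key each side derived so a caller can confirm they agree.
func RunExchange() (clientKey, serverKey []byte, err error) {
	client, err := NewEndpoint("client")
	if err != nil {
		return nil, nil, err
	}
	server, err := NewEndpoint("server")
	if err != nil {
		return nil, nil, err
	}
	// Message 1: client -> server carries client.PublicMessage().
	serverKey, err = server.TransportKey(client.PublicMessage())
	if err != nil {
		return nil, nil, err
	}
	// Message 2: server -> client carries server.PublicMessage().
	clientKey, err = client.TransportKey(server.PublicMessage())
	if err != nil {
		return nil, nil, err
	}
	return clientKey, serverKey, nil
}

func main() {
	c1, s1, err := RunExchange()
	if err != nil {
		panic(err)
	}
	c2, _, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("session 1: both sides derived the same key: %v\n", bytes.Equal(c1, s1))
	fmt.Printf("session 2 key differs from session 1: %v\n", !bytes.Equal(c1, c2))
}
```

The check a reviewer would apply to a provider's implementation is the one `RunExchange` makes visible: nothing but public values cross the wire, both ends arrive at an identical key, and repeating the exchange yields a different key, so no long-lived transport secret exists to be recovered later.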

Data at Rest
1) All American Water data should be encrypted while at rest using a unique key used specifically for American Water data.
a. Key management should follow industry best practices such as NIST Special Publication 800-57 and NIST DRAFT Special Publication 800-130.
b. The burden of key management rests solely with the Service Provider.

Data Cleansing

Equipment Repair or Equipment Service
1) If the service provider, for purposes of normal maintenance, is required to send a system, hard drive, or solid state drive to a 3rd party vendor, any encrypted American Water data will be considered secured if the encryption key has never been stored on the same piece of equipment. If the key has ever been stored on the same piece of equipment, the key must be securely overwritten in accordance with the US Department of Defense clearing and sanitizing standard DoD 5220.22-M; ideally the entire device shall be cleared and sanitized.

Equipment upgrades
1) If the service provider upgrades equipment and is required to send a system, hard drive, or solid state drive to a 3rd party vendor, any encrypted American Water data will be considered secure if the encryption key has never been stored on the same piece of equipment. If the key has ever been stored on the same piece of equipment, at minimum the key must be securely overwritten in accordance with the US Department of Defense clearing and sanitizing standard DoD 5220.22-M; ideally the entire device shall be cleared and sanitized.

Equipment Disposal
1) If the service provider deactivates and disposes of equipment such as a system, hard drive, or solid state drive, any encrypted American Water data will be considered secure if the encryption key has never been stored on the same piece of equipment. If the key has ever been stored on the same piece of equipment, at minimum the key must be securely overwritten in accordance with the US Department of Defense clearing and sanitizing standard DoD 5220.22-M; ideally the entire device shall be cleared and sanitized.

Service Agreement Termination

Single Key encryption


1) Upon termination of the service agreement the Service Provider shall, at a minimum, securely and permanently erase all American Water data. The cleansing of the data must follow the US Department of Defense clearing and sanitizing standard DoD 5220.22-M. Devices affected include, but are not limited to:
a. Systems
b. Hard drives
c. Solid state drives
d. Tapes
e. CDROMS

Unique Key Encryption per client


1) Upon termination of the service agreement the Service Provider shall, at a minimum, securely and permanently erase the unique key used to encrypt American Water data; ideally all data will be cleansed. The cleansing of the data must follow the US Department of Defense clearing and sanitizing standard DoD 5220.22-M. Devices affected include, but are not limited to:
a. Systems
b. Hard drives
c. Solid state drives
d. Backup Tapes
e. Tapes
f. CDROMS
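An added example covering the Data at Rest requirement (one unique key per client, kept apart from the equipment holding the ciphertext) and the Unique Key Encryption per client termination clause above. It is written for this page and is not American Water's or any provider's code; the `ClientKey` type and its methods are assumptions introduced for the illustration. Data is sealed with AES-256-GCM under a client-specific key; destroying that key leaves every ciphertext sealed under it unrecoverable, which is what makes "erase the unique key" a meaningful minimum at termination and why a key that was ever stored on the same device must itself be overwritten.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientKey is one client's data-encryption key, held in the provider's key
// store and never written to the equipment that holds the ciphertext.
// (Hypothetical type introduced for this example.)
type ClientKey struct {
	ClientID string
	Key      []byte // 32 bytes: AES-256
	erased   bool
}

// NewClientKey generates a fresh random key dedicated to one client.
func NewClientKey(clientID string) (*ClientKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &ClientKey{ClientID: clientID, Key: k}, nil
}

// aead builds the AES-GCM cipher, refusing to operate on an erased key.
func (ck *ClientKey) aead() (cipher.AEAD, error) {
	if ck.erased {
		return nil, errors.New("key has been erased")
	}
	block, err := aes.NewCipher(ck.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data under the client's key. The random nonce is prepended to
// the ciphertext; the client ID is bound as associated data so the record
// cannot be opened under a different client's identity.
func (ck *ClientKey) Seal(plaintext []byte) ([]byte, error) {
	gcm, err := ck.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(ck.ClientID)), nil
}

// Open decrypts and authenticates; it fails for a wrong, erased or mismatched key.
func (ck *ClientKey) Open(data []byte) ([]byte, error) {
	gcm, err := ck.aead()
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(ck.ClientID))
}

// Erase overwrites the key bytes and marks the key unusable. When no other
// copy of the key exists, every ciphertext sealed under it is unrecoverable
// (cryptographic erasure); the stored ciphertext can then be wiped separately
// under the sanitization standard the policy cites.
func (ck *ClientKey) Erase() {
	for i := range ck.Key {
		ck.Key[i] = 0
	}
	ck.erased = true
}

// Erased reports whether the key has been destroyed.
func (ck *ClientKey) Erased() bool { return ck.erased }

func main() {
	aw, _ := NewClientKey("american-water")
	other, _ := NewClientKey("other-client")
	ct, _ := aw.Seal([]byte("constructed sample record")) // constructed sample data
	pt, err := aw.Open(ct)
	fmt.Printf("owner key opens data: %q err=%v\n", pt, err)
	_, err = other.Open(ct)
	fmt.Printf("other client's key opens data: err=%v\n", err)
	aw.Erase()
	_, err = aw.Open(ct)
	fmt.Printf("after key erasure: err=%v\n", err)
}
```

The two failure cases in `main` are the ones a reviewer of a provider's termination procedure would want evidence for: a second client's key cannot open the data (the "unique key per client" property), and once the key is erased the owner's own copy of the ciphertext is just as unreadable, so the only remaining exposure is any copy of the key that was ever written to the same equipment.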

Logging
