Information Security Standards

Application-level Security

1. Web applications will be secured from "SQL Injection Attacks" where the attacker enters SQL commands into Web form input fields or URL query strings to try to manipulate the SQL statement being sent to and from the database. The following methods to avoid SQL injection attacks will be used:
   • Use of parameterized queries or stored procedures to access a database as opposed to using string concatenation
   • Limit the amount of characters in Web form input fields and URL query strings to a proper amount
   • Validate text input and URL query strings for improper characters (e.g. apostrophe, dash)
   • Display user-friendly error page when an application error occurs. Do not display errors to the user that could be used to determine software, framework, and database names and versions or display actual source code
2. ASP.Net Web applications must be secured from "Cross-Site Scripting" (XSS) attacks. Developers must set the ASP.Net "validateRequest" Page directive to “True” (the default setting) so that users of the application are prevented from entering HTML or JavaScript code into Web forms.
3. Web applications must not have security vulnerabilities. If a vulnerability is detected within the Web application, the Web application will be taken offline until the vulnerability is mitigated.
4. Web applications must have defect tracking and change control processes during the system’s lifetime in order to maintain Web application availability.
5. The California Department of Education (CDE) may perform information security audits of the Web application during the development and production phases of the Web application.

Data Transmission Security

When confidential or sensitive data is passed between the end-user and the Web server, the HTTPS (Employing currently approved National Institute of Standards and Technology (NIST) TLS versions) protocol will be used. HTTPS provides server authentication, data encryption ("over the wire"), and data transmission integrity. The digital certificate used on the Web server will need to be "trusted" by the Web browsers listed on the CDE’s Minimum Web Browser Requirement Web page. An HTTPS security test will also be performed by the CDE Information Security Office (ISO) against HTTPS Web sites, which must result in a passing letter grade for the Web site to be approved.

End-to-end encryption, utilizing currently approved NIST ciphers and key lengths, shall be used to protect confidential, sensitive, or personal information that is transmitted or accessed outside the secure internal network (e.g., email, remote access, file transfer, Internet/Web site communication tools) of the CDE, or stored on portable hard drives), mobile computing devices (e.g., laptops, netbooks, tablets, and smartphones), and other mobile electronic devices.

Database Security

1. Web applications will follow the principle of least privilege (POLP) to access database objects (i.e. tables, views, stored procedures). For example, if the Web application needs read-only access to a specific database table, the database permissions will be set accordingly as opposed to giving the Web application "admin or owner" rights to the entire database.
2. Individual database fields storing confidential or sensitive data (e.g. passwords, Social Security number) must be stored using CDE approved encryption techniques.

Password Requirements

Passwords whether created by application developers, administrators, or users must be validated to meet all of the following parameters:

• Be at least eight characters in length
• Not use any of the previous 10 passwords
• Not be older than 90 days
• Result in an account lockout after 5 invalid logon attempts
• Not be the same as the logon or user name
• Contain characters from three of the following four categories:
  • At least one uppercase letter (A though Z)
  • At least one lowercase letter (a through z)
  • At least one number (0 through 9)
  • At least one special character (!, @, #, $, ^, &, *, -, =, _, +, ?)

Cloud Security Requirements

If CDE data will be maintained by a Cloud Service Provider (CSP), the following criteria must be met:

• The CSP must have FedRAMP authorization
• CDE data must reside within the contiguous United States and remote access to CDE data is prohibited from outside the contiguous United States
• The CSP must not comingle CDE data with other CSP customers’ data (CDE data must be maintained in a database containing only CDE data)
• CDE data must be encrypted at rest and in transit utilizing currently approved NIST ciphers and key lengths
• The CDE must be able to move its data out of the current CSP to CDE or another CSP

At the end of the contract with the CSP, CDE data must be removed from all CSP media, including backups. Destruction will include the electronic “wiping” of storage media or the physical destruction of storage media through pulverization.