The Interdependence Project Security Policy

Transcription

1 Page 1 f 5 The Interdependence Prject Security Plicy Executive Summary Visin and Philsphy The Interdependence Prject puts securing ur dnrs and event and class participants persnal data as ne f the cmpany s highest pririties. We understand that every time we are prvided with credit card and bank accunt infrmatin, r ther sensitive persnally identifying infrmatin, they trust that we will prtect it and this plicy is designed t ensure that this trust is nt misplaced. The fundatin f ur infrmatin security prgram is a set f strng plicies that are in balance with business peratinal needs. Security Envirnment The Interdependence Prject utilizes yur data t deliver prducts and services t ur dnrs and event r class participants. Accrdingly, all f yur infrmatin t include cardhlder data as well as ther sensitive infrmatin will be prtected by all staff, cntractrs, partners and services prviders in accrdance with well defined plicies and prcedures. The Interdependence Prject will perate n the security principle f that which is nt explicitly allwed is explicitly denied. Attempts by anyne t access, mnitr, use r share infrmatin that is nt explicitly allwed t them by ur security prgram will be cnsidered a security vilatin. Further, access t sensitive infrmatin will be permitted n a need t knw basis, such that emplyees have access t nly thse data and systems required t perfrm their assigned jbs. We will deply systems, prcesses, plicies and training t prtect ur missin critical data assets and privacy. Mst imprtant, we will mnitr and enfrce cmpliance t ur plicies. Vendr Management Vendrs, partners and ther third parties will be required t cmply with the same standards established fr The Interdependence Prject staff. All vendrs string r therwise accessing ur dnrs and event r class participants cardhlder data must prvide prf f PCI DSS Cmpliance. Sanctins fr Plicy Vilatin Failure t cmply with Security plicies and guidelines may result in disciplinary actin by The Interdependence Prject depending upn the type and severity f the vilatin, whether it causes any liability r lss t the cmpany, and/r the presence f any repeated vilatin(s). Each situatin will be judged n a case-by-case basis. Sanctins may include terminatin f emplyment and / r referral fr criminal r civil prsecutin, warnings, r additinal security awareness training. There is n requirement fr advance ntices, written r verbal warnings, r prbatinary perids.

2 Page 2 f 5 Infrmatin Classificatin, Strage and Destructin All The Interdependence Prject infrmatin is categrized int tw main classificatins: Public and Cnfidential. Public infrmatin, such as advertising and marketing materials, is infrmatin that has been declared public knwledge by smene with the authrity t d s, and can freely be given t anyne withut any pssible damage t The Interdependence Prject. Cnfidential cmprises all ther infrmatin such as sales data, addresses, emplyee files, etc, that shuld nt be made available utside the cmpany. A subset f cnfidential infrmatin is Critical Cnfidential infrmatin that shuld be restricted t need t knw access nly, such as trade secrets, financial, technical, and persnnel infrmatin, and ther infrmatin integral t the success f the cmpany. Sales authrizatins cntaining credit card numbers and cvv2 cdes r bank accunt numbers (PANs), and PANs prvided t emplyees in the curse f entering a telephne transactin, fall int the Critical Cnfidential infrmatin categry. The Interdependence Prject persnnel are encuraged t use cmmn sense judgment in securing cnfidential infrmatin t the prper extent. Critical Cnfidential infrmatin will be stred in a limited access area (i.e. lcked file drawer r safe), and nly thse emplyees with a Need t knw will be prvided access t that infrmatin. If an emplyee is uncertain f the sensitivity f a particular piece f infrmatin, he/she shuld cntact their manager. Under n circumstances is a CVV2 cde t be stred, even in paper frmat. If prvided n a paper authrizatin frm, after the transactin is successfully prcessed, it is t be redacted n all stred dcuments. When Critical Cnfidential infrmatin in paper frm need n lnger be stred fr any peratinal r regulatry reasn, it must be dispsed f via crss-cut shredding r incineratin. Any digital infrmatin in the Critical Cnfidential categry, whether n tape, CD/DVD, r lcated n a cmputer hard drive, will be cmpletely erased and rendered unreadable by cmmercially reasnable methds. (As The Interdependence Prject has cntracted with a third party fr all strage f PANs, nne will be stred by the cmpany in digital frm.) When feasible, nn-critical Cnfidential infrmatin shuld be dispsed f in the same manner. Payment Prcessing System The Interdependence Prject utilizes a web-based SaaS system prvided by PaySimple, a PCI DSS Certified payment prcessing service prvider, fr all payment-prcessing functins. All credit card and ACH transactins, whether authrized ver the phne, in writing via mail, r nline are transmitted, prcessed and stred via the PaySimple Slutin system. Telephne and nline transactins are directly entered int the system. Mailed transactins are entered int the system, and the paper authrizatin frm is then stred in a secure lcked cabinet r safe fr nly as lng as required by business peratinal needs. In n circumstances are PANs stred electrnically fr any reasn secure strage is cmpletely relegated t the PaySimple system. The Interdependence Prject emplyees have access t the PaySimple system fr prcessing payments and reprting but never have access t un-encrypted credit card r bank accunt numbers. Each User is granted system access permissins based n the minimum functinality required t perfrm jb respnsibilities. During the curse f perfrming their jb respnsibilities, telephne sales representatives will have access t full credit card numbers, billing addresses, and CVV2 cdes. Telephne peratrs are expressly directed t enter this infrmatin directly int the PaySimple system and are never t recrd any PANs r CVV2s n paper, nr t repeat r therwise transmit this infrmatin t any third parties.

3 Page 3 f 5 Access Cntrls The Interdependence Prject emplyees will be granted access t sensitive cmpany data and any archived authrizatins r reprts cntaining card data r ther cnfidential infrmatin n a need t knw basis. Access t payment prcessing systems and ther cmpany applicatins will als be granted n the basis f the minimum level required t perfrm assigned jb respnsibilities. Key Access Cntrl Prvisins Users will nly be given sufficient rights t all systems t enable them t perfrm their jb functin. User rights will be kept t a minimum at all times. A payment prcessing system Administratr will be respnsible fr issuing user accunts, prvisining user accunt permissins and prcessing limits, and mnitring system usage Access t the PaySimple Slutin payment prcessing system will be by individual username and passwrd Usernames and passwrds must nt be shared by users, passwrds must be at least 8 alpha numeric characters and shuld nt be written dwn Passwrds will expire every 90 days and must be unique ver any 360 day perid User accunts will be lcked after 5 cnsecutive failed lgins Any paper receipts, reprts, r ther dcuments cntaining card hlder data will be secured in a lcked file drawer r safe, with access granted n a limited and dcumented basis. All dcuments cntaining card hlder data must be checked-ut and checked-in by an authrized manager. A payment prcessing system Administratr will be ntified f all emplyees leaving the cmpany and immediately revke access t all systems and strage facilities Anti-Virus/Anti-Phishing The Interdependence Prject has implemented {insert anti-virus applicatin name here} fr the purpse f cmputer virus, wrm and Trjan Hrse preventin, detectin and cleanup. In rder t ensure the security f ur cmputing envirnment, all emplyees using The Interdependence Prject cmputers r systems must adhere t the fllwing: All cmputers accessing cmpany systems, and/r utilizing the PaySimple payment prcessing system, must use the apprved anti-virus/anti-phishing prtectin sftware and cnfiguratin. The virus/phishing prtectin sftware must nt be disabled r bypassed. The settings and autmatic update frequency fr the virus/phishing prtectin sftware must nt be altered in a manner that will reduce its effectiveness. Emplyees shuld NEVER pen any files r macrs attached t an frm an unknwn, suspicius r untrustwrthy surce. Emplyees shuld never dwnlad files frm unknwn r suspicius surces. Emplyees shuld never cmplete any frms accessed via links embedded in an frm an unknwn, suspicius r untrustwrthy surce.

4 Page 4 f 5 Acceptable Use The Interdependence Prject is cmmitted t prtecting its emplyees, partners and the cmpany frm illegal r damaging actins by individuals, either knwingly r unknwingly. All cmputer related systems and equipment including but nt limited t cmputer equipment, sftware, accunts, and web brwsers are the prperty f The Interdependence Prject. All data btained during the curse f perfrming jb respnsibilities is the prperty f The Interdependence Prject. These systems and data are t be used fr business purpses in serving the interests f the cmpany, and ur dnrs and event r Class participants in the curse f nrmal peratins. Effective security is a team effrt invlving the participatin and supprt f every The Interdependence Prject emplyee and affiliate wh deals with infrmatin and/r infrmatin systems. It is the respnsibility f every emplyee knw these guidelines, and t cnduct their activities accrdingly. Key Acceptable Use Plicy Prvisins Users shuld be aware that the data they create n the crprate systems remains the prperty f The Interdependence Prject. There is n expectatin f privacy r guarantee f cnfidentiality f infrmatin stred n r accessed via any netwrk, cmputer, r electrnic device belnging t The Interdependence Prject. Keep passwrds secure and d nt share accunts. Authrized users are respnsible fr the security f their passwrds and accunts. PaySimple payment prcessing system passwrds are changed every 90 days. Emplyees must use extreme cautin when pening attachments received frm unknwn senders, which may cntain viruses, bmbs, r Trjan hrse cde. Under n circumstances is an emplyee f The Interdependence Prject authrized t engage in any activity that is illegal under lcal, state, federal r internatinal law while utilizing The Interdependence Prject-wned resurces. The fllwing activities are strictly prhibited, with n exceptins: Effecting security breaches r disruptins f netwrk cmmunicatin. Security breaches include, but are nt limited t, accessing data f which the emplyee is nt an intended recipient r lgging int a server r accunt that the emplyee is nt expressly authrized t access, unless these duties are within the scpe f regular duties. Fr purpses f this sectin, "disruptin" includes, but is nt limited t, netwrk sniffing, pinged flds, packet spfing, denial f service, and frged ruting infrmatin fr malicius purpses. Executing any frm f netwrk mnitring which will intercept data nt intended fr the emplyee's hst, unless this activity is a part f the emplyee's nrmal jb/duty. Circumventing user authenticatin r security f any hst, netwrk r accunt. Prviding infrmatin abut, r lists f, The Interdependence Prject emplyees t parties utside The Interdependence Prject. Prviding infrmatin abut r lists f The Interdependence Prject dnrs and event r Class participants, including but nt limited t PANs, and ther sensitive infrmatin, t any external party r unauthrized internal party.

5 Page 5 f 5 Vendr Management All vendrs that will have access t Critical Cnfidential infrmatin, including Credit Card numbers and Bank Accunt numbers, must be cvered by a frmal cntract that includes the fllwing guarantees: Service prviders must cmply with all PCI DSS requirements, and maintain and prvide prf f PCI DSS certificatin as a service prvider. Service prviders must acknwledge respnsibility fr security f the cardhlder data they pssess, including but nt limited t: Prtect cardhlder data as specified by the PCI DSS, if prcessing r string payment card data n behalf f The Interdependence Prject. Reprt any knwn r suspect cmprmise f that data t the cmpany as sn as pssible. Allw fr audits by VISA/MasterCard/American Express/Discver r VISA/MasterCard/American Express/Discver-apprved entities in the event f a cardhlder data cmprmise. Ensure cntinued security f cardhlder data retained during and after cntract terminatins. As part f the Vendr Management prgram, The Interdependence Prject will perfrm due diligence n each Vendr prir t signing any cntract t cnfirm that the abve guarantees have been adequately met. On at least a yearly basis, The Interdependence Prject will review all vendrs that have access t Critical Cnfidential infrmatin t ensure that: PCI DSS cmpliance certificatin is up-t-date Other prcedures in place t prtect cnfidential infrmatin cntinue t adequately prtect dnrs and event r Class participants and are being prperly executed Make any changes necessary t plicies and prcedures