ATM Security Guidelines


Standard: PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI)
Version: 1.0
Date: January 2013
Author: PCI Security Standards Council

Information Supplement: ATM Security Guidelines


Table of Contents

1 Related Publications
2 Introduction
    2.1 Document Purpose and Scope
    2.2 Intended Audience
    2.3 Terms and Acronyms
    2.4 Objectives
    2.5 Content Organization
3 Introduction to ATM Security
    3.1 Background Information
    3.2 ATM Security Overview
    3.3 ATM Technical Standards
4 ATM Guidelines
    4.1 Integration of Hardware Components
    4.2 Security of Basic Software
    Device Management/Operation
    ATM Application Management
About the PCI Security Standards Council
Annex 1: ATM Reference Model
Annex 2: Criteria for the Privacy Screen Design
Annex 3: Attack Potential Formula (Adopted from JIL)

1 Related Publications

The following ATMIA/GASA, European Payment Council, Microsoft, Trusted Security Solutions, NIST, and PCI standards are applicable and related to the information in this document.

Standard (Source)

- ANSI X9.24: Retail Financial Services Symmetric Key Management (ANSI)
- ATMIA/GASA, Best Practice for ATM Transaction Security (ATMIA/GASA)
- ATMIA/GASA Best Practices for ATM Cyber Security (ATMIA/GASA)
- ATMIA/GASA Best Practices PIN Security & Key Management recommendation (ATMIA/GASA)
- ATMIA/GASA, ATM lifecycle Security Manual, International minimum security guidelines (ATMIA/GASA)
- ATMIA, ATM Software Security Best Practices Guide (ATMIA)
- Guidelines for ATM Security (European Payment Council DTR 413)
- Recommended ATM anti-skimming solutions within SEPA (European Payment Council Doc115-8)
- ISO 11568: Banking Key Management (Retail) (ISO)
- Microsoft Windows XP-based ATM Security Design: A solution for secure, well-managed ATMs using Windows XP and Active Directory (Microsoft)
- Microsoft Managing Windows XP-based ATMs Using SMS and MOM: A solution for secure, well-managed ATMs using Windows XP, Active Directory, Systems Management Server, and Operations Manager (Microsoft)
- Microsoft Windows XP-based ATM Security Design (Microsoft)
- Microsoft Active Directory Design for Windows XP-based ATMs: A solution for secure, well-managed ATMs using Windows XP and Active Directory (Microsoft)
- 2009 Update: Remote Key Loading (Trusted Security Solutions)
- Guidance for securing Microsoft Windows XP systems for IT Professionals (NIST)
- Wireless Management and Security Part 1: General Requirements (NIST)
- Wireless Management and Security Part 2: ATM and POS (NIST)
- Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI SSC)
- Payment Card Industry Payment Application Data Security Standard Requirements and Security Assessment Procedures (PCI SSC)
- Payment Card Industry PTS POI Modular Security Requirements (PCI SSC)
- Payment Card Industry PTS POI Derived Test Requirements (PCI SSC)
- Payment Card Industry PIN Security Requirements (PCI SSC)

Note: These documents are routinely updated and reaffirmed. The current versions should be referenced when using these requirements.

2 Introduction

2.1 Document Purpose and Scope

This document proposes guidelines to mitigate the effect of attacks to ATM aimed at stealing PIN and account data. These guidelines are neither definitive nor exhaustive and are not intended to be used as requirements for a validation program at the PCI SSC. For additional information regarding any compliance questions, contact the payment brand(s) of interest.

2.2 Intended Audience

This Information Supplement is intended for ATM manufacturers, integrators, and deployers of ATMs.

2.3 Terms and Acronyms

Term/Acronym: Description

- AC: ATM controller
- ATM compromise: A violation of the security of a system such that an unauthorized disclosure of sensitive information may have occurred. This includes the unauthorized disclosure, modification, substitution, or use of sensitive data (including plaintext cryptographic keys and other keying material).
- ATM Fraud: The illegal procurement of cash, money value or cardholder information via ATM networks
- EPP: Encrypting PIN PAD, a tamper-responsive security device that provides secure PIN entry and storage of cryptographic material. It is designed to be integrated into ATMs or self-service POS terminals.
- Fascia: ATM front, available for user cardholder interaction: It normally includes the devices required for cardholder interface, such as the (secure) keypad, the card-reader slot or the NFC-device reader, the screen etc. It may also include the note-dispensing tray; the deposit-taking compartment, etc.
- NFC: Near Field Communication. Standards that enable payment applications to communicate with terminals by being in close proximity with a reading pad in the terminal.
- PCI DSS: PCI SSC Data Security Standard. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
- PCI PA-DSS: PCI SSC Payment Application Data Security Standard. This document is to be used by Payment Application-Qualified Security Assessors (PA-QSAs) conducting payment application reviews; so that software vendors can validate that a payment application complies with the PCI DSS Payment Application Data Security Standard (PA-DSS). This document is also to be used by PA-QSAs as a template to create the Report on Validation.
- PCI PTS: PCI PIN Transaction Security Standard. This standard includes security requirements for vendors (PTS POI Requirements), device-validation requirements for laboratories (Derived Test Requirements), and a device approval framework that produces a list of approved PTS POI devices (against the PCI PTS POI Security Requirements) that can be referred to by brands' mandates. The PCI PTS list is broken down into the following Approval Classes of devices: PIN Entry Devices (PEDs, standalone terminals), EPPs (generally to be integrated into ATMs and self-service POS devices), Unattended Payment Terminals (UPT), Secure Card Readers (SCRs), and Non-PIN-enabled (Non-PED) POS Terminals.
- PCI SSC: The Payment Card Industry Security Standards Council, the organization set up by international payment brands to provide global security requirements applicable to electronic card payment systems. The role of PCI SSC also includes the setting up of standards for the validation of merchants, service providers, and devices against the requirements agreed by brands in PCI SSC. The brands may use approvals issued by PCI SSC in their mandates requirements.
- Sensitive data: PIN, account data, secret keys, and other sensitive keying material that a given device relies on to protect characteristics governed by PCI PTS POI Security Requirements, PCI DSS, and PCI PA-DSS.

2.4 Objectives

This document identifies security guidelines for ATMs, considering the protection that can be provided by the hardware and the software of the ATM itself against attacks aimed at compromising sensitive data acquired, stored, exported, or in any way processed by the device. The primary focus is the mitigation of magnetic-stripe or equivalent image data-skimming and PIN-stealing attacks at ATMs or other ATM manipulation to steal cardholder information, which are most prevalent during the ongoing transition of payment systems to chip technology.

This document is aligned with the security approach and modularity of the PCI PTS POI set of security requirements and is intended to provide:

- Security guidance to acquirers and ATM operators that purchase, deploy, and/or operate ATMs.
- Security guidance and best practices to the ATM industry stakeholders, which includes ATM acquirers, manufacturers, software developers, security providers, refurbishers, et al.

The security guidelines in this document build upon a series of existing standards (IT, security, payment card, and ATM industry). As compromise-prevention best practices, they are NOT intended to:

- Provide a set of security requirements for the formal security certification of ATMs.
- Be used as fraud-prevention guidelines (transaction monitoring, card-authentication procedures, etc.)
- Identify guidelines preventing the physical access to the cash stored in the ATM or to the site where the ATM is deployed.
- Identify guidelines for the placement of ATMs.

2.5 Content Organization

Chapter 3: Introduction to ATM Security
    Content:
    - ATM Services Overview
    - ATM Security Overview
    - ATM Technical Standards

Chapter 4: ATM Guidelines

    A. Integration of hardware components
        Security targets:
        - EPP, readers, cabinet, anti-skimming devices
        - Guidelines for further integrators and software developers
        Intended audience: ATM manufacturers, repairing organizations, refurbishers

    B. Security of basic software
        Security targets:
        - OS
        - Middleware (XFS, multivendor software, Open Protocols)
        Intended audience: Software integrators, application developers, ATM manufacturers

    C. Device management/operation
        Security targets:
        - Cryptographic/key management, from initialization/distribution to decommissioning
        - ATM individual security configuration (HW and software)
        - Environment security
        Intended audience: ATM deployers/operators and supporting organizations/service providers

    D. Application management
        Security targets:
        - Security functions driven by the ATM application and application management
        - ATM individual security configuration (hardware and software)
        Intended audience: Application developers, software integrators, ATM operators

Annex 1: ATM Reference Model
    A diagram with a generic ATM architecture, its components, and basic interactions

Annex 2: Criteria for the Privacy Screen Design
    An introduction to privacy screen design

Annex 3: Attack Potential Formula (Adopted from JIL)
    An introduction to attack potential calculation

3 Introduction to ATM Security

3.1 Background Information

Since the introduction of ATMs in the late sixties in the UK, these card-acceptance devices have been playing a key role both in the bank-services-automation arena and in the 24/7 cash supply to the economy in general as well as to commerce. ATMs deliver service in a wide range of environments, from bank branches and convenience stores to unattended locations at shopping malls and business centers.

The number of ATMs worldwide reached 2.25 million units by the end of This number represents growth of 7.3% in one year. Around 100,000 new units were deployed in Asia-Pacific markets alone [1].

Whereas ATMs are primarily engineered to securely store/dispense bank notes and take deposits, they are the preferred self-service platform for an increasing number of services available to cardholders. These include payment of utility bills, topping up of mobile phones, reloading prepaid cards, etc. Other services such as payment of government benefits, entitlements, or micro loans require the disbursement of cash.

As cards and the acceptance infrastructure migrate to chip and NFC technologies, ATMs will continue to play a key role in providing increasingly complex services to chip cards and NFC enabled device holders.

3.2 ATM Security Overview

The cash in transit or stored in the ATM safe has been the asset traditionally targeted by ATM criminals, sometimes in rather violent ways. However, in the last years, attackers have turned their attention equally to soft assets present in the ATM, such as PINs and account data. Criminals use this stolen information to produce counterfeit cards to be used for fraudulent transactions increasingly around the world encompassing ATM withdrawals, purchases with PIN at the point of sale, and purchases without PIN in card-not-present environments.

PINs and account data are assets belonging to cardholders and issuers. They are inevitably in clear form at the ATM, when the card and PIN are entered. By attaching, for example, a pinhole camera and a skimmer to the ATM, a criminal can steal PINs and account data before they can be securely processed by the ATM. These attacks require a relatively low attack potential, in terms of both skills and material that is commercially available. The latest generations of skimmers and cameras are unnoticeable to untrained eyes and can be quickly installed and removed from the ATM without leaving any trace. In high traffic ATMs, dozens of PINs and associated account data sets can be stolen in a few hours.

[1] RBR London, Global ATM Market and Forecasts to

The first line of defense to these attacks has to be offered by the ATM itself. Countermeasures at device level include detection of attached alien objects, disturbance of magnetic-stripe reading near the entry slot, etc. Alarms generated by the device should be acted upon promptly and complemented with inspections of the ATM, more frequently at higher-risk installations.

More sophisticated attacks can involve criminals locally accessing resources of the PC, USB ports for example, to install malware and harvest stolen data. These attacks can be combined with or replace remote attacks that exploit vulnerabilities related to the exposure to open networks.

Attackers take advantage of the inherent design and integration of the ATM as a self-service, card-accepting device. The most significant aspects of an ATM's architecture and usage that draw the attention of criminals are as follows:

1. ATM transactions generally require PIN entry and the reading of the card's magnetic stripe and/or the EMV chip. Attackers have therefore the opportunity to capture pairs of PIN and account data that are highly valued in the underground compromised-account-data market.
2. ATMs are generally identified as financial-service-managed devices. They thus generate a level of trust among cardholders that is contradictory to the caution that should be taken when using public-access devices. Cardholders frequently do not exercise the due discretion during PIN entry or do not react to signs of modification of the fascia, etc.
3. For comfort of the cardholder and effective user interface, ATMs offer a large surface to the public. Skimmers or cameras can be hidden or otherwise disguised. Furthermore, holes can be drilled to access the inside of the cabinet.
4. ATMs are also frequently deployed in unattended locations where the likelihood of frequent inspections to detect attachments or tampering is low.
5. ATMs are made of a set of interconnected modules (PC, cabinet, card reader, EPP, etc.) that exchange data through simple protocols and where all modules may not be authenticated or use data encryption. Exchanged data can be tapped into and the underlying data-exchange protocols can be abused if poorly implemented.
6. The PC itself (its OS or network services) can be abused locally and remotely, often aided by publicly available information. Malware can be installed or the attacker can access sensitive resources of the PC.

3.3 ATM Technical Standards

Many technical IT security standards have been produced pertaining to ATMs. They address their operation, cryptographic key management, wireless connectivity, operating system hardening, physical security, skimming, etc. They also address different stages of the ATM security life, from configuration to deployment and initialization. These standards and guidelines are originated at ISO, ANSI, PCI SSC, EPC, and ATMIA or issued by vendors themselves. The most relevant implementation and usage guidelines are listed in the references in this document.

As organized global crime syndicates target ATMs, the financial industry needs a global ATM security standard to promote the availability of secure ATMs. The main characteristics of this standard are:

- Focus on mitigating the effects of skimming and PIN-stealing attacks
- Primarily targeted at products from ATM vendors and deployers
- Provide a complementary framework for device approval (evaluation methodology, evaluation facilities, and approval management)

The current versions of PCI PTS POI Security Requirements and PCI PIN Security Requirements are excellent starting points for these needed standards. However they are currently defined for POS terminals and their adjustment to ATMs is currently under consideration at the PCI SSC.

Until there is an effective PCI ATM standard, this document fills the perceived current guidance gaps:

- ATM vendors need direction to develop the next generation of ATMs.
- PCI Payment Brand acquirers need support for their procurement processes and to educate their deployers and customers.

4 ATM Guidelines

4.1 Integration of Hardware Components

Objective: Avert magnetic-stripe and other account data compromise and PIN stealing

Security targets:
- EPP, readers, cabinet, privacy shields, anti-skimming devices
- The ATM cabinet and the ATM controller
- Guidelines for further integrators and software developers

Intended audience: ATM manufacturers/deployers/operators, ATM integrators, repairing organizations, refurbishers

Security Objectives

A1. Avert physical local attacks that target account data.
    Remarks: Attacks to card readers that include the placement of skimming bugs, with or without the intrusion of the cabinet.

A2. Avert physical local attacks that target PINs.
    Remarks: Attacks include pinhole cameras or other cameras leveraging the ATM surroundings, visual capture, or PIN-pad overlays with manipulation of the cabinet.

A3. Avert attacks aimed at stealing cryptographic, sensitive data stored in secure components.
    Remarks: Examples of secure components include EPPs, card readers (CRs), and extra readers (for example, NFC).

A4. Avert attacks to disable security countermeasures added to the ATM.
    Remarks: Mechanisms like privacy shields and anti-skimming add-ons.

A5. Mitigate potential negative impact stemming from the integration of service modules into ATMs.
    Remarks: Integration of deposit modules, NFC reading pads, etc.

A6. Protect against unauthorized access to sensitive areas and resources in the cabinet, including the fascia.
    Remarks: By service/maintenance staff or attackers.

A7. Produce a security configuration of the ATM model.
    Remarks: Should include:
    - Hardware components and options
    - Software components and security parameterization

A8. Provide security guidelines for hardware and software integrators.
    Remarks: To ensure that the subsequent integrators use effective security functions provided by prior integration levels.

A9. Provide security guidelines for service staff.
    Remarks: To first level and second level of maintenance (including staff in charge of routine visual checks)

A10. Ensure that removal or unauthorized access to the EPP triggers an alarm.
    Remarks: EPP is a mandatory security component, and its removal indicates potential attack to PIN.

A11. Prevent modifications of the hardware that may reduce the security protection level.
    Remarks: The inclusion of additional features or modules to the ATM may offer a new attack path. These include poorly designed/installed privacy shields, EPPs, or additional readers. All such modifications should be evaluated and documented to determine if the modification will impact security.

A12. Secure the communications between modules within the ATM.
    Remarks:
    i. In addition to within ATM components, cardholder account data should be protected logically and/or physically when traversing between ATM components.
    ii. The communication interface(s) of the ATM should not accept connection requests from unauthorized sources.

A13. Contactless data should be secured to 16 points from the point of digitization of the data.
    Remarks: Minimum attack potential of 16 (minimums of 8 for identification and 8 for exploitation) points per ATM, as defined in Annex 3. The point of digitization occurs when the data is processed by the NFC controller and not at the point of entry. The NFC controller acts as a modem, converting the analog signal to a digital signal just as a magnetic-stripe reader or smart-card reader reads data and converts that to a digital signal. In all cases, the point of digitization is where the wireless signal is converted to a digital data stream.

4.1.2 Guidelines and Best Practices

a) The EPP should have a valid PCI PTS POI approval.
    Remarks:
    i. The EPP model should have the security approval listed in the PCI SSC web site.

b) If the ATM permits access to internal areas that process or store account data (e.g., for service or maintenance), it is not possible using this access area to insert a bug that would disclose any sensitive data.
    Remarks:
    i. Encryption of account data between security-relevant components or sufficiently strong walls, doors, and mechanical locks may be sufficient to meet this guideline.
    ii. Minimum attack potential of 16 (minimums of 8 for identification and 8 for exploitation) points per ATM, as defined in Annex 3.

c) The hardware and any changes to it thereafter have been inspected and reviewed using a documented and repeatable process, and certified as being free from hidden and unauthorized or undocumented functions.
    Remarks:
    i. It is essential to list the security options in an ATM model to be able to assess the overall security level and the impact of changes in security protection levels when ATM modules are introduced or removed (NFC reader, deposit module, etc.).

d) Hardware development and integration should be subject to a well-structured process including formal specification, test plans, and documentation. Hardware is released only if tests according to the test plan were successful.
    Remarks:
    i. The integration of SCRs or EPPs compliant to the applicable PCI PTS POI Security Requirements may facilitate the ATM following this guideline.

e) The integration of the EPP and any mechanisms protecting against unauthorized removal are properly implemented and follow the guidelines provided by the device vendor.
    Remarks:
    i. Minimum attack potential of 18 (minimums of 9 for identification and 9 for exploitation) points per ATM, as defined in Annex 3.
    ii. The integration guidance is validated during the EPP's PTS evaluation and approval.

f) The fascia and cabinet design or the mechanical integration of the EPP should not facilitate the visual observation of PIN values as the cardholder is entering them.
    Remarks:
    i. A privacy screen and other visual observation deterrents (such as placement of the EPP combined with defensive posture of the cardholder's body) should facilitate the ATM following this guideline.

g) The ATM is equipped with mechanisms or otherwise designed to prevent or deter the attacks aiming at retaining the payment card (and recovery by the attackers when cardholder leaves the ATM).
    Remarks:
    i. For example, card trapping, Lebanese Loop attack.

h) The ATM is equipped with mechanisms to prevent or deter attempts to modify or penetrate the ATM to make any additions, substitutions, or modifications to the magnetic-stripe reader or the ATM's hardware or software, in order to determine or modify magnetic-stripe track data.
    Remarks:
    i. The compliance of the reader to Evaluation Module 4 (SRED) of the PCI PTS POI Security Requirements may greatly facilitate the ability of the ATM to follow this guideline.
    ii. The installation, where feasible, of two card readers (CRs) with segregated reading technologies (chip and magnetic-stripe) may greatly contribute to following this guideline.
    iii. Minimum attack potential of 16 (minimums of 8 for identification and 8 for exploitation) points per ATM, as defined in Annex 3.

i) The integration of secure card readers, SCRs and, if applicable, any mechanisms protecting against SCR's unauthorized removal, are properly implemented and follow the guidelines provided by the embedded device vendor.
    Remarks:
    i. SCRs are readers approved under the PCI PTS SCR Approval Class.

j) The logical and physical integration of CRs into the ATM does not create new attack paths to account data.

k) The ATM should be equipped with mechanisms preventing skimming attacks against account data:
    - There should be no demonstrable way to disable or defeat the mechanisms and installing an external or internal skimming device to a minimum attack potential.
    - If not equipped with anti-skimming mechanisms or with mechanisms that do not reach the minimum attack potential, there should be manual control procedures in place so that the ATM is periodically inspected for the presence of skimming devices. The inspections should include remote and/or local procedures; their frequency should be a function of the risk of the installation and they should be triggered when alarms indicate potential attachment of a skimming device.
    - Detection by an anti-skimming device of a skimming attack or any tampering attempt should result in the closure of the machine or the issuance of an alert.
    - Changes in the environment of the card slot should always be detected after ATM is powered on.
    Remarks:
    i. Minimum attack potential of 16 (minimums of 8 for identification and 8 for exploitation) points per ATM for the anti-skimming mechanisms, as defined in Annex 3.
    ii. An ATM should be equipped with an anti-skimming device according to at least one of the following anti-skimming methods:
        - The device is able to prevent attachment or placement inside a card reader of a skimming device or a partly or completely fake ATM front on a card reader. Such an anti-skimming device should be equipped with active removal and modification detection functionality to shut down the ATM when activated.
        - The device is able to detect attachment of a skimming device or a partly or complete fake ATM front on a card reader. Such an anti-skimming device should be equipped with a detection functionality to shut down the ATM when activated.
        - The device is able to disturb the reading of the magnetic stripe by attached devices whenever a card is entered into the card reader.
        - The device is able to detect or prevent the placement of a skimming device in between the fascia and the reader (e.g., with internal/motorized readers).
    iii. The ATM monitoring system should be able to remotely detect whether electronic anti-skimming solutions are operational.
    iv. When a card is inserted into the card slot and the card transport does not function accordingly, the ATM should stop operating and return the card. When an ATM is closed for operation it should not be possible to enter the PIN, and a corresponding warning should be displayed.
    v. If the card-reader entrance opening has a recess to grasp the card, the shape of this recess should make it difficult to install an external device to capture magnetic-track data or the card slot should be designed with a clean and smooth fascia such that any foreign additions can be more easily detected.
    vi. The materials used to build the card-entrance area should have anti-vandal characteristics in order to make its removal or destruction tamper evident.
    vii. Security cameras may be used to detect the attachment to the fascia of external skimmers.

l) The ATM should be equipped with only one cardholder PIN-acceptance interface, the ATM PCI PTS-approved EPP.
    Remarks:
    i. Only the EPP can be used for PIN entry.

m) If the EPP can be used for non-PIN data entry, the unauthorized alteration of prompts for non-PIN data entry into the EPP cannot occur without requiring a minimum attack potential.
    Remarks:
    i. PINs may be compromised when malware prompts for the PIN entry when the EPP output is not encrypted.
    ii. Minimum attack potential of 16 (minimums of 8 for identification and 8 for exploitation) points per ATM, as defined in Annex 3.

n) If the ATM supports any input devices other than the EPP, including touch screens, both the ATM display and additional input devices should be securely protected so that it is not possible to alter display prompts or log key entry without requiring a minimum attack potential.
    Remarks:
    i. Minimum attack potential of 18 (minimums of 9 for identification and 9 for exploitation) points per ATM, as defined in Annex 3.
    ii. Any input device should be securely controlled so that it is not possible to maliciously abuse it to capture PINs.
    iii. All user interfaces (e.g., HTML, scripts, etc.) should be protected against manipulation at all times.

o) Where possible and allowed by law, the ATM should be equipped with a security camera.
    Remarks:
    i. The location for camera installation should be carefully chosen to ensure that images of keypad entry are not recorded.
    ii. The camera should support the detection of the attachment of alien devices to the fascia and possess the ability to generate an alarm for remote monitoring if the camera is blocked or otherwise disabled.

p) The integration of the EPP into the ATM fascia should be engineered in a way that the ATM does not facilitate the fraudulent placement of an overlay over the PIN pad.
    Remarks:
    i. Features like recesses in the fascia, bezels, or a privacy shield may facilitate or disguise the attachment of a thin, fraudulent keypad over the EPP keypad.

4.2 Security of Basic Software

Objective: Avert magnetic-stripe skimming and PIN stealing

Security targets:
- Operating System, BIOS
- Middleware (XFS, CEN XFS, CEN J/XFS, multivendor software, Open Protocols)

Intended audience: Software integrators, application developers, ATM manufacturers/deployers/operators

Security Objectives

B1. Prevent abuse of OS and reduce the attack surface of the ATM OS platform (Windows) and BIOS.
    Remarks: Operating system should be hardened or parameterized so as to prevent abuse of privileges, default accounts, installation of malicious software, and unauthorized access to resources like USB ports/CDs/DVDs/hard disks. The OS should enforce strict application separation; for example, the unauthorized usage of the various services (OS, Platform, including XFS and Applications) should be prevented at all times, e.g., runtime, service and administration. It should not be possible to install rogue software. (Both with and without physical access should be considered.) Hardening/locking-down guidelines issued by the OS supplier should be strictly followed.

B2. Prevent exploitation of public domain vulnerabilities in the Open Protocols stack.
    Remarks: Ensure the regular security review and the patching of minimum set of protocols used.

B3. Reduce attack surface from public and private networks.
    Remarks: The communication interface should be hardened.

B4. Prevent abuse by software suppliers.
    Remarks: Software from third-party middleware vendors (for example, multivendor ATM application emulators) and other software should be tested before installation or usage. For example, PA-DSS requirements should be applied to banking applications to facilitate the protection of account and PIN data.

B5. Use effective network isolation and intrusion detection/mitigation tools.
    Remarks: Network isolation and intrusion detection/mitigation tools should be used.

B6. Trace/log OS activity.
    Remarks: OS should be parameterized to log all relevant events.

B7. Protect sensitive functions and enforcement mechanisms for appropriate key-loading procedures.
B8. Protect against unauthorized changes.
B9. Protect against the unauthorized remote control of the application.
B10. Protect against unauthorized installation of software.
    Remarks (B7 to B10):
    - Example of sensitive functions: firmware loading, loading of clear, initial keys.
    - Access to the AC should require administrator rights.
    - To ensure protection against malware.
    - Strict access-control procedures should be put in place to allow remote access for service purposes.

ATMs have a multi-layer software stack consisting of:
1) The operating system,
2) The platform together with the respective hardware drivers and support for CEN XFS - CEN J/XFS, and
3) The software application

Guidelines and Best Practices

a) The ATM performs a self-test upon startup and at least once per day to check the software of the AC, the security mechanisms under the control of the ATM for signs of tampering, and whether the ATM is in a compromised state. In the event of a failure, the ATM and its functionality should fail in a secure manner.
    Remarks:
    i. Core software mechanisms exist to validate banking applications.

b) The ATM uses and relies upon the EPP functions and control mechanisms for key loading and key management, as evaluated during the PCI PTS EPP approval process.
    Remarks:
    i. An example of a sensitive EPP function is the loading of clear initial keys under the principles of dual control and split knowledge.
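
Guideline a) of section 4.2 asks for a self-test at startup and at least once per day that fails in a secure manner. The following sketch is an added example, not part of the PCI SSC supplement: it checks the AC software against an authenticated hash manifest, flags files that are missing, modified or not listed, and puts the ATM out of service on any failure, including an error in the self-test itself. The manifest layout, the use of HMAC-SHA256, the file names and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from enum import Enum

MAX_SELF_TEST_AGE_S = 24 * 60 * 60  # "at least once per day" from guideline a)


class State(Enum):
    IN_SERVICE = "in_service"
    OUT_OF_SERVICE = "out_of_service"  # fail-secure state: no card or PIN accepted


def sign_manifest(files, key):
    """Return {"files": {relative_path: sha256_hex}, "tag": HMAC over the file list}."""
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def _sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def self_test(manifest, key, root):
    """Return (State, findings). Every failure path ends in OUT_OF_SERVICE."""
    findings = []
    try:
        # 1. The manifest itself must be authentic before its hashes are trusted.
        body = json.dumps(manifest["files"], sort_keys=True).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, manifest["tag"]):
            return State.OUT_OF_SERVICE, ["manifest authentication failed"]
        # 2. Every listed file must exist and match its recorded hash.
        for rel, recorded in manifest["files"].items():
            path = os.path.join(root, rel)
            if not os.path.isfile(path):
                findings.append(f"missing: {rel}")
            elif not hmac.compare_digest(_sha256_file(path), recorded):
                findings.append(f"modified: {rel}")
        # 3. Files on disk that the manifest does not list count as unauthorized software.
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in manifest["files"]:
                    findings.append(f"unlisted: {rel}")
    except Exception as exc:  # a broken self-test must not leave the ATM in service
        return State.OUT_OF_SERVICE, [f"self-test error: {type(exc).__name__}"]
    return (State.OUT_OF_SERVICE if findings else State.IN_SERVICE), findings


def may_accept_cards(state, last_pass_ts, now):
    """Transactions are allowed only with a passing self-test no older than one day."""
    if state is not State.IN_SERVICE or last_pass_ts is None:
        return False
    return 0 <= now - last_pass_ts <= MAX_SELF_TEST_AGE_S


def demo():
    """Run the self-test over a constructed file tree: clean, tampered, forged manifest."""
    key = b"constructed-demo-key"  # assumption: a real key would live in secure hardware
    files = {  # constructed sample content, hypothetical file names
        "app/atm_app.bin": b"application v1",
        "xfs/sp_cardreader.dll": b"service provider",
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        hashes = {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}
        manifest = sign_manifest(hashes, key)
        results["clean"] = self_test(manifest, key, root)
        # Simulate tampering: one file changed, one unlisted file added.
        with open(os.path.join(root, "app/atm_app.bin"), "wb") as handle:
            handle.write(b"patched")
        with open(os.path.join(root, "extra.bin"), "wb") as handle:
            handle.write(b"unknown")
        results["tampered"] = self_test(manifest, key, root)
        # A manifest edited to list the new file, without a valid tag, is rejected.
        forged = {"files": dict(hashes, **{"extra.bin": "00" * 32}), "tag": manifest["tag"]}
        results["forged"] = self_test(forged, key, root)
    return results


if __name__ == "__main__":
    for name, (state, findings) in demo().items():
        print(name, state.value, findings)
```
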


More information

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1 Imprved Data Center Pwer Cnsumptin and Streamlining Management in Windws Server 2008 R2 with SP1 Disclaimer The infrmatin cntained in this dcument represents the current view f Micrsft Crpratin n the issues

More information

ITIL V3 Planning, Protection and Optimization (PPO) Certification Program - 5 Days

ITIL V3 Planning, Protection and Optimization (PPO) Certification Program - 5 Days ITIL V3 Planning, Prtectin and Optimizatin (PPO) Certificatin Prgram - 5 Days Prgram Overview The ITIL Intermediate Qualificatin: Planning, Prtectin and Optimizatin (PPO) Certificate is a free-standing

More information

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337 HIPAA Cmpliance 101 Imprtant Terms Cvered Entities (CAs) The HIPAA Privacy Rule refers t three specific grups as cvered entities, including health plans, healthcare clearinghuses, and health care prviders

More information

Personal Data Security Breach Management Policy

Personal Data Security Breach Management Policy Persnal Data Security Breach Management Plicy 1.0 Purpse The Data Prtectin Acts 1988 and 2003 impse bligatins n data cntrllers in Western Care Assciatin t prcess persnal data entrusted t them in a manner

More information

THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM

THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM THE CITY UNIVERSITY OF NEW YORK IDENTITY THEFT PREVENTION PROGRAM 1. Prgram Adptin The City University f New Yrk (the "University") develped this Identity Theft Preventin Prgram (the "Prgram") pursuant

More information

Serv-U Distributed Architecture Guide

Serv-U Distributed Architecture Guide Serv-U Distributed Architecture Guide Hrizntal Scaling and Applicatin Tiering fr High Availability, Security, and Perfrmance Serv-U Distributed Architecture Guide v14.0.1.0 Page 1 f 16 Intrductin Serv-U

More information

Systems Support - Extended

Systems Support - Extended 1 General Overview This is a Service Level Agreement ( SLA ) between and the Enterprise Windws Services t dcument: The technlgy services the Enterprise Windws Services prvides t the custmer. The targets

More information

PCI - Why You Need to be Compliant When Accepting Credit Card Payments. Agenda. Breaches in the Headlines. Breach Events & Commonalities

PCI - Why You Need to be Compliant When Accepting Credit Card Payments. Agenda. Breaches in the Headlines. Breach Events & Commonalities PCI - Why Yu Need t be Cmpliant When Accepting Credit Card Payments Tuesday, March 27, 2012 Agenda Breach Events & Cmmnalities Evlutin f PCI PCI Requirements Risks f Nn-cmpliance Industry Initiatives t

More information

Installation Guide Marshal Reporting Console

Installation Guide Marshal Reporting Console Installatin Guide Installatin Guide Marshal Reprting Cnsle Cntents Intrductin 2 Supprted Installatin Types 2 Hardware Prerequisites 2 Sftware Prerequisites 3 Installatin Prcedures 3 Appendix: Enabling

More information

SBClient and Microsoft Windows Terminal Server (Including Citrix Server)

SBClient and Microsoft Windows Terminal Server (Including Citrix Server) SBClient and Micrsft Windws Terminal Server (Including Citrix Server) Cntents 1. Intrductin 2. SBClient Cmpatibility Infrmatin 3. SBClient Terminal Server Installatin Instructins 4. Reslving Perfrmance

More information

ITL BULLETIN FOR JANUARY 2016 SECURING INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT USING SECURE SHELL (SSH)

ITL BULLETIN FOR JANUARY 2016 SECURING INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT USING SECURE SHELL (SSH) ITL BULLETIN FOR JANUARY 2016 SECURING INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT USING SECURE SHELL (SSH) Murugiah Suppaya, Karen Scarfne, 1 and Larry Feldman, 2 Editrs Cmputer Security Divisin Infrmatin

More information

expertise hp services valupack consulting description security review service for Linux

expertise hp services valupack consulting description security review service for Linux expertise hp services valupack cnsulting descriptin security review service fr Linux Cpyright services prvided, infrmatin is prtected under cpyright by Hewlett-Packard Cmpany Unpublished Wrk -- ALL RIGHTS

More information

Name. Description. Rationale

Name. Description. Rationale Cmplliiance Cmpnentt Descriptin Ratinale Benefits List the Dmain List the Discipline List the Technlgy Area List Prduct Cmpnent Dcument the Cmpliance Cmpnent Type Cmpnent Sub-type DEEFFI INITION Hst-Based

More information

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK

PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Department f Health and Human Services OFFICE OF INSPECTOR GENERAL PENETRATION TEST OF THE INDIAN HEALTH SERVICE S COMPUTER NETWORK Inquiries abut this reprt may be addressed t the Office f Public Affairs

More information

POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014

POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014 State f Michigan POLICY 1390 Infrmatin Technlgy Cntinuity f Business Planning Issued: June 4, 2009 Revised: June 12, 2014 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY: Plicy fr Infrmatin Technlgy (IT)

More information

MaaS360 Cloud Extender

MaaS360 Cloud Extender MaaS360 Clud Extender Installatin Guide Cpyright 2012 Fiberlink Cmmunicatins Crpratin. All rights reserved. Infrmatin in this dcument is subject t change withut ntice. The sftware described in this dcument

More information

ITIL Release Control & Validation (RCV) Certification Program - 5 Days

ITIL Release Control & Validation (RCV) Certification Program - 5 Days ITIL Release Cntrl & Validatin (RCV) Certificatin Prgram - 5 Days Prgram Overview ITIL is a set f best practices guidance that has becme a wrldwide-adpted framewrk fr Infrmatin Technlgy Services Management

More information

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010 OntariMD Inc. Electrnic Medical Recrds SPECIFICATION Hspital Reprt Manager Cnnectivity Requirements DRAFT Date: September 30, 2010 Versin: 1.0 2007-2010 OntariMD Inc. All rights reserved HRM EMR Cnnectivity

More information

Comtrex Systems Corporation. CISP/PCI Implementation Guidance for Odyssey Suite

Comtrex Systems Corporation. CISP/PCI Implementation Guidance for Odyssey Suite CISP/PCI Implementatin Guidance fr Odyssey Suite Applicable Applicatin Versin This dcument supprts the fllwing applicatin versin: Odyssey Suite Versin 2.0 Intrductin Systems which prcess payment transactins

More information

CHANGE MANAGEMENT STANDARD

CHANGE MANAGEMENT STANDARD The electrnic versin is current, r when printed and stamped with the green cntrlled dcument stamp. All ther cpies are uncntrlled. DOCUMENT INFORMATION Descriptin Dcument Owner This standard utlines the

More information

Service Level Agreement (SLA) Hosted Products. Netop Business Solutions A/S

Service Level Agreement (SLA) Hosted Products. Netop Business Solutions A/S Service Level Agreement (SLA) Hsted Prducts Netp Business Slutins A/S Cntents 1 Service Level Agreement... 3 2 Supprt Services... 3 3 Incident Management... 3 3.1 Requesting service r submitting incidents...

More information

Ensuring end-to-end protection of video integrity

Ensuring end-to-end protection of video integrity White paper Ensuring end-t-end prtectin f vide integrity Prepared by: Jhn Rasmussen, Senir Technical Prduct Manager, Crprate Business Unit, Milestne Systems Date: May 22, 2015 Milestne Systems Ensuring

More information

Preparing to Deploy Reflection : A Guide for System Administrators. Version 14.1

Preparing to Deploy Reflection : A Guide for System Administrators. Version 14.1 Preparing t Deply Reflectin : A Guide fr System Administratrs Versin 14.1 Table f Cntents Table f Cntents... 2 Preparing t Deply Reflectin 14.1:... 3 A Guide fr System Administratrs... 3 Overview f the

More information

Zimbra Professional Services Portfolio, Purchasing Guide & Price List

Zimbra Professional Services Portfolio, Purchasing Guide & Price List In- Tuitin Netwrks Ltd Zimbra Prfessinal Services Prtfli, Purchasing Guide & Price List This dcument prvides an verview f In- Tuitin Netwrks Limited s range f Zimbra Prfessinal Services available n the

More information

Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd

Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Audit Cmmittee Charter St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Versin 2.0, 22 February 2016 Apprver Bard f Directrs St Andrew

More information

ACTIVITY MONITOR Real Time Monitor Employee Activity Monitor

ACTIVITY MONITOR Real Time Monitor Employee Activity Monitor ACTIVITY MONITOR Real Time Mnitr Emplyee Activity Mnitr This pwerful tl allws yu t track any LAN, giving yu the mst detailed infrmatin n what, hw and when yur netwrk users perfrmed. Whether it is a library

More information

Chapter 7 Business Continuity and Risk Management

Chapter 7 Business Continuity and Risk Management Chapter 7 Business Cntinuity and Risk Management Sectin 01 Business Cntinuity Management 070101 Initiating the Business Cntinuity Plan (BCP) Purpse: T establish the apprpriate level f business cntinuity

More information

Using PayPal Website Payments Pro UK with ProductCart

Using PayPal Website Payments Pro UK with ProductCart Using PayPal Website Payments Pr UK with PrductCart Overview... 2 Abut PayPal Website Payments Pr & Express Checkut... 2 What is Website Payments Pr?... 2 Website Payments Pr and Website Payments Standard...

More information

Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply

Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply Sectin 1 General Infrmatin RFR Number: (Reference BPO Number) Functinal Area (Enter One Only) F50B3400026 7 Infrmatin System Security Labr Categry A single supprt resurce may be engaged fr a perid nt t

More information

CSC IT practix Recommendations

CSC IT practix Recommendations CSC IT practix Recmmendatins CSC Healthcare 28th January 2014 Versin 3 www.csc.cm/glbalhealthcare Cntents 1 Imprtant infrmatin 3 2 IT Specificatins 4 2.1 Wrkstatins... 4 2.2 Minimum Server with 1-5 wrkstatins

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT The PCI Security Standards Cuncil Releases PCI DSS Versin 3.2 May 9, 2016 On April 28, 2016, the PCI Security Standards Cuncil (PCI SSC) released PCI Data Security Standard (PCI

More information

Vulnerability Management:

Vulnerability Management: Vulnerability Management: Creating a Prcess fr Results Kyle Snavely Veris Grup, LLC Summary Organizatins increasingly rely n vulnerability scanning t identify risks and fllw up with remediatin f thse risks.

More information

SaaS Listing CA Cloud Service Management

SaaS Listing CA Cloud Service Management SaaS Listing CA Clud Service Management 1. Intrductin This dcument prvides standards and features that apply t the CA Clud Service Management (CSM) SaaS ffering prvided t the Custmer and defines the parameters

More information

Key Steps for Organizations in Responding to Privacy Breaches

Key Steps for Organizations in Responding to Privacy Breaches Key Steps fr Organizatins in Respnding t Privacy Breaches Purpse The purpse f this dcument is t prvide guidance t private sectr rganizatins, bth small and large, when a privacy breach ccurs. Organizatins

More information

Implementing SQL Manage Quick Guide

Implementing SQL Manage Quick Guide Implementing SQL Manage Quick Guide The purpse f this dcument is t guide yu thrugh the quick prcess f implementing SQL Manage n SQL Server databases. SQL Manage is a ttal management slutin fr Micrsft SQL

More information

TrustED Briefing Series:

TrustED Briefing Series: TrustED Briefing Series: Since 2001, TrustCC has prvided IT audits and security assessments t hundreds f financial institutins thrugh ut the United States. Our TrustED Briefing Series are white papers

More information

First Global Data Corp.

First Global Data Corp. First Glbal Data Crp. Privacy Plicy As f February 23, 2015 Ding business with First Glbal Data Crp. ("First Glbal", First Glbal Mney, "we" r "us", which includes First Glbal Data Crp. s subsidiary, First

More information

Vantiv eprotect iframe Technical Assessment Paper Prepared for:

Vantiv eprotect iframe Technical Assessment Paper Prepared for: Vantiv eprtect iframe Technical Assessment Paper Prepared fr: Octber 13, 2015 P a g e 2 Cntents EXECUTIVE SUMMARY...3 OVERVIEW... 3 ABOUT VANTIV EPROTECT... 4 OPERATIONAL FLOW... 5 TECHNICAL ASSESSMENT...6

More information

THIRD PARTY PROCUREMENT PROCEDURES

THIRD PARTY PROCUREMENT PROCEDURES ADDENDUM #1 THIRD PARTY PROCUREMENT PROCEDURES NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS TRANSPORTATION DEPARTMENT JUNE 2011 OVERVIEW These prcedures establish standards and guidelines fr the Nrth Central

More information

Installation Guide Marshal Reporting Console

Installation Guide Marshal Reporting Console INSTALLATION GUIDE Marshal Reprting Cnsle Installatin Guide Marshal Reprting Cnsle March, 2009 Cntents Intrductin 2 Supprted Installatin Types 2 Hardware Prerequisites 3 Sftware Prerequisites 3 Installatin

More information

Business Continuity Management Systems Foundation Training Course

Business Continuity Management Systems Foundation Training Course Certificatin criteria fr Business Cntinuity Management Systems Fundatin Training Curse CONTENTS 1. INTRODUCTION 2. LEARNING OBJECTIVES 3. ENABLING OBJECTIVES KNOWLEDGE & SKILLS 4. TRAINING METHODS 5. COURSE

More information

Data Warehouse Scope Recommendations

Data Warehouse Scope Recommendations Rensselaer Data Warehuse Prject http://www.rpi.edu/datawarehuse Financial Analysis Scpe and Data Audits This dcument describes the scpe f the Financial Analysis data mart scheduled fr delivery in July

More information

ScaleIO Security Configuration Guide

ScaleIO Security Configuration Guide ScaleIO Security Cnfiguratin Guide 1 Intrductin This sectin prvides an verview f the settings available in ScaleIO t ensure secure peratin f the prduct: Security settings are divided int the fllwing categries:

More information

ITIL Service Offerings & Agreement (SOA) Certification Program - 5 Days

ITIL Service Offerings & Agreement (SOA) Certification Program - 5 Days ITIL Service Offerings & Agreement (SOA) Certificatin Prgram - 5 Days Prgram Overview ITIL is a set f best practices guidance that has becme a wrldwide-adpted framewrk fr Infrmatin Technlgy Services Management

More information

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released Page 1 f 6 Vice President, Infrmatics and Transfrmatin Supprt APPROVED (S) REVISED / REVIEWED SUMMARY Versin Date Cmments / Changes 1.0 Initial Plicy Released INTENT / PURPOSE The Infrmatin and Data Gvernance

More information

Christchurch Polytechnic Institute of Technology Access Control Security Standard

Christchurch Polytechnic Institute of Technology Access Control Security Standard CPIT Crprate Services Divisin: ICT Christchurch Plytechnic Institute f Technlgy Access Cntrl Security Standard Crprate Plicies & Prcedures Sectin 1: General Administratin Dcument CPP121a Principles Infrmatin

More information

The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future

The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future The Imprtance Advanced Data Cllectin System Maintenance Berry Drijsen Glbal Service Business Manager WHITE PAPER knwledge t shape yur future The Imprtance Advanced Data Cllectin System Maintenance Cntents

More information

Restricted Document. Pulsant Technical Specification

Restricted Document. Pulsant Technical Specification Pulsant Technical Specificatin Title Pulsant Dedicated Server Department Prduct Develpment Cntributrs RR Classificatin Restricted Versin 1.0 Overview Pulsant ffer a Dedicated Server service t underpin

More information

Implementing an electronic document and records management system using SharePoint 7

Implementing an electronic document and records management system using SharePoint 7 Reprt title Agenda item Implementing an electrnic dcument and recrds management system using SharePint 7 Meeting Finance, Prcurement & Prperty Cmmittee 16 June 2008 Date Reprt by Dcument Number Head f

More information

ROSS RepliWeb Operations Suite for SharePoint. SSL User Guide

ROSS RepliWeb Operations Suite for SharePoint. SSL User Guide ROSS RepliWeb Operatins Suite fr SharePint SSL User Guide Sftware Versin 2.5 March 18, 2010 RepliWeb, Inc., 6441 Lyns Rad, Ccnut Creek, FL 33073 Tel: (954) 946-2274, Fax: (954) 337-6424 E-mail: inf@repliweb.cm,

More information

Licensing Windows Server 2012 R2 for use with virtualization technologies

Licensing Windows Server 2012 R2 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 R2 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 R2 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents

More information

Session 9 : Information Security and Risk

Session 9 : Information Security and Risk INFORMATION STRATEGY Sessin 9 : Infrmatin Security and Risk Tharaka Tennekn B.Sc (Hns) Cmputing, MBA (PIM - USJ) POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014 Infrmatin Management Framewrk 2 Infrmatin

More information

Electronic Signatures Laws

Electronic Signatures Laws White Paper Electrnic Signatures Laws Versin 1.0 Last Updated: 21-09-2010 www.sutisft.cm Intrductin Mst businesses these days use electrnic signatures fr btaining users cnsent r apprval f dcuments nline.

More information

IMT Standards. Standard number A000014. GoA IMT Standards. Effective Date: 2010-09-30 Scheduled Review: 2011-03-30 Last Reviewed: Type: Technical

IMT Standards. Standard number A000014. GoA IMT Standards. Effective Date: 2010-09-30 Scheduled Review: 2011-03-30 Last Reviewed: Type: Technical IMT Standards IMT Standards Oversight Cmmittee Gvernment f Alberta Effective Date: 2010-09-30 Scheduled Review: 2011-03-30 Last Reviewed: Type: Technical Standard number A000014 Electrnic Signature Metadata

More information

Gateway Agent - First Amendment to the High Level Design Document

Gateway Agent - First Amendment to the High Level Design Document Gateway Agent - First Amendment t the High Level Design Dcument Scpe The Gateway Agent HLD thrugh update 1 assumes that nly the Cntrl App, while cnnected t the prximal netwrk, can initiate new clud services.

More information

Information Services Hosting Arrangements

Information Services Hosting Arrangements Infrmatin Services Hsting Arrangements Purpse The purpse f this service is t prvide secure, supprted, and reasnably accessible cmputing envirnments fr departments at DePaul that are in need f server-based

More information

9 ITS Standards Specification Catalog and Testing Framework

9 ITS Standards Specification Catalog and Testing Framework New Yrk State ITS Standards Specificatin Develpment Guide 9 ITS Standards Specificatin Catalg and Testing Framewrk This chapter cvers cncepts related t develpment f an ITS Standards Specificatin Catalg

More information

Symantec User Authentication Service Level Agreement

Symantec User Authentication Service Level Agreement Symantec User Authenticatin Service Level Agreement Overview and Scpe This Symantec User Authenticatin service level agreement ( SLA ) applies t Symantec User Authenticatin prducts/services, such as Managed

More information

Serv-U Distributed Architecture Guide

Serv-U Distributed Architecture Guide Serv-U Distributed Architecture Guide Hrizntal Scaling and Applicatin Tiering fr High Availability, Security, and Perfrmance Serv-U Distributed Architecture Guide v15.1.2.0 Page 1 f 20 Intrductin Serv-U

More information

Cloud Services Frequently Asked Questions FAQ

Cloud Services Frequently Asked Questions FAQ Clud Services Frequently Asked Questins FAQ Revisin 1.0 6/05/2015 List f Questins Intrductin What is the Caradigm Intelligence Platfrm (CIP) clud? What experience des Caradigm have hsting prducts like

More information

Licensing Windows Server 2012 for use with virtualization technologies

Licensing Windows Server 2012 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents This

More information

Nuance Healthcare Services Project Delivery Methodology

Nuance Healthcare Services Project Delivery Methodology NUANCE PROFESSIONAL SERVICES Nuance Healthcare Services 2008 Nuance Cmmunicatins, Inc. All rights reserved. Nuance Healthcare Services 1 INTRODUCTION This dcument describes the prject management methdlgy

More information

Wireless Light-Level Monitoring

Wireless Light-Level Monitoring Wireless Light-Level Mnitring ILT1000 ILT1000 Applicatin Nte Wireless Light-Level Mnitring 1 Wireless Light-Level Mnitring ILT1000 The affrdability, accessibility, and ease f use f wireless technlgy cmbined

More information

NERC-CIP Cyber Security Standards Compliance Documentation

NERC-CIP Cyber Security Standards Compliance Documentation Cmpliance Dcumentatin Briv OnAir 8/3/20154 Page 2 Overview This dcument is intended t be the primary surce f infrmatin fr Briv s cmpliance with the Nrth America Electric Reliability Crpratin (NERC) reliability

More information

BES12 Jumpstart Program Description ( Jumpstart Program Description )

BES12 Jumpstart Program Description ( Jumpstart Program Description ) BES12 Jumpstart Prgram Descriptin ( Jumpstart Prgram Descriptin ) This dcument includes all attached Annexes, is prvided fr infrmatinal purpses nly, and des nt in itself cnstitute a binding legal dcument.

More information

COE: Hybrid Course Request for Proposals. The goals of the College of Education Hybrid Course Funding Program are:

COE: Hybrid Course Request for Proposals. The goals of the College of Education Hybrid Course Funding Program are: COE: Hybrid Curse Request fr Prpsals The gals f the Cllege f Educatin Hybrid Curse Funding Prgram are: T supprt the develpment f effective, high-quality instructin that meets the needs and expectatins

More information

State of Wisconsin DET Dedicated Virtual Host Services Offering Definition

State of Wisconsin DET Dedicated Virtual Host Services Offering Definition State f Wiscnsin DET Dedicated Virtual Hst Services Offering Definitin Dcument Revisin Histry Date Versin Creatr Ntes 10/29/2010 1.0 Phil Staley Initial draft 11/3/2010 1.1 Phil Staley Ryan McKee Secnd

More information

BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS

BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS SERIES: 1 General Rules RULE: 17.1 Recrd Retentin Scpe: The purpse f this rule is t establish the systematic review, retentin and destructin

More information

Internal Audit Charter and operating standards

Internal Audit Charter and operating standards Internal Audit Charter and perating standards 2 1 verview This dcument sets ut the basis fr internal audit: (i) the Internal Audit charter, which establishes the framewrk fr Internal Audit; and (ii) hw

More information

Privacy Policy. The Central Equity Group understands how highly people value the protection of their privacy.

Privacy Policy. The Central Equity Group understands how highly people value the protection of their privacy. Privacy Plicy The Central Equity Grup understands hw highly peple value the prtectin f their privacy. Fr that reasn, the Central Equity Grup takes particular care in dealing with any persnal and sensitive

More information

HP Point of Sale FAQ Warranty, Care Pack Service & Support. Limited warranty... 2 HP Care Pack Services... 3 Support... 3

HP Point of Sale FAQ Warranty, Care Pack Service & Support. Limited warranty... 2 HP Care Pack Services... 3 Support... 3 HP Pint f Sale FAQ Warranty, Care Pack Service & Supprt Limited warranty... 2 HP Care Pack Services... 3 Supprt... 3 Limited warranty Q: What des a 3/3/3 limited warranty mean? A: HP Retail Pint f Sale

More information

CASSOWARY COAST REGIONAL COUNCIL POLICY ENTERPRISE RISK MANAGEMENT

CASSOWARY COAST REGIONAL COUNCIL POLICY ENTERPRISE RISK MANAGEMENT CASSOWARY COAST REGIONAL COUNCIL POLICY ENTERPRISE RISK MANAGEMENT Plicy Number: 2.20 1. Authrity Lcal Gvernment Act 2009 Lcal Gvernment Regulatin 2012 AS/NZS ISO 31000-2009 Risk Management Principles

More information

Guidelines on Data Management in Horizon 2020

Guidelines on Data Management in Horizon 2020 Guidelines n Data Management in Hrizn 2020 Versin 1.0 11 December 2013 Guidelines n Data Management in Hrizn 2020 Versin 16 December 2013 Intrductin In Hrizn 2020 a limited pilt actin n pen access t research

More information

HP ExpertOne. HP2-T21: Administering HP Server Solutions. Table of Contents

HP ExpertOne. HP2-T21: Administering HP Server Solutions. Table of Contents HP ExpertOne HP2-T21: Administering HP Server Slutins Industry Standard Servers Exam preparatin guide Table f Cntents Overview 2 Why take the exam? 2 HP ATP Server Administratr V8 certificatin 2 Wh shuld

More information

SMART Active Directory Migrator 9.0.2. Requirements

SMART Active Directory Migrator 9.0.2. Requirements SMART Active Directry Migratr 9.0.2 January 2016 Table f Cntents... 3 SMART Active Directry Migratr Basic Installatin... 3 Wrkstatin and Member Server System... 5 Netwrking... 5 SSL Certificate... 6 Service

More information

THOMSON REUTERS C-TRACK CASE MANAGEMENT SYSTEM SOFTWARE AS A SERVICE SERVICE DEFINITION FOR G-CLOUD 6

THOMSON REUTERS C-TRACK CASE MANAGEMENT SYSTEM SOFTWARE AS A SERVICE SERVICE DEFINITION FOR G-CLOUD 6 THOMSON REUTERS C-TRACK CASE MANAGEMENT SYSTEM SOFTWARE AS A SERVICE SERVICE DEFINITION FOR G-CLOUD 6 C-Track Case Management System (CMS) is a cnfigurable, brwser based case management system fr all levels

More information

NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine

NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine Title: Identity Theft Prgram Effective Date: July 2009 NYU Langne Medical Center NYU Hspitals Center NYU Schl f Medicine POLICY It is the plicy f the NYU Langne Medical Center t educate and train staff

More information

BackupAssist SQL Add-on

BackupAssist SQL Add-on WHITEPAPER BackupAssist Versin 6 www.backupassist.cm 2 Cntents 1. Requirements... 3 1.1 Remte SQL backup requirements:... 3 2. Intrductin... 4 3. SQL backups within BackupAssist... 5 3.1 Backing up system

More information

.100 POLICY STATEMENT

.100 POLICY STATEMENT Treasury Management Operatins Sectin: Treasury Management Number: 105.100 Title: Treasury Management Operatins POLICY Index.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE

More information

Cyber Security: Simulation Platform

Cyber Security: Simulation Platform Service Overview The Symantec Cyber Security: Simulatin Platfrm is a Web hsted Service with immersive and hands-n access t cyber exercises fr ffensive (red team) events, inspired by real-life security

More information

Good Secure Collaboration Suite Quickstart Program Description ( Quickstart Program Description )

Good Secure Collaboration Suite Quickstart Program Description ( Quickstart Program Description ) Gd Secure Cllabratin Suite Quickstart Prgram Descriptin ( Quickstart Prgram Descriptin ) This dcument includes all attached Annexes, is prvided fr infrmatinal purpses nly, and des nt in itself cnstitute

More information

Support Services. v1.19 / 2015-07-02

Support Services. v1.19 / 2015-07-02 Supprt Services v1.19 / 2015-07-02 Intrductin - Table f Cntents 1 Intrductin... 3 2 Definitins... 4 3 Supprt Prgram Feature Overview... 5 4 SLA fr the Supprt Services... 6 4.1 Standard Supprt... 6 4.2

More information

Trends and Considerations in Currency Recycle Devices. What is a Currency Recycle Device? November 2003

Trends and Considerations in Currency Recycle Devices. What is a Currency Recycle Device? November 2003 Trends and Cnsideratins in Currency Recycle Devices Nvember 2003 This white paper prvides basic backgrund n currency recycle devices as cmpared t the cmbined features f a currency acceptr device and a

More information

Introduction LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE. 2015 Savision B.V. savision.com All rights reserved.

Introduction LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE. 2015 Savision B.V. savision.com All rights reserved. Rev 7.5.0 Intrductin 2 LIVE MAPS UNITY PORTAL / INSTALLATION GUIDE 2015 Savisin B.V. savisin.cm All rights reserved. This manual, as well as the sftware described in it, is furnished under license and

More information

Data Protection Policy & Procedure

Data Protection Policy & Procedure Data Prtectin Plicy & Prcedure Page 1 Prcnnect Marketing Data Prtectin Plicy V1.2 Data prtectin plicy Cntext and verview Key details Plicy prepared by: Adam Haycck Apprved by bard / management n: 01/01/2015

More information

Junos Pulse Instructions for Windows and Mac OS X

Junos Pulse Instructions for Windows and Mac OS X Juns Pulse Instructins fr Windws and Mac OS X When yu pen the Juns client fr the first time yu get the fllwing screen. This screen shws yu have n cnnectins. Create a new cnnectin by clicking n the + icn.

More information