ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster



Similar documents
TASK TDSP Web Portal Project Cyber Security Standards Best Practices

IBX Business Network Platform Information Security Controls Document Classification [Public]

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Data Management Policies. Sage ERP Online

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Supplier Information Security Addendum for GE Restricted Data

Payment Card Industry Data Security Standard

Client Security Risk Assessment Questionnaire

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Security Controls for the Autodesk 360 Managed Services

SUPPLIER SECURITY STANDARD

Payment Card Industry Self-Assessment Questionnaire

RL Solutions Hosting Service Level Agreement

Fortinet Solutions for Compliance Requirements

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Managing internet security

Central Agency for Information Technology

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

PCI Data Security and Classification Standards Summary

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Ohio Supercomputer Center

White Paper: Librestream Security Overview

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

University of Pittsburgh Security Assessment Questionnaire (v1.5)

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

PCI DSS Requirements - Security Controls and Processes

Fundamentals of Network Security - Theory and Practice-

INFORMATION SECURITY PROGRAM

GFI White Paper PCI-DSS compliance and GFI Software products

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Projectplace: A Secure Project Collaboration Solution

Privacy + Security + Integrity

Did you know your security solution can help with PCI compliance too?

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

The Protection Mission a constant endeavor

HIPAA Security Alert

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

FormFire Application and IT Security. White Paper

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

FINAL May Guideline on Security Systems for Safeguarding Customer Information

CITY OF BOULDER *** POLICIES AND PROCEDURES

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Passing PCI Compliance How to Address the Application Security Mandates

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Data Security Incident Response Plan. [Insert Organization Name]

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

How To Audit The Mint'S Information Technology

Supplier Security Assessment Questionnaire

Cyber Self Assessment

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

PCI Data Security Standards (DSS)

Guideline on Auditing and Log Management

Miami University. Payment Card Data Security Policy

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Controls for the Credit Card Environment Edit Date: May 17, 2007

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

System Security Plan University of Texas Health Science Center School of Public Health

74% 96 Action Items. Compliance

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Tenzing Security Services and Best Practices

How To Ensure The C.E.A.S.A

Information Technology Security Standards. Effective Date: November 20, 2000 OFM Guidelines for Economic Feasibility Revision Date: January 10, 2008

CHIS, Inc. Privacy General Guidelines

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

BKDconnect Security Overview

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Supplier IT Security Guide

Guide to Vulnerability Management for Small Companies

DATA SECURITY AGREEMENT. Addendum # to Contract #

A Rackspace White Paper Spring 2010

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

SRA International Managed Information Systems Internal Audit Report

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

LogRhythm and PCI Compliance

Consensus Policy Resource Community. Lab Security Policy

FINANCIAL SERVICES Model Cybersecurity Contract Terms and Guidance for Investment Managers to Manage Their Third-Party Vendors

March

Securing the Service Desk in the Cloud

Security Management. Keeping the IT Security Administrator Busy

SecureAge SecureDs Data Breach Prevention Solution

Transcription:

Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii) protect against the accidental or unauthorized use, destruction, access, disclosure or alteration of Customer Content in the possession or under the management of Symantec as provided under the Services (the Security Standards ). The Symantec Network means Symantec s own data center facilities, servers, and networking equipment/software involved in hosting Customer Content or Data that are under Symantec s reasonable control and are used to provide the Services. The Security Standards will be substantially equivalent to the generally accepted security standards in the IT industry for hosted services similar to Symantec s archiving services. Symantec will conform to the Security Standards during the Term of this Agreement, including the Security Standards in this Appendix to the Agreement. Symantec may modify its Security Standards under the Agreement for the Services only upon mutual written consent. 1. Logical Access Control To enable compliance with Customer s access security control requirements, Symantec shall commit and adhere to: (a) access controls protect all passwords or access codes assigned to Symantec by Customer (c) change passwords immediately upon receipt and every ninety (90) days using complex passwords prompt removal of logical access privileges for Symantec staff no longer involved in processing Customer data. 2. Change Control Reliably developing, testing and documenting each change according to Symantec change management and control standards, procedures and processes associated with a given Service, while maintaining logical integrity of data, programs and audit trails 3. Back-up and Recovery

Comply with Customer requirements and industry best practices for back-up and recovery, Symantec shall: (a) deploy appropriate data protection measures, including the placement of data files in secure off-site storage as back-up files, replication of data to other secure DR site, or other to enable efficient system recovery ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster (c) have a documented disaster recovery plan in place for the Services and test it annually. 4. Staff Accountability Symantec shall: (a) use Customer information processed on Symantec systems only for purposes explicitly approved by Customer, except, Symantec may use certain information obtained from the Services, once anonymized ( Anonymized Information ) for the following purposes: (a) preparing and distributing statistical reports related to security trends and data patterns; distributing Anonymized Information to Symantec customers, in compiled or original formats, for the purposes of providing computer security information; and/or (c) analysis; internal research, product or services development, system improvements, marketing purposes, or for providing general security related services. Anonymized Information shall not include personal information or any information that could identify Customer certify that all devices, used by Symantec employees and/or by its contractors and connected to Customer s processing environment, are and will continue to be in compliance with the following requirements: the most current security patches applicable to all operating systems and software on the device must be applied and be up to date within thirty (30) days of patch release, the device must have industry-standard anti-virus and

anti-spyware software installed, running and updated with the latest signature file, an industry-standard personal firewall product must be installed and active on the device. 5. Server Security To enable the integrity, confidentiality and availability of any and all servers used to process Customer information and/or data and to mitigate the threat, risk and impact of external or internal misuse and/or abuse of server platforms, Symantec agrees to: (a) Restricting employee access to servers and any related systems on a need-to-know / need-to-use business-only basis Protecting all server access, at a minimum, by a combination of User ID and secret password (c) Changing all factory pre-set server passwords before commencement of processing and changing them thereafter every ninety (90) days or more frequently (e) (f) (g) Ensuring that servers are housed in physically secured areas Hardening of all servers used to process, store and/or transmit Customer data and/or information with such hardening to include, but not be limited to, the removal of all privileges and services, except those that are essential for the performance of the operations for which the servers were installed Deploying server security scanning tools to periodically report on the status of each server and verify that all settings, parameters and options are in accordance with the agreed upon hardened state for that device and to detect unauthorized changes from the approved server configuration baseline Retain for a total of fifteen (15) months (three (3) months online and an additional twelve (12) months offline on tape) the following Services specific logs: application logs, Windows security event logs, Intrusion detection system logs, SQL database logs, Firewall logs, Load Balancer logs, Routers/switches logs, IIS web server logs, DNS

server logs, Symantec Endpoint Protection logs. [Pending confirmation. (h) Reviewing all server security controls defined above on a periodic basis (at least once per year) to enable that they are still in effect. 6. Security of Databases and Data Files To enable the integrity, confidentiality and general security of any and all databases and data files used to store Customer information and/or data, Symantec shall commit and adhere to: (a) Storing Customer Confidential information (e.g. passwords, customer data, etc.) in an encrypted format Storing all database servers, data file servers and repository devices containing Customer data in a physically secured area (c) Restricting all physical and logical access to databases, data files and their resident information and/or data and any systems or network components relating to the processing of transactions on a need-toknow / need-to-use business-only basis (e) (f) (g) (h) Protecting all access to databases and data files using, at a minimum, a combination of user ID and secret password Changing all factory pre-set passwords for databases before commencement of processing and changing them thereafter every ninety (90) days or more frequently Logging all database and data file access activities and storing this activity data in an appropriate manner for a minimum period of ninety (90) days Logging all transaction data activities and storing this activity data in an appropriate manner for at least ninety (90) days from the date of the transactions Handling all back-up copies of all database and data file records according to stringent safe-keeping measures and access controls,

with such controls identical or similar to those employed for the primary database or data files (i) (j) (k) Deploying database security scanning tools to periodically review database configurations and enable compliance with Symantec expected base configurations Deleting and destroying all instances of any and all Customer information and/or data and related printed matter to enable that transaction and other data cannot be recovered by unauthorized persons in accordance with Symantec s internal policies Reviewing all database security controls defined above on a periodic basis (at least once per year) to enable that they are still in effect. 7. Network Security To mitigate the threat, risk and impact of system and/or network intrusion, abuse or misuse, Symantec shall commit and adhere to: (a) The installation, configuration and activation of a comprehensive, intrusion protection system to continuously prevent, detect and report the occurrence of detected unauthorized network attacks against its systems, such as, but not limited to, penetration attempts, denial of service attacks and excessive probing (c) Installing network firewalls between servers and public network facing gateways to screen out communication protocols not required for processing Internet traffic Logging all firewall and gateway activity and storing such activity data in an appropriate manner for a minimum period of twelve (12) months in accordance with Symantec s policies The protection of data from unauthorized disclosure while in transit through public networks to Customer, or its authorized agents, or its customers, to enable the security of any Bank-owned or Bankrelated data (e) The application of cryptographic techniques, using Secure Sockets

Layer (SSL) Version 3.0 for mutual certificate authentication (Client to Server or Server to Server) and a minimum key length of 128 bits or an equivalent industry-standard cryptographic technique. 8. Protection against Malware To mitigate the threat, risk and impact of computer viruses, worms, Trojan horses and other malicious types of software, collectively called malware, Symantec shall commit and adhere to: (a) The installation, configuration, activation and currency of a comprehensive,, anti-virus and anti-spyware program, The installation of such anti-virus and anti-spyware software on any and all servers, devices, laptops and workstations that process or store transactions and any other Customer data covered by this Agreement, (c) The configuration of such software to automatically invoke on startup and run interactively on a continuous basis on all devices where installed, 9. Security Vulnerabilities and Installation of Security Patches To mitigate the threat, risk and impact of system and/or network security vulnerabilities, Symantec shall commit and adhere to: (a) The development and deployment of a process to continually monitor reliable sources for advisories on emerging security vulnerabilities (c) The identification of specific vulnerabilities that may impact operating environments or platforms used by Symantec on behalf of Customer An assessment of the criticality of the vulnerability in relation to overall operations to determine the appropriateness of installing the associated security patch applicable to the Services testing and installation of required security patches in a timely manner.

10. Problem Alert and Escalation and Security Incident Management To enable appropriate levels of problem alerting and escalation and timely management of security-related incidents, Symantec shall commit and adhere to: (a) The implementation, maintenance and compliance with Symantec documented problem alert and escalation procedures and Promptly notifying Customer, in person or by phone, of a confirmed breach affecting Customer s data that results in a comprise of such data. [Pending confirmation] 11. (a) Symantec will make available TLS encryption such that data sent by Customer gateways top any host outside Customer will be encrypted. The control of enforcing the encrypted connection shall be maintained by Customer. Data at rest will be encrypted as stated above and in the Services Description. Such encryption method must use an encryption key or keys that are unique to Customer and different from any other Symantec customers. The private portion of the encryption keys must not be stored on disks without strong cryptographic protections.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information