Third-Party Access and Management Policy

Version   Date         Change/s                 Author/s       Approver/s
1.0       01/01/2013   Initial written policy   Kyle Johnson   Dean of Information Services; Executive Director for Compliance and Personnel Services

Introduction

Threats can be introduced to Chaminade's environment simply by connecting a third-party that does not have effective security practices and controls in place. Should an attacker penetrate the third-party's network, they may route their way through the connected third-party into Chaminade's network. In some cases, third-parties have privileged access (meaning they have direct access to cardholder data in the production environment), so an attacker who compromises such a third-party gains that same unauthorized access to the cardholder data environment. Chaminade's cardholder data environment includes all systems, applications, equipment, individuals, locations, and connections used for, and involved with, the transmittal, processing, and/or storage of cardholder data. Should an unauthorized user obtain access to Chaminade's network via this route, they may do so under the pretence of being the third-party and therefore potentially penetrate systems, applications, and other networks unnoticed to gain additional access to sensitive data. This can lead to a security breach, causing harm to Chaminade's finances, operations, and brand name.

A third-party, in Payment Card Industry (PCI) terms, may transmit, process, and/or store cardholder data on behalf of Chaminade, but may also be connected to perform non PCI-related functions. Therefore, it is important to safeguard Chaminade from attackers masquerading as an authorized third-party, and to proactively validate the security controls and practices in place at connected third-parties.

There are several types of third-parties, the most common being resellers, point of sale (POS) providers, Information Technology support companies, software application developers and vendors, shopping cart vendors, off-site storage vendors, data center and Web hosting providers, and Service Providers (those companies which transmit, process, and store cardholder data on Chaminade's behalf). Chaminade maintains primary relationships with point of sale providers, off-site web hosting providers, and shopping cart vendors for the purpose of providing credit card transaction processing.

Purpose

This Third-Party Access and Management Policy details the requirements for the evaluation, connection, compliance, and management of third-parties connected to Chaminade's cardholder data environment.

Scope

This policy applies to Chaminade employees, third-parties, service providers, contractors, temporary employees, and/or other staff members at Chaminade with responsibilities for maintenance and management of the cardholder data environment at Chaminade, whether conducting activities on Chaminade premises or off-site. This policy applies to all systems, applications, and equipment owned and/or leased by Chaminade, whether located on Chaminade premises or off-site, where cardholder data is present.

Distribution

This policy is to be distributed to all those with responsibilities for maintenance and management of the cardholder data environment at Chaminade, including Chaminade employees, third-parties, service providers, contractors, temporary employees, and/or other staff members. The most current version of this policy is to be readily available and accessible from the Chaminade portal under Administration -> Policy Manuals.

Exceptions

There are currently no exceptions to this policy. Requests for exceptions may be submitted by email to the Dean of Information Services for review and approval.

Violations

Individuals found to have violated this policy, whether intentionally or unintentionally, may be subject to disciplinary action and possible termination of employment.

Review Schedule

The next scheduled review date is December 1, 2013. The review is to be performed by the Dean of Information Services and approved by the Dean of Information Services and the Executive Director for Compliance and Personnel Services.

Policy

Assessment of Risk

Third-parties must be given a risk assessment prior to being connected to the Chaminade cardholder data environment. No third-party may be connected to the Chaminade environment prior to receiving this assessment. Should a third-party that has not received this risk assessment currently be connected, the risk assessment is to be performed before they may be reconnected. This assessment is to include discovery of threats that may lead to potential vulnerabilities, and a review of any support contract. Once the review has been performed, the third-party is to close the gaps found, and the remaining findings and description of residual risk are to be reviewed and accepted by the Dean of Information Services.

Compliance with the PCI Data Security Standard (PCI DSS) is required for all Level 1 connected third-parties. These entities must have been assessed on-site by a Qualified Security Assessor (QSA), have a Report on Compliance accepted by either their acquiring bank or VISA, and have passing quarterly external vulnerability scans. Level 2-4 connected third-parties may perform a self-assessment and may be required to have passing quarterly external scans, depending on instruction from their acquiring banks. Should the connected third-party provide evidence of a passing annual PCI compliance assessment, they are not required to have a separate risk assessment performed. Level 1 connected third-parties may provide Chaminade with their acceptance letter from their acquiring bank or VISA as well as their Attestation of Compliance (AoC). Level 2-4 third-parties may provide their Self-Assessment Questionnaire (SAQ) and external scan results (if performed).

Network Diagram

A network diagram is to be maintained which accurately depicts all connected third-parties, along with networking equipment, systems, applications, wireless networks, and other applicable components of the cardholder data environment.

List of Third-Parties

Chaminade is to maintain a current list of connected third-parties with details of whether they have direct access to the cardholder data environment. This list is to clearly denote which third-parties have privileged access so that special attention may be paid to them during session monitoring. The list is also to include each third-party's PCI compliance status and its date, and whether that status was accepted by their acquiring bank or VISA or rests on a completed SAQ (whichever is applicable to their Level as defined above).

PCI Compliance Status

The PCI compliance status of connected third-parties is to be reviewed annually. All third-parties with direct access to the cardholder data environment must obtain PCI compliance or have an official exception granted by their acquiring bank or VISA. Should a third-party with privileged access not have obtained this compliance status, they are to document in writing their efforts toward doing so together with the target completion date. Chaminade is to monitor the compliance efforts of these third-parties.

Terms and Conditions

All connected third-parties are to sign a Non-Disclosure Agreement (NDA). Contracts with Service Providers are to contain terms and conditions, as well as an agreement to safeguard Chaminade's cardholder data in all its formats from generation to destruction, and are to be signed by the third-party prior to connection to Chaminade's network. No third-party may be connected to the Chaminade environment prior to signing their agreement with Chaminade's terms and conditions. Should a third-party that has not signed their agreement currently be connected, they are required to do so before they may be reconnected. Terms and conditions should include, but are not limited to, the third-party's obligation to:

- Protect Chaminade's cardholder data and environment.
- Follow Chaminade's policies and procedures at all times, unless there is specific approval from the Dean of Information Services.
- Use only Chaminade-approved security controls and practices.
- Communicate any suspected compromise of third-party systems connected to Chaminade's cardholder data environment.
- Escalate suspected breaches and incidents to Chaminade within 8 business hours.
- Retain and dispose of electronic and paper cardholder data media in a secure manner.
- Comply with federal and industry laws and regulations.
- Train individuals with access to Chaminade systems and data on effective safeguard measures.
- Maintain security awareness amongst personnel.
- Conduct criminal background checks on all individuals with access to Chaminade's network, systems, and data. Background checks are to be performed prior to granting individuals access.
- Remove access permissions immediately upon termination of the individual.
- Maintain appropriate access control methods, including two-factor authentication for remote access.
- Only attempt to connect to Chaminade's cardholder data environment during authorized periods, and disconnect when the work is completed.
- Permit Chaminade to perform periodic reviews, and forensic investigations upon the Dean of Information Services' determination.
- Physically and logically segregate Chaminade systems, networks, and data from those belonging to any other clients.
- Implement logging and audit trail requirements.
- Notify and obtain agreement from Chaminade prior to outsourcing work to other third-parties.

Change Management

Any changes made by the third-party to their security controls and practices, as well as organizational process changes, must be communicated to Chaminade. Chaminade is to review the change for its potential impact on Chaminade. This is to help protect against the possibility of inadvertently introducing open avenues for attack. Once the review has been performed, the change documentation and description of any residual risk resulting from the third-party performing the change are to be reviewed and accepted by the Dean of Information Services. The Third Party Change Documents must be used to track changes from their initial request stage, through review, to documentation of residual risk, to approval by the Dean of Information Services.

Any system or application changes with impact on Chaminade are to be tested by the third-party in a test environment prior to being placed into the production environment.

Event Management and Response

Logs for Chaminade systems, applications, and equipment managed by third-parties are to be generated, reviewed, and maintained to provide an audit trail. Logs are to be synced to a safeguarded central location. Incidents, whether suspected or actual, are to be reported to Chaminade within 8 business hours so they may be responded to in accordance with the Incident Response Plan. The third-party's role in incident response and containment should be clearly defined.

Security Awareness

Training is to be provided by the third-party at a level appropriate to each individual's function. Individuals with access to Chaminade's cardholder data environment are to be provided with more detailed training upon hire and then on an annual basis, with a focus on the protection of Chaminade's cardholder data environment and on technical training. Other company individuals are to receive general security awareness training upon hire and then annually.

Background Checks

Criminal background checks (within the constraints of local laws) are to be performed by the third-party on each individual with access to Chaminade's cardholder data environment. Background checks should be nation-wide in scope, or at the very least cover each state the individual has resided in.

Access Controls

Access to Chaminade's cardholder data environment is to be limited to only those individuals with a business need-to-know. Individual authentication, meaning a unique userid and unique password, is to be used. Remote access may only be performed using a secure network protocol, such as SSH, and users must use two-factor authentication (in addition to their userid, the user must present something they have and something they know). Password management is, where feasible, to follow the password requirements for other institutional systems.

Monitoring and Managing Third-Party Access

Third-party access may only be permitted with prior authorization from the Director of Business Services, and is to be disconnected immediately after use. The Director of Business Services or a designated proxy is to monitor the access at all times. In some cases, access is granted to third-parties on a 24/7/365 basis. These types of access should be approved by the Dean of Information Services prior to access being granted, and the Director of Networking and Systems is to periodically monitor the connection without prior notification to the third-party.

The third-party may not attempt to access Chaminade's cardholder data environment without prior authorization at any time, and doing so may result in the initiation of the incident response plan.

Segregation

The third-party is to logically and physically separate Chaminade's systems, network, and data from those of any other clients (if applicable). There may not be any shared environments without the explicit permission of Chaminade.