VCSATSP 100-100 Restricted Data Access Policy, Revision 4.0 (VCSATS Policy Number: VCSATSP 100-100)

DOCUMENT INFORMATION
VCSATS Policy Number: VCSATSP 100-100
Title: Restricted Data Access Policy
Policy Owner: Director Technology Services
Effective Date: 2/1/2014
Revision: 4.0

TABLE OF CONTENTS
DOCUMENT INFORMATION ... 1
TABLE OF CONTENTS ... 1
1. PURPOSE ... 2
2. SCOPE ... 2
3. RESPONSIBILITIES ... 2
4. REFERENCES ... 2
5. DEFINITIONS ... 3
6. POLICY ... 5
6.1 Management of this Policy ... 5
6.2 Proper Use ... 5
6.3 Administration and Configuration of Controls for Users and Technology Accessing Restricted Data ... 6
6.4 Device Security ... 8
6.5 Service Provider Management ... 8
7. ENFORCEMENT ... 8
8. COMPLIANCE REFERENCE INDEX ... 9
9. HISTORY ... 9

Page 1 of 9

1. PURPOSE
Unauthorized access, breach of confidentiality, loss of integrity, disruption of availability, and other risks threaten VCSATS resources. This policy protects VCSATS resources by establishing rules that reduce exposure of those resources to threats [45 C.F.R. 164.514(d)(2)(ii)].

2. SCOPE
This policy applies to all systems owned or maintained by Vice Chancellor Student Affairs that process, store or make readable Restricted Data.

3. RESPONSIBILITIES
TABLE 1 - ROLES AND RESPONSIBILITIES

Role: Director Technology Services
Responsibility: Review and approve changes to this document.

Role: Infrastructure Manager
Responsibility: Oversee the performance of this process. Ensure this document remains current and is updated whenever changes to the process occur. Ensure execution of duties described in sections 6.1 Management of this Policy, 6.3 Administration and Configuration of Controls for Users and Technology Accessing Restricted Data, 6.4 Device Security, and 6.5 Service Provider Management.

Role: Critical Technology Users
Responsibility: Adhere to this policy and related work instructions.

4. REFERENCES
TABLE 2 - REFERENCES

Reference: VCSATSP 100-010 Policy Guidance
Location: VCSATS Policy Center

5. DEFINITIONS
The terms and definitions found in VCSATSP 100-010 Policy Guidance, as referenced in section 4 References, shall apply, unless a term is expressly defined here. The scope of every term expressly defined in this section is limited to this document.

TABLE 3 - LOCAL DEFINITIONS

Term, Abbreviation, Acronym: Acceptable Network Location
Definition: Acceptable Network Locations include the VCSA network or approved technology for remotely accessing the VCSA network, including but not limited to VPN and Outlook Web App. Examples of using Critical Technology through unacceptable network locations include non-VCSA TS issued laptops/tablets/phones via public wifi, or accessing the Environment from a public computer outside of UCR grounds, buildings, and offices.

Term, Abbreviation, Acronym: Critical Technologies
Definition: Critical Technologies are those that access the Environment (as defined below). If a technology does not access the Environment, it is not considered Critical Technology. For example, removable electronic media that does not have access to the Environment is not considered Critical Technology. Examples of Critical Technologies include, but are not limited to, remote access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), smartphones, email, and the internet.

Term, Abbreviation, Acronym: Critical Technology Users
Definition: All personnel, including full-time employees, part-time employees, temporary employees/personnel, contractors, consultants, vendors and business partners who are resident on the UCR campus or otherwise have access to the Environment.

Term, Abbreviation, Acronym: Environment
Definition: For the purposes of this policy, Environment refers to any and all Restricted Data environments within VCSA.

Term, Abbreviation, Acronym: Remote Access
Definition: Network-level access originating from outside of the VCSA network.

Term, Abbreviation, Acronym: Service Provider
Definition: A third party or outsourced supplier with access to the Environment, or one that sends or receives Restricted Data as part of a service.

Term, Abbreviation, Acronym: User access to Restricted data
Definition: This term includes, but is not limited to, the following: use of Restricted data which meets the HIPAA definition of Limited Data Set; use of Restricted data; disclosure of Restricted data; requests for Restricted data.

6. POLICY

6.1 Management of this Policy
6.1.1 This policy shall be published to all users who access or may access Restricted Data, including but not limited to Critical Technology Users as defined in Table 3 - Local Definitions.

6.2 Proper Use
6.2.1 User access to Restricted data, as defined in Section 5, shall only be provided when all of the following conditions are met [45 C.F.R. 164.514(d)(2)(ii), 45 C.F.R. 164.514(d)(3), 45 C.F.R. 164.514(d)(5), 45 C.F.R. 164.514(e)]:
6.2.1.1 Access to the Restricted data is necessary for the user to perform assigned duties [45 C.F.R. 164.514(d)(2)(i)(A), PCI DSS 7.1].
6.2.1.2 Access to the Restricted data is based on conditions appropriate to such access [45 C.F.R. 164.514(d)(2)(i)(B)].
6.2.1.3 The conditional access to the Restricted data is documented and approved by the appropriate Privacy Officer, Managed Services Officer, and/or Data Owner.
6.2.1.4 The privileges necessary to access the Restricted data are documented and approved by the Infrastructure Manager, appropriate Privacy Officer, Managed Services Officer, and/or Data Owner.
6.2.2 Proper Use of Critical Technologies:
6.2.2.1 Critical Technologies must be used for VCSA business only. They may not be used for personal reasons.
6.2.2.2 Critical Technologies may not be shared. Examples of prohibited sharing include lending your phone to others if it is synced to the Environment, and allowing others to use your logged-in session without oversight.
6.2.2.3 Explicit approval must be provided by the Infrastructure Manager and any other authorized parties, with evidence vaulted, and the intended/acceptable user of the Critical Technology documented, prior to using Critical Technology [PCI DSS 12.3.1, PCI DSS 12.3.5]. This is to be done in a manner consistent with Section 6.2.1.

6.2.3 All copying, moving, and storage of cardholder data onto local hard drives and removable electronic media while remotely accessing the Restricted environment is prohibited unless explicitly authorized for a defined business need [PCI DSS 12.3.10 (a)].
6.2.4 Initiate sessions to the Restricted environment only when necessary. Terminate the session once there is no longer an immediate need to access the Restricted environment.
6.2.5 Devices must be screen-locked when leaving a workstation.

6.3 Administration and Configuration of Controls for Users and Technology Accessing Restricted Data
6.3.1 An access control system shall be in place for systems with multiple users to restrict access to Restricted data based on a user's job function and need to know, and shall be set to deny all unless specifically allowed, as follows [PCI DSS 7.1.4, PCI DSS 7.2]:
6.3.1.1 Access control systems shall be in place on all system components [PCI DSS 7.2.1].
6.3.1.2 Access control systems shall be configured to enforce privileges assigned to individuals based on job classification and function [PCI DSS 7.2.2].
6.3.1.3 Access control systems shall have a default deny-all setting [PCI DSS 7.2.3].
6.3.2 Users shall be assigned a unique ID before receiving access to system components or Restricted data [PCI DSS 8.1].
6.3.3 In addition to assigning a unique ID, one or more of the following methods shall be employed to authenticate all users, including but not limited to users of Critical Technology [PCI DSS 8.2, PCI DSS 12.3.3]:
6.3.3.1 Something the user knows, such as a password or passphrase.
6.3.3.2 Something the user has, such as a token device or smart card.
6.3.3.3 Something the user is, such as a biometric.
6.3.4 Group, shared, and generic accounts/passwords/other authentication methods are expressly prohibited [PCI DSS 8.5.8]:
6.3.4.1 Generic user IDs and accounts shall be disabled or removed.
6.3.4.2 Shared user IDs for system administration activities and other critical functions shall not exist.
6.3.4.3 Shared and generic user IDs shall not be used to administer any system components.

6.3.5 Controls shall be implemented to protect databases that access or store Restricted data.
6.3.5.1 All access to any database containing Restricted data shall be authenticated consistent with the full set of instructions in this policy. This includes access by applications, administrators, and all other users [PCI DSS 8.5.16 (a)].
6.3.5.2 All user access to, user queries of, and user actions on a database containing Restricted data shall be through programmatic methods only (for example, through stored procedures) [PCI DSS 8.5.16 (b)].
6.3.5.3 The ability for a user to directly access or query a database containing Restricted data shall be limited to database administrators [PCI DSS 8.5.16 (c)].
6.3.5.4 Application IDs with database access shall only be able to be used by the intended applications and not by individual users or other processes [PCI DSS 8.5.16 (d)].
6.3.6 Controls shall be implemented for Critical Technologies to protect Restricted data and environments as follows:
6.3.6.1 Use of Critical Technology must require authentication in a manner consistent with the full set of instructions in this policy [PCI DSS 8.3, PCI DSS 12.3.2].
6.3.6.1.1 Software and devices, including phones and laptops, must be configured to require a password to access the device.
6.3.6.1.2 Networks and systems must be configured to require two-factor authentication to remotely access the Environment.
6.3.6.1.3 Service accounts (non-human) are exempt from the two-factor authentication requirement.
6.3.6.2 Critical Technologies shall only be used with Acceptable Network Locations [PCI DSS 12.3.6].
6.3.6.2.1 Devices that have the ability to be configured to automatically connect to network locations shall be configured to disable automatic connection to network locations other than Acceptable Network Locations.
6.3.6.3 Sessions for remote access to the Environment shall time out after a period of inactivity [PCI DSS 12.3.8].
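The following is an added illustration, not part of the VCSATS policy, of how the database controls in 6.3.1.3 and 6.3.5 can be expressed as PostgreSQL role and privilege definitions: default deny, direct table access only for a DBA role, all user actions through a stored procedure, and an application ID that is a role of its own. The schema, table, role and function names are hypothetical and constructed for the example.

```sql
-- Hypothetical schema and table, constructed for this illustration.
CREATE SCHEMA restricted;
CREATE TABLE restricted.records (
    record_id  integer PRIMARY KEY,
    last_name  text NOT NULL,
    pan_token  text NOT NULL   -- tokenised reference, never the raw card number
);

-- 6.3.1.3: default deny. Nothing in the schema is reachable unless granted below.
REVOKE ALL ON SCHEMA restricted FROM PUBLIC;

-- 6.3.5.3: direct read/write of the table is limited to the DBA role.
CREATE ROLE dba_role NOLOGIN;
GRANT USAGE ON SCHEMA restricted TO dba_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON restricted.records TO dba_role;

-- 6.3.5.2: users act on the data only through a stored procedure.
-- SECURITY DEFINER runs the body with the owner's privileges, so callers
-- need no rights on the table itself; search_path is pinned so a caller
-- cannot redirect the lookup to an object of the same name elsewhere.
CREATE FUNCTION restricted.lookup_record(p_record_id integer)
RETURNS SETOF restricted.records
LANGUAGE sql SECURITY DEFINER
SET search_path = restricted, pg_temp
AS $$
    SELECT * FROM restricted.records WHERE record_id = p_record_id;
$$;
-- New functions are executable by PUBLIC by default; revoke that first.
REVOKE ALL ON FUNCTION restricted.lookup_record(integer) FROM PUBLIC;

-- 6.3.5.4: the application ID is a login role used only by the application.
-- Interactive users get a separate group role; each person has a unique
-- login (6.3.2) that is made a member of it.
CREATE ROLE app_service LOGIN PASSWORD '<placeholder-set-from-vault>';
CREATE ROLE restricted_user NOLOGIN;
CREATE ROLE jdoe LOGIN PASSWORD '<placeholder>';
GRANT restricted_user TO jdoe;
GRANT USAGE ON SCHEMA restricted TO app_service, restricted_user;
GRANT EXECUTE ON FUNCTION restricted.lookup_record(integer)
    TO app_service, restricted_user;

-- Check: only dba_role should report true for direct SELECT on the table.
SELECT rolname,
       has_table_privilege(rolname, 'restricted.records', 'SELECT') AS can_read_table
FROM pg_roles
WHERE rolname IN ('app_service', 'restricted_user', 'jdoe', 'dba_role');
```

The closing query is the evidence an auditor would ask for under 6.3.5.3: a row showing true for dba_role and false for every application and user role.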

6.3.6.4 Critical Technologies used by vendors and business partners to remotely access the Environment shall be activated only when needed and shall be immediately deactivated after use [PCI DSS 12.3.9].
6.3.6.5 Critical Technologies used by vendors and business partners to remotely access the Environment shall be monitored when in use [PCI DSS 8.5.6].

6.4 Device Security
6.4.1 A list of all Critical Technology shall be maintained, including [PCI DSS 12.3.3]:
6.4.1.1 All devices using or constituting Critical Technology [PCI DSS 12.3.3].
6.4.1.2 All personnel authorized to use the devices [PCI DSS 12.3.3].
6.4.2 All handheld devices using or constituting Critical Technology shall be enabled to automatically lock out after a long idle period [PCI DSS 9.1.3].
6.4.3 All handheld devices using or constituting Critical Technology shall be configured to require a password when powering on [PCI DSS 9.1.3].
6.4.4 All devices using or constituting Critical Technology shall be labeled in accordance with VCSATSP 100-170 Physical Security of Restricted Data [PCI DSS 12.3.4].

6.5 Service Provider Management
6.5.1 An agreement must be in place and approved in written form by UCR Purchasing and a director from either UCR C&C or VCSATS [PCI DSS 12.8.2].
6.5.1.1 The agreement must include an acknowledgement that the service provider is responsible for the security of Restricted Data in their possession [PCI DSS 12.8.2].
6.5.2 A list of service providers shall be maintained [PCI DSS 12.8.1].
6.5.3 Evidence of Service Provider compliance status shall be vaulted as required for [PCI DSS 12.8.4]:
6.5.3.1 PCI DSS
6.5.3.2 HIPAA
6.5.3.3 Other applicable regulatory or contractual requirements.

7. ENFORCEMENT
Any employee found to have violated this work instruction may be subject to disciplinary action.

8. COMPLIANCE REFERENCE INDEX
45 C.F.R. 164.514(d)(2)(i)(A) ... 5
45 C.F.R. 164.514(d)(2)(i)(B) ... 5
45 C.F.R. 164.514(d)(2)(ii) ... 2, 5
45 C.F.R. 164.514(d)(3) ... 5
45 C.F.R. 164.514(d)(5) ... 5
45 C.F.R. 164.514(e) ... 5
PCI DSS 12.3.1 ... 5
PCI DSS 12.3.10 (a) ... 6
PCI DSS 12.3.2 ... 7
PCI DSS 12.3.3 ... 6, 8
PCI DSS 12.3.4 ... 8
PCI DSS 12.3.5 ... 5
PCI DSS 12.3.6 ... 7
PCI DSS 12.3.8 ... 7
PCI DSS 12.3.9 ... 8
PCI DSS 12.8.1 ... 8
PCI DSS 12.8.2 ... 8
PCI DSS 12.8.4 ... 8
PCI DSS 7.1 ... 5
PCI DSS 7.1.4 ... 6
PCI DSS 7.2 ... 6
PCI DSS 7.2.1 ... 6
PCI DSS 7.2.2 ... 6
PCI DSS 7.2.3 ... 6
PCI DSS 8.1 ... 6
PCI DSS 8.2 ... 6
PCI DSS 8.3 ... 7
PCI DSS 8.5.16 (a) ... 7
PCI DSS 8.5.16 (b) ... 7
PCI DSS 8.5.16 (c) ... 7
PCI DSS 8.5.16 (d) ... 7
PCI DSS 8.5.6 ... 8
PCI DSS 8.5.8 ... 6
PCI DSS 9.1.3 ... 8

9. HISTORY
FogBugz Case(s): Description of Changes
1490: Create initial version of this Policy.
5323, 5324: Requested approval for version 1.0 of this policy. (Not Approved)
6795, 6796: Requested approval for version 2.0 of this policy.
8270, 8311, 8314, 8315, 8317, 8407, 8409, 8504, 8788: Added support for 45 C.F.R. 164.514, PCI DSS Requirements 7, 8, 9 and 12.
8916, 8917: Requested approval for version 2.0 of this policy.
15518: Added sections 6.2.4 and 6.2.5.
15878, 15979: Requested approval for version 4.0 of this policy.