Information Security Policy



Similar documents
PCI Data Security and Classification Standards Summary

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Payment Card Industry Compliance

Credit Card Security

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Information Technology

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Miami University. Payment Card Data Security Policy

Credit Card Handling Security Standards

TERMINAL CONTROL MEASURES

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Viterbo University Credit Card Processing & Data Security Procedures and Policy

Policy for Protecting Customer Data

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

LSE PCI-DSS Cardholder Data Environments Information Security Policy

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Policies and Procedures

CREDIT CARD PROCESSING & SECURITY POLICY

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Appendix 1 Payment Card Industry Data Security Standards Program

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Standards for Business Processes, Paper and Electronic Processing

PCI Data Security. Information Services & Cash Management. Contents

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Cyber Self Assessment

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Accepting Payment Cards and ecommerce Payments

CREDIT CARD PROCESSING POLICY AND PROCEDURES

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

New York University University Policies

Third-Party Access and Management Policy

BERKELEY COLLEGE DATA SECURITY POLICY

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Montclair State University. HIPAA Security Policy

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

HIPAA Security Alert

Data Management Policies. Sage ERP Online

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

SECURITY POLICIES AND PROCEDURES

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI DSS Requirements - Security Controls and Processes

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Payment Card Industry (PCI) Compliance. Management Guidelines

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

Virginia Commonwealth University School of Medicine Information Security Standard

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Observations from the Trenches

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Payment Card Industry Self-Assessment Questionnaire

Did you know your security solution can help with PCI compliance too?

MUSC Information Security Policy Compliance Checklist for System Owners Instructions

Newcastle University Information Security Procedures Version 3

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Becoming PCI Compliant

Dartmouth College Merchant Credit Card Policy for Processors

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

HIPAA Information Security Overview

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

Computing Services Information Security Office. Security 101

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

Transcription:

Information Security Policy

Contents Version: 1 Contents... 1 Introduction... 2 Anti-Virus Software... 3 Media Classification... 4 Media Handling... 5 Media Retention... 6 Media Disposal... 7 Service Providers... 8 1

Introduction Definitions Media documents, files, or data, both on paper and electronic. Assets Minnesota Section American Water Works (MNAWWA) owned computers, servers, storage devices, applications, websites, or anything else that can store media. User A person operating or handling MNAWWA owned assets or media. Service Provider Any other company that has access to cardholder information or has influence over the security measures to keep that information safe. Scope This policy applies to MNAWWA volunteers, employees, third-parties, service providers, contractors, and temporary employees. This policy applies to all systems, applications, and electronic equipment owned, borrowed, or leased by MNAWWA and all MNAWWA locations where cardholder data is present. Distribution This policy is to be distributed to all MNAWWA volunteers, employees, contractors, and service providers. Also, this policy is to be distributed to any third party that is granted access to MNAWWA assets or media. Responsibilities Users are required to: Follow MNAWWA policies at all times. Acknowledge their agreement with this Information Security Policy before first accessing MNAWWA s assets or media. Safeguard MNAWWA s assets and media per the policies within this Information Security Policy. Report any deviation from this Information Security Policy to the executive board immediately. IT Committee is required to: Implement and maintain security controls for electronic assets. Secretary/Treasurer is required to: Monitor and control access, transmission, storage, and destruction of media. Monitor PCI compliance status of service providers. Review and update this Information Security Policy. Executive Board is required to: Take ultimate responsibility for information security management and for safeguarding MNAWWA s assets and media. Respond to reported deviations from this Information Security Policy. Approve updates or changes to this Information Security Policy. Review Schedule This policy is to be reviewed and updated annually by the Secretary/Treasurer and approved by the Executive Board. 2

Anti-Virus Software Deployment Anti-virus software must be deployed on all MNAWWA owned or leased servers, computers, and gateways which are considered to be those commonly affected by viruses. The anti-virus software should be an up to date/current enough version that it protects against spyware and adware. Configuration Configuration of the software must follow the vendor-provided guidance and standards, with exceptions reviewed and approved by the IT Committee. The software should be configured so that users cannot disable or tamper with it. Automatic updating should be enabled. Scanning Anti-virus software should be set to scan in auto-protect mode to automatically scan new files in creation, incoming and outgoing email attachments, and downloaded files. A full computer scan should be set to be performed at least weekly. Logging Anti-virus event logs are to be generated and retained for at least 365 days. These logs should contain dates of scans performed and incidents found. Responsibilities The IT Committee is responsible for training users on how to prevent, detect, and respond to an incident which may be related to a virus. Specifically, users should know not to click on an attachment from an unknown person and how to identify if their system is running slow or acting up. Users are to report suspected incidents to the IT Committee. 3

Media Classification Classification Any media which contains cardholder information or other sensitive information should be labeled as <Confidential>. Other sensitive information includes social security numbers and passwords. Handling Once the media has been classified, it is to be transmitted, processed, used, and/or stored following the methods outlined in the Media Handling Policy. Incident Response Should <Confidential> media be intentionally or unintentionally accessed, viewed, or used by an unauthorized party, the executive board must be notified and respond to the incident. Requests for Access to Confidential Media The Secretary/Treasurer is ultimately responsible for individuals and applications that have access to MNAWWA media, and is to review the access permissions to confidential media on an annual basis. Awareness MNAWWA volunteers are to be trained and made aware of the media classification and handling requirements. Those who have business requirements to view, access, and use <Confidential> media are to receive specialized training on how to properly handle such items. 4

Media Handling Cardholder Data Cardholder data may never be transmitted electronically using any end-user methodologies, such as e- mail, unless specifically approved by the Secretary/Treasurer for a valid business need. If required to transmit cardholder data, it must be in unreadable format (for example, encrypted, masked, truncated). Users may also not store cardholder data without specific approval to do so from the Secretary/Treasurer at which point it must also be retained in a protected format. Handling Requirements for Media Labeled as <Confidential>: Access: Business need-to-know only. Must be approved by Secretary/Treasurer. Non-Disclosure (NDA): MNAWWA third-parties, contractors, and volunteers may only access this media after signing a NDA. Email: Only individuals approved by the Secretary/Treasurer to transmit this media by email may do so, and then only if the email and its attachments are approved using a MNAWWA-approved encryption method. A receipt request should be used or requested. Internet: This media may never be posted/communicated via the internet. This includes posting to websites or using internet messaging technologies. Fax: The person sending the fax with this media is required to be present at the fax machine to verify that it has been sent and is not stored in the memory. A receipt request should be used or requested. External Mail: This type of media is to be packaged in a secure manner and delivered by a commercial delivery service which can be tracked. A return receipt should be used or requested, such as a delivery signature. The Secretary/Treasurer must be notified prior to mailing. Printing: This type of media should not be printed unless absolutely needed for business purposes, and after approval from the Secretary/Treasurer. Print Storage: Printed media of this type is required to be within eyesight or within possession at all times, or locked up in a secure manner or location. Electronic Storage: Stored media of this type may not be retained in a readable electronic format and is to be truncated, masked, or encrypted using a MNAWWA-approved method. This includes media storage on computers, servers, backup tapes, etc. Logs: The Secretary/Treasurer must maintain a list of all individuals that have been granted access to this type of media. Also, the Secretary/Treasurer must log all changes of physical location for this type of media. 5

Media Retention Retention of Cardholder Data Cardholder data should only be retained for the minimum length of time needed for processing. Retention of Sensitive Authentication Data Sensitive Authentication Data (the magnetic strip, PIN blocks, CVV) may never be stored after authorization, unless there is a specific business need to retain this data. The PCI Data Security Standards have specific requirements for what comprises a business need for the retention of this data. The Sensitive Authentication data may be retained prior to authorization, but must be safeguarded following the requirements outlined for Confidential data in the Data Handling Policy. Retention Periods Cardholder data is to be destroyed when it is no longer needed for business or legal reasons. A review of media is to be conducted quarterly to determine if any cardholder data still needs to be destroyed. If cardholder data is to be retained after processing, it must be assigned and labeled with a specific retention time. Other confidential media should be assigned specific retention times based on legal and regulatory requirements. A review of all confidential media is to be conducted annually to determine if any data still needs to be destroyed. Responsibilities The Secretary/Treasurer is ultimately responsible for ensuring that confidential media is not retained past the defined retention periods and for performing reviews of retained media to determine if any media needs to be destroyed. 6

Media Disposal Disposal Requirements for Electronic Media Labeled as <Confidential>: Hard drives and other electronic storage devices containing <Confidential> files are to be securely wiped using an industry-strength wiping tool or reformatted prior to being transferred to another party. If the storage device is not going to be reused, it should be physically destroyed in addition to taking the extra precaution of being securely wiped. Users should be made aware of the importance of safely destroying and deleting this data. Cardholder data must be securely erased when it is no longer needed (see Media Retention Policy). Disposal Requirements for Printed Media Labeled as <Confidential>: Printed documentation labeled as <Confidential> must be shredded using a cross-cut shredder. Anyone handling documentation with sensitive information must have such a shredder located nearby or a locked bin if a third-party is used to pick up the documentation for shredding. These documents are to be securely retained up to their destruction. Third-party vendors used to shred documentation must have provided a signed Non-Disclosure Agreement and agree to MNAWWA s terms and conditions of protecting the sensitive data. Users should be made aware of the importance of safely destroying these documents. Cardholder data must be securely erased when it is no longer needed (see Media Retention Policy). Responsibilities The Secretary/Treasurer is ultimately responsible for ensuring that electronic and printed media is disposed of in a secure manner. Third-Parties Third-parties must receive a copy of MNAWWA s data labeling, handling, retention, and disposal policies and follow them. Periodic checks should be made by MNAWWA to ensure that the third-party does not violate the policies. 7

Service Providers List of Service Providers Company Name Date of Initiation Date of PCI Verification Yourmembership.com 07/2014 10/16/2014 Bluepay 07/2014 10/16/2014 Engagement of Service Providers Prior to the use of a service provider, a review and risk assessment of the service provider will be conducted by the MNAWWA executive board. This review will include verifying the service provider s PCI compliance status, reviewing security policies, collecting feedback from other users, and conducting a verbal interview with a qualified employee of the service provider. Agreement A written agreement must be obtained from each service provider that establishes their responsibility for the security of cardholder data that is in their possession prior to use of that service provider. Monitoring The PCI compliance status of each service provider listed above must be checked annually by the Secretary/Treasurer. The date of PCI verification in the above list must be updated. If a service provider is out of compliance with PCI requirements when checked, use of that service provider must be terminated. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information