The Interdependence Project Security Policy


Executive Summary

Vision and Philosophy

The Interdependence Project puts securing our donors' and event and class participants' personal data as one of the company's highest priorities. We understand that every time we are provided with credit card and bank account information, or other sensitive personally identifying information, they trust that we will protect it, and this policy is designed to ensure that this trust is not misplaced. The foundation of our information security program is a set of strong policies that are in balance with business operational needs.

Security Environment

The Interdependence Project utilizes your data to deliver products and services to our donors and event or class participants. Accordingly, all of your information, including cardholder data as well as other sensitive information, will be protected by all staff, contractors, partners and service providers in accordance with well defined policies and procedures. The Interdependence Project will operate on the security principle that "that which is not explicitly allowed is explicitly denied." Attempts by anyone to access, monitor, use or share information that is not explicitly allowed to them by our security program will be considered a security violation. Further, access to sensitive information will be permitted on a need-to-know basis, such that employees have access to only those data and systems required to perform their assigned jobs. We will deploy systems, processes, policies and training to protect our mission critical data assets and privacy. Most important, we will monitor and enforce compliance with our policies.

Vendor Management

Vendors, partners and other third parties will be required to comply with the same standards established for The Interdependence Project staff. All vendors storing or otherwise accessing our donors' and event or class participants' cardholder data must provide proof of PCI DSS compliance.

Sanctions for Policy Violation

Failure to comply with security policies and guidelines may result in disciplinary action by The Interdependence Project depending upon the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s). Each situation will be judged on a case-by-case basis. Sanctions may include termination of employment and/or referral for criminal or civil prosecution, warnings, or additional security awareness training. There is no requirement for advance notices, written or verbal warnings, or probationary periods.

Information Classification, Storage and Destruction

All The Interdependence Project information is categorized into two main classifications: Public and Confidential. Public information, such as advertising and marketing materials, is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to The Interdependence Project. Confidential comprises all other information, such as sales data, addresses, employee files, etc., that should not be made available outside the company. A subset of confidential information is Critical Confidential information, which should be restricted to need-to-know access only, such as trade secrets, financial, technical, and personnel information, and other information integral to the success of the company. Sales authorizations containing credit card numbers and CVV2 codes or bank account numbers (PANs), and PANs provided to employees in the course of entering a telephone transaction, fall into the Critical Confidential information category.

The Interdependence Project personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. Critical Confidential information will be stored in a limited access area (i.e. a locked file drawer or safe), and only those employees with a need to know will be provided access to that information. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their manager.

Under no circumstances is a CVV2 code to be stored, even in paper format. If provided on a paper authorization form, after the transaction is successfully processed, it is to be redacted on all stored documents. When Critical Confidential information in paper form need no longer be stored for any operational or regulatory reason, it must be disposed of via cross-cut shredding or incineration. Any digital information in the Critical Confidential category, whether on tape, CD/DVD, or located on a computer hard drive, will be completely erased and rendered unreadable by commercially reasonable methods. (As The Interdependence Project has contracted with a third party for all storage of PANs, none will be stored by the company in digital form.) When feasible, non-critical Confidential information should be disposed of in the same manner.

Payment Processing System

The Interdependence Project utilizes a web-based SaaS system provided by PaySimple, a PCI DSS certified payment processing service provider, for all payment-processing functions. All credit card and ACH transactions, whether authorized over the phone, in writing via mail, or online, are transmitted, processed and stored via the PaySimple Solution system. Telephone and online transactions are directly entered into the system. Mailed transactions are entered into the system, and the paper authorization form is then stored in a secure locked cabinet or safe for only as long as required by business operational needs. In no circumstances are PANs stored electronically for any reason; secure storage is completely relegated to the PaySimple system. The Interdependence Project employees have access to the PaySimple system for processing payments and reporting but never have access to un-encrypted credit card or bank account numbers. Each user is granted system access permissions based on the minimum functionality required to perform job responsibilities. During the course of performing their job responsibilities, telephone sales representatives will have access to full credit card numbers, billing addresses, and CVV2 codes. Telephone operators are expressly directed to enter this information directly into the PaySimple system and are never to record any PANs or CVV2s on paper, nor to repeat or otherwise transmit this information to any third parties.

Access Controls

The Interdependence Project employees will be granted access to sensitive company data and any archived authorizations or reports containing card data or other confidential information on a need-to-know basis. Access to payment processing systems and other company applications will also be granted on the basis of the minimum level required to perform assigned job responsibilities.

Key Access Control Provisions

- Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
- A payment processing system Administrator will be responsible for issuing user accounts, provisioning user account permissions and processing limits, and monitoring system usage.
- Access to the PaySimple Solution payment processing system will be by individual username and password.
- Usernames and passwords must not be shared by users; passwords must be at least 8 alphanumeric characters and should not be written down.
- Passwords will expire every 90 days and must be unique over any 360 day period.
- User accounts will be locked after 5 consecutive failed logins.
- Any paper receipts, reports, or other documents containing cardholder data will be secured in a locked file drawer or safe, with access granted on a limited and documented basis. All documents containing cardholder data must be checked out and checked in by an authorized manager.
- A payment processing system Administrator will be notified of all employees leaving the company and will immediately revoke their access to all systems and storage facilities.

Anti-Virus/Anti-Phishing

The Interdependence Project has implemented {insert anti-virus application name here} for the purpose of computer virus, worm and Trojan horse prevention, detection and cleanup.
In order to ensure the security of our computing environment, all employees using The Interdependence Project computers or systems must adhere to the following:

- All computers accessing company systems, and/or utilizing the PaySimple payment processing system, must use the approved anti-virus/anti-phishing protection software and configuration.
- The virus/phishing protection software must not be disabled or bypassed.
- The settings and automatic update frequency for the virus/phishing protection software must not be altered in a manner that will reduce its effectiveness.
- Employees should NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source.
- Employees should never download files from unknown or suspicious sources.
- Employees should never complete any forms accessed via links embedded in an email from an unknown, suspicious or untrustworthy source.
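The account provisions in the Key Access Control Provisions above (at least 8 alphanumeric characters, expiry every 90 days, uniqueness over any 360 day period, lockout after 5 consecutive failed logins) can be enforced mechanically; the following is an added illustration written for this page, not PaySimple's system or The Interdependence Project's own code. The PBKDF2 parameters, the reference date T0, and the reading of "alphanumeric" as "contains both letters and digits" are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8            # "at least 8 alphanumeric characters"
EXPIRY_DAYS = 90          # "passwords will expire every 90 days"
UNIQUE_WINDOW_DAYS = 360  # "must be unique over any 360 day period"
MAX_FAILED_LOGINS = 5     # "locked after 5 consecutive failed logins"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference date (assumption)


def ts(day: int) -> datetime:
    # Day offset from T0, so a scenario can be replayed deterministically.
    return T0 + timedelta(days=day)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an assumption, not from the policy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_complexity(password: str) -> list:
    """Return the rules a candidate password violates (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: "alphanumeric" means the password mixes letters and digits.
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes = b""
    digest: bytes = b""
    changed_at: datetime = T0
    history: list = field(default_factory=list)  # (set_at, salt, digest) for every password set
    failed_logins: int = 0
    locked: bool = False

    def set_password(self, new: str, now: datetime) -> None:
        problems = check_complexity(new)
        if problems:
            raise ValueError("; ".join(problems))
        # Uniqueness: reject a match against any password set within the last 360 days.
        window_start = now - timedelta(days=UNIQUE_WINDOW_DAYS)
        for set_at, salt, digest in self.history:
            if set_at >= window_start and hmac.compare_digest(_hash(new, salt), digest):
                raise ValueError(f"password reused within {UNIQUE_WINDOW_DAYS} days")
        self.salt, self.changed_at = os.urandom(16), now
        self.digest = _hash(new, self.salt)
        self.history.append((now, self.salt, self.digest))

    def login(self, attempt: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'denied' or 'locked'; lockout is checked before the password."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(_hash(attempt, self.salt), self.digest):
            self.failed_logins += 1
            self.locked = self.failed_logins >= MAX_FAILED_LOGINS
            return "locked" if self.locked else "denied"
        self.failed_logins = 0  # only consecutive failures count toward lockout
        return "expired" if now - self.changed_at >= timedelta(days=EXPIRY_DAYS) else "ok"
```

A locked account stays locked until the payment processing system Administrator intervenes, which mirrors the policy's placement of account issuance and monitoring with that role.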

Acceptable Use

The Interdependence Project is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. All computer related systems and equipment, including but not limited to computer equipment, software, e-mail accounts, and web browsers, are the property of The Interdependence Project. All data obtained during the course of performing job responsibilities is the property of The Interdependence Project. These systems and data are to be used for business purposes in serving the interests of the company, and our donors and event or class participants, in the course of normal operations. Effective security is a team effort involving the participation and support of every The Interdependence Project employee and affiliate who deals with information and/or information systems. It is the responsibility of every employee to know these guidelines, and to conduct their activities accordingly.

Key Acceptable Use Policy Provisions

- Users should be aware that the data they create on the corporate systems remains the property of The Interdependence Project. There is no expectation of privacy or guarantee of confidentiality of information stored on or accessed via any network, computer, or electronic device belonging to The Interdependence Project.
- Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. PaySimple payment processing system passwords are changed every 90 days.
- Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
- Under no circumstances is an employee of The Interdependence Project authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing The Interdependence Project-owned resources.

The following activities are strictly prohibited, with no exceptions:

- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any host, network or account.
- Providing information about, or lists of, The Interdependence Project employees to parties outside The Interdependence Project.
- Providing information about or lists of The Interdependence Project donors and event or class participants, including but not limited to PANs and other sensitive information, to any external party or unauthorized internal party.

Vendor Management

All vendors that will have access to Critical Confidential information, including credit card numbers and bank account numbers, must be covered by a formal contract that includes the following guarantees:

- Service providers must comply with all PCI DSS requirements, and maintain and provide proof of PCI DSS certification as a service provider.
- Service providers must acknowledge responsibility for the security of the cardholder data they possess, including but not limited to:
  - Protecting cardholder data as specified by the PCI DSS, if processing or storing payment card data on behalf of The Interdependence Project.
  - Reporting any known or suspected compromise of that data to the company as soon as possible.
  - Allowing for audits by VISA/MasterCard/American Express/Discover or VISA/MasterCard/American Express/Discover-approved entities in the event of a cardholder data compromise.
  - Ensuring continued security of cardholder data retained during and after contract termination.

As part of the Vendor Management program, The Interdependence Project will perform due diligence on each vendor prior to signing any contract to confirm that the above guarantees have been adequately met. On at least a yearly basis, The Interdependence Project will review all vendors that have access to Critical Confidential information to ensure that:

- PCI DSS compliance certification is up-to-date;
- Other procedures in place to protect confidential information continue to adequately protect donors and event or class participants and are being properly executed;
- Any changes necessary to policies and procedures are made.