University of Wisconsin Colleges and University of Wisconsin-Extension Organization-wide Information Security Policy


21 Nov 2013


Organization-wide Information Security Policy
University of Wisconsin Colleges & University of Wisconsin-Extension | Information Security
Central IT
Issue Date: xx/xx/xxxx | Review Date: xx/xx/xxxx

University of Wisconsin Colleges and University of Wisconsin-Extension
Organization-wide Information Security Policy


I. Policy Statement

A. Statement

The policy objective is to assure that processing activities and controls for payment card data, personally identifying information, student information, faculty-staff information, and intellectual property comply with applicable standards and regulations and generally safeguard the confidentiality, integrity, and availability of the organization’s data.

All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must be conducted as described herein and in accordance with the standards and procedures referred to in the Related Documents section of this Policy. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of the PCI-DSS. [PCI-DSS 12.1]

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. [PCI-DSS 12.1]

B. Applicability and Availability

This policy applies to all employees. [PCI-DSS 12.1]

Relevant sections of this policy apply to vendors, contractors, and business partners. The most current version of this policy is available in the ‘Information Security Policies and Procedures Library’ of the ‘Organization-wide PCI Compliance Center’ SharePoint site at https://collab.uwex.uwc.edu/uwcx/PCI-Center/default.aspx.

II. Specific Policy Requirements

A. Adherence to Standards

Configuration standards must be maintained for applications, network components, critical servers, and wireless access points. [PCI-DSS 2.2]

These standards must be consistent with industry-accepted hardening standards as defined, for example, by SysAdmin Assessment Network Security Network (SANS), National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS).

Configuration standards must include:

- firewall and router configuration [PCI-DSS 1.1]
- standard system components such as servers and services [PCI-DSS 2.2]
- updating of anti-virus software and definitions [PCI-DSS 5.2]
- provision for installation of all relevant new security patches within 30 days [PCI-DSS 6.1]
- prohibition of group and shared passwords [PCI-DSS 8]





B. Handling of Cardholder Data

Distribution, maintenance, and storage of media containing cardholder data must be controlled, including that distributed to individuals. [PCI-DSS 9.7]

Procedures must include periodic media inventories in order to validate the effectiveness of these controls. [PCI-DSS 9.9]

Procedures for data retention and disposal must be maintained by each department and must include the following [PCI-DSS 3.1]:

- legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data
- provisions for disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder data
- coverage for all storage of cardholder data, including database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers
- a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, an audit process, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements
- destruction of media when it is no longer needed for business or legal reasons as follows [PCI-DSS 9.10]:
  o cross-cut shred, incinerate, or pulp hardcopy materials
  o purge, degauss, shred, or otherwise destroy electronic media such that data cannot be reconstructed

Credit card numbers must be masked when displaying cardholder data. Those with a need to see full credit card numbers must request an exception to this policy using the exception process. [PCI-DSS 3.3]

Primary Account Numbers may not be sent via email. [PCI-DSS 4.2]

C. Access to Cardholder Data

Procedures for data control must be maintained by each department and must incorporate the following [PCI-DSS 7.1]:

- access rights to privileged User IDs are restricted to the least privileges necessary to perform job responsibilities
- assignment of privileges is based on individual personnel's job classification and function
- requirement for an authorization form signed by management that specifies required privileges
- implementation of an automated access control system

Firewall and network architectures must prohibit direct public access between the Internet and any system in the cardholder data environment. [PCI-DSS 1.3]

Physical access to data, devices, systems, and/or hardcopies that hold cardholder data shall be restricted in accordance with PCI-DSS and the organization-wide policy (or a department-level policy that is equally or more restrictive). [PCI-DSS 9]


D. Transmission of Cardholder Data

Cardholder data must be encrypted before crossing open or public networks. [PCI-DSS 4.1]

E. Critical Employee-facing Technologies

1. For critical employee-facing technologies, departmental procedures shall require [PCI-DSS 12.3]:

- explicit management approval to use the devices [PCI-DSS 12.3]
- that all device use is authenticated with username and password or other authentication item (for example, token) [PCI-DSS 12.3]
- a list of all devices and personnel authorized to use the devices [PCI-DSS 12.3]
- labeling of devices with owner, contact information, and purpose [PCI-DSS 12.3]
- automatic disconnect of remote access sessions after a specific period of inactivity [PCI-DSS 12.3]
- activation of remote access solutions used by vendors only when needed by vendors, with immediate deactivation after use [PCI-DSS 12.3]

2. Departmental usage standards shall include:

- acceptable uses for the technology [PCI-DSS 12.3]
- acceptable network locations for the technology [PCI-DSS 12.3]
- a list of company-approved products [PCI-DSS 12.3]
- prohibition of the storage of cardholder data onto local hard drives, floppy disks, or other external media when accessing such data remotely via modem [PCI-DSS 12.3]
- prohibition of use of cut-and-paste and print functions during remote access [PCI-DSS 12.3]


F. Responsibilities [PCI-DSS 12.2 & 12.4]

1. The Information Security Officer and the Director of Technical Operations are responsible for overseeing all aspects of information security, including but not limited to the following [PCI-DSS 12.5]:

- creating and distributing security policies and procedures [PCI-DSS 12.5]
- monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel [PCI-DSS 12.5]
- periodic analysis, identification, and ranking of emerging security vulnerabilities [PCI-DSS 6.2]
- creating and distributing security incident response and escalation procedures that include [PCI-DSS 12.5 & 12.9]:
  o roles, responsibilities, and communication [PCI-DSS 12.9]
  o coverage and responses for all critical system components [PCI-DSS 12.9]
  o notification, at a minimum, of credit card associations and acquirers [PCI-DSS 12.9]
  o strategy for business continuity post compromise [PCI-DSS 12.9]
  o reference or inclusion of incident response procedures from card associations [PCI-DSS 12.9]
  o analysis of legal requirements for reporting compromises [PCI-DSS 12.9]
  o annual testing [PCI-DSS 12.9]
  o designation of personnel to monitor for intrusion detection, intrusion prevention, and file integrity monitoring alerts on a 24/7 basis [PCI-DSS 12.9]
  o plans for periodic training [PCI-DSS 12.9]
  o a process for evolving the incident response plan according to lessons learned and in response to industry developments [PCI-DSS 12.9]




- maintaining a formal security awareness program for all employees that provides multiple methods of communicating awareness and educating employees (for example, posters, letters, meetings) [PCI-DSS 12.6]
- reviewing security logs at least daily and following up on exceptions [PCI-DSS 10.6]

2. The Technical Operations Group of the Central Information Technology Department, as well as Division, Campus, and Program Area Information Technology Departments, shall maintain daily administrative and technical operational security procedures that are consistent with the PCI-DSS. [PCI-DSS 12.2]


System and Application Administrators shall perform the following roles according to the Information Systems Delegation Model for the organization:

- establish and adhere to a change control policy and process for all changes to system components [PCI-DSS 6.4]
- perform periodic system component security testing [PCI-DSS 11.1-11.5]
- monitor and analyze security alerts and information and distribute to appropriate personnel
- administer user accounts and manage authentication [PCI-DSS 12.5]
- monitor and control all access to data [PCI-DSS 12.5]
- maintain a list of connected entities [PCI-DSS 12.10]
- perform due diligence prior to connecting an entity, with supporting documentation [PCI-DSS 12.10]
- verify that the entity is PCI-DSS compliant, with supporting documentation [PCI-DSS 12.10, 12.4]
- establish a documented procedure for connecting and disconnecting entities [PCI-DSS 12.10]
- retain audit logs for at least one year [PCI-DSS 10.7]

3. The Application Development Group of the Central Information Technology Department, as well as corresponding Division, Campus, and Program-Area application development groups, shall develop software applications in accordance with PCI-DSS and based on industry best practices. [PCI-DSS 6.3]

4. Faculty-staff managers/supervisors are responsible for managing employee participation in the information security awareness program, including the following:

- facilitating participation upon hire and at least annually, usually in combination with the employee’s annual performance evaluation [PCI-DSS 12.6]
- ensuring that employees acknowledge in writing that they have read and understand the company's information security policy [PCI-DSS 12.6]
- screening potential employees to minimize the risk of compromise or exploit from within the organization [PCI-DSS 12.7]

5. Internal Audit (or equivalent) is responsible for executing a risk assessment process that identifies threats and vulnerabilities and results in a formal risk assessment. [PCI-DSS 12.1]

6. The General Counsel’s Office will ensure that, for service providers with whom cardholder information is shared, the following practices are observed:

- contracts require adherence to PCI-DSS by the service provider [PCI-DSS 12.8, 12.4]
- contracts include written acknowledgement of responsibility for the security of cardholder data by the service provider [PCI-DSS 12.8, 12.4]




Related Documents

Related policy, procedure, training, and other documents shall be stored in the ‘Information Security Policies and Procedures Library’ of the ‘Organization-wide PCI Compliance Center’ SharePoint site at https://collab.uwex.uwc.edu/uwcx/PCI-Center/default.aspx.