Security Policies - Guidebook

ahemcurrent
Networking and Communications

Nov 21, 2013
DRAFT

Information Technology (IT) and Security Policies

The enclosed IT security policies have been developed to protect [Company Name]'s critical operations, partners, assets, staff and customers. Compliance with these policies is mandatory. If you have any questions regarding any of the policies or your responsibilities in implementing them, please contact your supervisor.

Version: 1.0
Approval Date:
Primary Contact:

Confidential Information

The enclosed policies and procedures are confidential to [Company Name]. The material may not be copied or re-distributed without the permission of [Company Name].



CONFIDENTIAL   Page 2 of 87


TABLE OF CONTENTS

Executive Summary ..... 5
  Vision and Philosophy ..... 5
  Information Security Directive ..... 5
  Security Environment ..... 5
  Roles and Responsibilities ..... 6
  Sanctions for Policy Violation ..... 6
  Policy Administration ..... 6

Security Policies ..... 10
  Information Security Program ..... 11
    Purpose ..... 11
    Policy Statement ..... 11
    Standards for Risk Assessment ..... 11
    Standards for Risk Management and Security Control Measures ..... 13
    Standards for Service Provider Oversight ..... 15
    Standards for Security Testing and Oversight ..... 15
    Standards for IT Security Oversight and Program Adjustment ..... 15
    References ..... 15
  Access Control Policy ..... 17
    Purpose ..... 17
    Policy Statement ..... 17
    Applicability ..... 17
    Standards ..... 17
    References ..... 19
  Information Security Review And Audit ..... 21
    Purpose ..... 21
    Policy Statement ..... 21
    Applicability ..... 21
    Standards ..... 21
    References ..... 23
    Purpose ..... 25
    Policy Statement ..... 25
    Applicability ..... 25
    Standards ..... 25
    References ..... 26
  Physical Security ..... 28
    Purpose ..... 28
    Policy Statement ..... 28
    Applicability ..... 28
    Standards ..... 28
    References ..... 30
  Information Classification, Handling And Disposal ..... 31
    Purpose ..... 31
    Policy Statement ..... 31
    Applicability ..... 31
    Standards ..... 31
    References ..... 34
  Personnel Security ..... 35
    Purpose ..... 35
    Policy Statement ..... 35
    Applicability ..... 35
    Standards ..... 35
    References ..... 38
  Incident Response ..... 39
    Purpose ..... 39
    Policy Statement ..... 39
    Scope ..... 39
    Standards ..... 39
    References ..... 40
  Business Continuity And Disaster Recovery Planning ..... 42
    Purpose ..... 42
    Policy Statement ..... 42
    Applicability ..... 42
    Standards ..... 42
    References ..... 44

Organization and Management Policies ..... 45
  Information Security Roles And Responsibilities ..... 46
    Purpose ..... 46
    Policy ..... 46
    Applicability ..... 46
    Standards ..... 46
    References ..... 50
  Systems Development Life Cycle ..... 51
    Purpose ..... 51
    Policy Statement ..... 51
    Applicability ..... 51
    Standards ..... 51
    References ..... 53
  Change Control ..... 55
    Purpose ..... 55
    Policy Statement ..... 55
    Applicability ..... 55
    Standards ..... 55
    References ..... 56
  Vendor Management ..... 57
    Purpose ..... 57
    Policy Statement ..... 57
    Applicability ..... 57
    Standards ..... 57
    References ..... 61

End-User Acceptable Use Policies ..... 62
  Acceptable Use ..... 63
    Purpose ..... 63
    Policy Statement ..... 63
    Applicability ..... 63
    Standards ..... 63
    References ..... 71

IT Operations Policies ..... 72
  Firewall Policy ..... 73
    Purpose ..... 73
    Policy Statement ..... 73
    Applicability ..... 73
    Standards ..... 73
    References ..... 75
  IT Systems And Network Operations ..... 76
    Purpose ..... 76
    Policy Statement ..... 76
    Scope ..... 76
    Standards ..... 76
    References ..... 81

Reference Materials ..... 83
  Glossary of Terms ..... 84
  Intrusion Detection and File Integrity Management ..... 84
  Event Log Collection, Monitoring, Analysis and Reporting ..... 84
  Automated Security Policy Enforcement ..... 84
  Incident Resolution Workflow Management and Escalation ..... 84
  Vulnerability Assessment ..... 84
  Virus Detection and Protection ..... 84
  Enterprise-wide Firewall Configuration Management ..... 85
  Audit Reports ..... 85
  Authorization Control ..... 85
  Audit Control ..... 85
  Access Control Management ..... 85
  Planning and Analysis ..... 85
  Configuration Management ..... 85
  Risk Analysis and Management ..... 86




Executive Summary

Vision and Philosophy

The information that resides on our computer systems and networks is of great value to [Company Name].

Due to the increasing value of the information we collect, store, process and share with our partners, [Company Name] has made protecting that critical information a high priority. The foundation of an effective information security program is built on strong information security policies that are in balance with business operations. Information security policies define a concise set of behaviors that provide a secure and enabling environment in which [Company Name] may use and manage its information resources with protection from data loss, service disruption, misuse or unauthorized access. [Company Name]’s Information Security Policies represent the combined efforts of the Information Technology Department (IT), Human Resources Department (HRD), Legal, and user communities.

Information Security Directive

The management of [Company Name] is committed to developing, adopting, and maintaining appropriate policies and procedures to ensure integration of information systems policies in line with [Company Name]’s corporate mission, overall business strategy and risk posture, and in accordance with regulatory guidelines. This will be accomplished by active board and management oversight, effectively managing and monitoring information security risks, delineating clear accountability, and setting appropriate review processes to ensure that the infrastructures necessary to identify, monitor, and control information security risks are continuously addressed.

Regulatory Compliance

[Company Name] has implemented a complete security program which includes a combination of policies, physical controls and technical controls to meet regulatory compliance. [Company Name] policies comply with the HIPAA Final Security Rule 164.306, which states that covered entities must protect against any reasonably anticipated threats or hazards. These policies also comply with the Payment Card Industry Data Security Standard (PCI DSS).

While some controls may not be specifically required by a HIPAA implementation specification, the risk posed by not having the control makes it necessary and reasonable to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI).

Security Environment

[Company Name] utilizes customer data to deliver products and services to our clients. We also collect, process, store and share other sensitive information that enables us to maintain competitive advantage and perform our mission. Accordingly, all customer information, including ePHI and cardholder data, as well as other sensitive company information, will be protected by all staff, contractors, partners and service providers in accordance with well-defined policies and procedures.

The Management and Staff of [Company Name] will operate on the security principle of “that which is not explicitly allowed is explicitly denied”. Attempts by anyone to access, monitor, use or share information that is not explicitly allowed to them by our security program will be considered a security violation. We will also operate on the principle of “Defense in Depth”. The security of the company’s information will not rely on a single means of protection when multiple means of protection are justified by our risk assessment. We will deploy systems, processes, policies and training to protect our mission critical data assets and customer privacy. Most important, we will monitor and enforce compliance with our policies.

To this end, [Company Name]’s Information Technology (IT) Security Policies address our staff, facilities, systems and data to ensure the continued confidentiality, integrity and availability of our data and critical systems. The policies are presented in sections that focus on the needs of specific stakeholders, including management, end users and IT staff. Please refer to the appropriate section for further information as it relates to specific systems and your individual or group responsibilities.


Roles and Responsibilities

The Board of Directors is ultimately responsible for the oversight of Information Technology (IT) and sensitive data. Senior management has delegated [Company Name]’s IT responsibilities to the Chief Information Officer (CIO) with oversight provided by designated management-level representatives from each functional area of [Company Name]. These representatives comprise the IT Steering Committee. Assignments are based upon technical and/or managerial competency in relation to the complexity of the products or services. The IT Steering Committee and CIO will periodically provide reports to senior management to guide program adjustments.

The CIO will supervise the Information Security Officer (ISO) who, along with the IT Steering Committee, is responsible for carefully considering the impact of any policy or procedural changes in current products and services which may affect both the security of information and the functionality of products.

System users maintain individual responsibilities as outlined in the End User Systems Access and Acceptable Use policies contained in subsequent sections of the document. Users will receive orientation training during the hiring process and are required to acknowledge their acceptance of those responsibilities in writing. The guiding principles for users include:

• Limit access to users on a “need to know” basis.
• Deploy information security safeguards in a “Defense in Depth” strategy to limit single points of potential vulnerability.
• Enforce accountability to [Company Name] security policies.
• Remain vigilant for new threats that may cause damage to [Company Name] or our client data and adjust the security program to control risks.

Vendors, partners and other third parties will be required to comply with the same standards established for [Company Name] staff. All third parties accessing [Company Name] systems and information will execute a confidentiality and non-disclosure agreement in addition to executing an agreement to provide security safeguards commensurate with the risk caused by their access to sensitive [Company Name] information and systems.

Sanctions for Policy Violation

Failure to comply with our information security policies and guidelines may result in disciplinary action by [Company Name] depending upon the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s). Each situation will be judged on a case-by-case basis. Sanctions may include termination of employment and/or referral for criminal or civil prosecution, warnings, additional security awareness training, or immediate termination. There is no requirement for advance notices, written or verbal warnings, or probationary periods.

Policy Administration

The ISO will have the responsibility for developing Information Security Policies. Security policies will be reviewed by the IT Committee and approved by the Board of Directors for implementation. All policies will be reviewed annually and updated when there are changes to the environment. All policies are subject to review by the IT Steering Committee, internal and external auditors as well as regulators.

All information security policies will include the following elements:

• Purpose
• Policy Statement
• Applicability
• Standards
• References

Roles and responsibilities for key [Company Name] staff in the implementation and enforcement of [Company Name] policies have been defined in the Roles and Responsibilities Policy.


HIPAA Cross Reference

ADMINISTRATIVE SAFEGUARDS (see § 164.308)

Standards | Sections | Implementation Specifications ((R) = Required, (A) = Addressable) | Policy
Security Management Process | 164.308(a)(1) | Risk Analysis (R) | Information Security Program, Risk Assessment Section
 | | Risk Management (R) | Information Security Program, Risk Management and Security Controls Section
 | | Sanction Policy (R) | Executive Summary, Sanctions Section
 | | Information System Activity Review (R) | Testing and Auditing Policy
Assigned Security Responsibility | 164.308(a)(2) | (R) | Roles and Responsibilities Policy
Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A) | Access Control Policy
 | | Workforce Clearance Procedure (A) | Personnel Policy
 | | Termination Procedures (A) | Personnel Policy
Information Access Management | 164.308(a)(4) | Isolating Healthcare Clearinghouse Function (R) | N/A
 | | Access Authorization (A) | Access Control Policy
 | | Access Establishment and Modification (A) | Access Control Policy
Security Awareness and Training | 164.308(a)(5) | Security Reminders (A) | Personnel Policy
 | | Protection from Malicious Software (A) | Information Systems Operations Policy
 | | Log-in Monitoring (A) | Information Systems Operations Policy, Monitoring and Reporting Section
 | | Password Management (A) | Access Control Policy
Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) | Incident Response Policy
Contingency Plan | 164.308(a)(7) | Data Backup Plan (R) | Information Systems Operations Policy
 | | Disaster Recovery Plan (R) | Business Continuity and Disaster Recovery Policy
 | | Emergency Mode Operation Plan (R) | Business Continuity and Disaster Recovery Policy
 | | Testing and Revision Procedure (A) | Business Continuity and Disaster Recovery Policy
 | | Applications and Data Criticality Analysis (A) | Business Continuity and Disaster Recovery Policy
Evaluation | 164.308(a)(8) | (R) | Testing and Auditing Policy
Business Associate Contracts and Other Arrangement | 164.308(b)(1) | Written Contract or Other Arrangement (R) | Vendor Management Policy

PHYSICAL SAFEGUARDS (see § 164.310)

Standards | Sections | Implementation Specifications ((R) = Required, (A) = Addressable) | Policy
Facility Access Controls | 164.310(a)(1) | Contingency Operations (A) | Business Continuity and Disaster Recovery Policy
 | | Facility Security Plan (A) | Physical Security Policy
 | | Access Control and Validation Procedures (A) | Access Control Policy
 | | Maintenance Records (A) | Physical Security Policy
Workstation Use | 164.310(b) | (R) | Acceptable Use Policy
Workstation Security | 164.310(c) | (R) | Acceptable Use Policy
Device and Media Controls | 164.310(d)(1) | Disposal (R) | Information Classification, Handling and Disposal Policy
 | | Media Re-use (R) | Information Classification, Handling and Disposal Policy
 | | Accountability (A) | Information Classification, Handling and Disposal Policy
 | | Data Backup and Storage (A) | Information Classification, Handling and Disposal Policy

TECHNICAL SAFEGUARDS (see § 164.312)

Standards | Sections | Implementation Specifications ((R) = Required, (A) = Addressable) | Policy
Access Control | 164.312(a)(1) | Unique User Identification (R) | Access Control Policy
 | | Emergency Access Procedure (R) | Business Continuity and Disaster Recovery Policy
 | | Automatic Logoff (A) | Access Control Policy
 | | Encryption and Decryption (A) | Encryption Policy
Audit Controls | 164.312(b) | (R) | Audit and Review Policy
Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) | Encryption Policy; Information Systems Operations Policy
Person or Entity Authentication | 164.312(d) | (R) | Information Systems Operations Policy
Transmission Security | 164.312(e)(1) | Integrity Controls (A) | Encryption Policy
 | | Encryption (A) | Encryption Policy

ORGANIZATIONAL REQUIREMENTS (see § 164.314)

Standards | Sections | Implementation Specifications ((R) = Required, (A) = Addressable) | Policy
Business Associate Contracts or Other Arrangements | 164.314(a)(1) | (R) | Vendor Management Policy
Group Health Plans | 164.314(b)(1) | (R) | N/A

DOCUMENTATION REQUIREMENTS (see § 164.316)

Standards | Sections | Implementation Specifications ((R) = Required, (A) = Addressable) | Policy
Policies and Procedures | 164.316(a) | (R) | Information Security Program
Documentation | 164.316(b)(1) | (R) | Information Security Program

References:

1. HIPAA 164.308(a)(1) Security Management Process
2. HIPAA 164.316(a) Policies and Procedures
3. HIPAA 164.316(b) Documentation







Security Policies





INFORMATION SECURITY PROGRAM

Section: Security
Effective Date: -- FIRST RELEASE
Policy Number: POLICY IS001
Date Last Approved by Board:
Prior Policy Number: N/A
Department: Management and Information Technology
Initial Policy Date: --
Prior Effective Date: FIRST RELEASE

Purpose

Protecting the confidentiality, integrity and availability of customer and sensitive protected health information, financial information, records and transactions is critical to [Company Name]. [Company Name] considers all customer information confidential, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed. All [Company Name] staff share in the responsibility to our clients and customers to ensure that the appropriate procedures and controls are implemented and that information security remains a constant priority.

This policy is not designed to act as a substitute for sound risk analysis or good judgment. The primary objective of the policy is to ensure the appropriate protection of [Company Name] customer information, records and transactions handled by computer and data communication systems owned by or administered for [Company Name].

Policy Statement

All information collected, processed, stored on or transmitted over [Company Name] computer systems and networks will be treated as a [Company Name] corporate asset. It is the policy of [Company Name] to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse or theft of our sensitive information assets. [Company Name] will maintain an information security program to control risks associated with access, use, storage, sharing, and destruction of sensitive customer and financial information. This program will document minimum standards of behavior for staff, contractors and service providers and include clear guidance for the day-to-day operations of [Company Name]. At a minimum, the program must include:

• Risk Assessment
• Risk Mitigation and Management
• Monitoring and Reporting
• Audit
• IT Oversight and Program Adjustment
• Vendor Management

Standards for Risk Assessment

Each critical process deployed at [Company Name] will undergo a comprehensive risk assessment to identify critical information assets, threats to those assets, and the effectiveness of risk controls. The risk assessment will review risks to the entire process and will not be limited to specific IT systems. The risk assessment will be updated on an annual basis. The Information Security Officer (ISO), in conjunction with the IT Steering Committee, must decide to what degree potential losses will be mitigated to reduce risk to [Company Name], staff, partners and members. For each system, service, or activity offered by or through [Company Name], the company will conduct a risk assessment following the guidelines published in NIST SP 800-30. At a minimum, the [Company Name] risk assessment program will include the activities outlined in the diagram below:


Input / Risk Assessment Activities / Output

Step 1. SYSTEM CHARACTERIZATION
  Input:  Hardware; Software; System Interfaces; Data and information; People; System mission
  Output: System Boundary; System Functions; System and data criticality; System and Data sensitivity

Step 2. THREAT IDENTIFICATION
  Input:  History of system attack; Data from other (outside) sources
  Output: Threat Statement

Step 3. VULNERABILITY IDENTIFICATION
  Input:  Reports from prior risk assessments; Any audit comments; Security requirements; Security test results
  Output: List of Potential Vulnerabilities

Step 4. CONTROL ANALYSIS
  Input:  Current Controls; Planned Controls
  Output: List of Current and Planned Controls

Step 5. LIKELIHOOD DETERMINATION
  Input:  Threat-source motivation; Threat capability; Nature of vulnerability; Current controls
  Output: Likelihood rating

Step 6. IMPACT ANALYSIS
  Input:  Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity
  Output: Loss of Integrity; Loss of Availability; Loss of Confidentiality

Step 7. RISK DETERMINATION
  Input:  Likelihood rating; Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
  Output: Risks and associated risk levels

Step 8. CONTROL RECOMMENDATIONS
  Input:  Coordination with CRO
  Output: Recommended Controls

Step 9. RESULTS DOCUMENTATION
  Output: Risk Assessment Report




As threats, the operating environment (physical and virtual) and systems architecture change, the ISO, in conjunction with the IT Steering Committee, will update the risk assessment to ensure new risks are mitigated before making changes to infrastructure, policies or procedures. At a minimum, the IT Steering Committee and BOD will review the comprehensive risk assessment at least once per year.

Standards for Risk Management and Security Control Measures

All information systems require effective and reliable controls to maintain data confidentiality, assure availability and integrity, ensure customer privacy, and protect [Company Name] computer and telecommunications systems from unauthorized intrusions and access, misuse, or fraud. Based upon justification detailed in the risk assessment, [Company Name] will implement controls that support the following principles.

POLICY DEVELOPMENT

A critical part of our risk mitigation plan is to provide policies and risk mitigation guidelines to our staff and partners. We will leverage best practices including ISO 27002 to develop policies and document security procedures to meet operational risk mitigation objectives as well as compliance with customer privacy expectations and other regulatory requirements. At a minimum, the IT Steering Committee and BOD review and approve required changes to policies and standards at least once per year.



ACCESS CONTROLS

All [Company Name] computers and telecommunications systems will limit access to users who have a proven “need-to-know”. Access to confidential information must be granted at the minimum level of access necessary to perform assigned responsibilities and will be monitored for compliance pursuant to the Access Control Policy. Access controls will implement the following safeguards:

1. Logical access restrictions: The CIO will provide an infrastructure to validate unique user identification through central authentication systems and will implement user log-in monitoring to verify that only users granted access to sensitive data are allowed access to our sensitive systems and data.

2. Separation and Rotation of Duties: Each department’s roles and responsibilities are clearly established in order to ensure that no one person is permitted to perform critical functions from start to finish or check the accuracy of their own work.

3. Access restrictions on physical locations containing customer information: Access to the data center and record storage areas containing confidential information, applications and systems will be limited to authorized personnel according to guidelines defined in the Physical Security Policy.

4. Network Segmentation: The CIO will review risk assessment data and segment systems and data storage on the network according to the organization’s network Security Policies.


PHYSICAL SECURITY

Critical, confidential, and sensitive client/member information and information processing systems must be physically protected from unauthorized access, damage and service disruption. Such protection will be in accordance with the Physical Security Policy and the Information Classification Policy.



ENCRYPTION

Any system or service requiring the transmission or storage of information such as social security numbers (SSNs), passwords, client/customer account information, non-public personal financial information including credit reporting information, account numbers, balances, and payment card data will use an approved method of encryption as a means of protecting data. Approved encryption methods will be defined and determined by the [Company Name] ISO. Any transmission of sensitive company information and/or non-public personal staff or customer information sent via email must be encrypted and/or password protected. Additional protection will be in accordance with the Cryptography Controls Policy and the Information Classification Policy.






SYSTEMS DEVELOPMENT LIFE CYCLE

[Company Name] considers all servers, workstations, network devices, security systems, peripheral equipment, data and application software as valuable company assets. In order to mitigate its exposure to risk, we have established policies and set standards for the acquisition, installation and maintenance of all hardware and software in the Systems Development Lifecycle (SDLC) Policy.


CHANGE MANAGEMENT

Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. [Company Name] will establish formal management responsibilities and procedures to ensure satisfactory control of all changes to equipment, software and procedures. Operational programs will be subject to strict change control. The details of change and configuration management are outlined in the Change Management Policy.


CONFIGURATION MANAGEMENT

The IT Systems and Network Operations Policy outlines minimum configuration requirements required to deploy a system. Hardening guidelines will be created based on the minimum requirements established by the policy. Antivirus must be installed on all systems before being allowed on the network.


PERSONNEL SECURITY

Human threats represent one of the most significant hazards to safe and secure delivery of our services. To mitigate hazards introduced by our staff, [Company Name] will enforce safeguards contained in our Personnel Security Policy. At a minimum, that policy will address hiring and termination procedures to grant authorized access to company systems and data along with provisions for training. All new employees will receive security training as a part of new employee orientation. All employees will receive annual security training on a schedule determined by company management. This training will include a review of relevant IT Policies, technology changes, and the procedures to follow in maintaining the confidentiality of classified data.


MONITORING SYSTEMS

The CIO will supervise regular monitoring of the critical systems in use by [Company Name] and evaluate whether the controls are functioning effectively and that no security breaches have occurred. At a minimum, standards established in the Security Operations Policies will address the following:

1. Exception reports for security policy violations will be immediately reported to the IT Steering Committee;

2. Summary reports of all event log analysis will be provided to the IT Steering Committee at least once per quarter;

3. Vulnerability assessments, penetration tests and other event and access monitoring will be periodically performed using approved security tools to verify that vulnerabilities are mitigated within 30 days of receiving vulnerability notices and that security policies and procedures are enforced. Results will be analyzed and policies/controls modified as needed to prevent, detect and respond to possible security breaches.


INFORMATION SECURITY INCIDENT RESPONSE

Information security incident response is an important component of our information technology program. Appropriate responses to information security incidents are defined in the Incident Response Policy.



BUSINESS CONTINUITY AND DISASTER RECOVERY

The continuation of our services after a disaster or service disruption is critical to the success of [Company Name]. A Business Continuity Plan (BCP) with integrated Disaster Recovery Plan will be maintained by the CIO in accordance with our Business Continuity Policy. Company management will participate in developing the plans, training staff and conducting annual tests to ensure the organization, its staff and clients are protected from anticipated hazards.


PERIMETER SECURITY

[Company Name] will maintain the security controls to protect company assets and information as justified by the risk assessment. Perimeter security controls, specified in the IT Systems and Network Operations Policy, will include the following safeguards:




1. Firewall(s)

2. Intrusion Detection System (IDS)

3. Virus Protection

4. Router Management


SYSTEMS MANAGEMENT

To reduce the risks of internal abuse or misuse by authorized users as well as providing a tiered security program to protect against external attacks including non-human attacks like fire and weather related events, [Company Name] will maintain system controls as specified in the IT Security Operations Policy to include the following:

1. Vulnerability management

2. Host based integrity management for critical systems

3. Configuration Management

4. Central Event log analysis

5. Back-up Procedures


TRAINING

Training is an important part of ensuring the confidentiality, integrity and availability of customer and company information. In order to minimize possible security risks, all company staff will be trained in their specific responsibilities under the information security program. Training requirements are specified in the Personnel Security Policy and include the identification and protection of sensitive information, and the guidelines for the use of sensitive information and information processing facilities.


Standards for Service Provider Oversight

A periodic review of all mission-critical outsourcing arrangements will be performed to confirm that [Company Name] service providers and critical vendors comply with the Vendor Management Policy defined in this document. [Company Name] has integrated critical business partners into the delivery of services to customers. Therefore, each service provider who has access to sensitive company systems or information must comply with the guidelines for selection, contracting and monitoring as specified in the vendor management policy and associated procedures. It is the responsibility of the process owner to present new or changed requirements to service providers to the IT Steering Committee for approval.


Standards for Security Testing and Auditing

Internal audits will be periodically performed on critical information systems and confidential data to ensure compliance to these policies. This includes monitoring data access rights and network ID security levels. At least once per year, the CIO and Information Security Officer will retain an independent firm to conduct a comprehensive security assessment for compliance to this policy and regulatory requirements.

Standards for IT Security Oversight and Program Adjustment

The Information Security Officer will provide a periodic report on the status of the company security program to the IT Steering Committee at least once per quarter. The IT Steering Committee will provide annual reports summarizing risks and risk mitigation efforts to the Board of Directors (BOD). The policies will be updated to reflect major changes to the environment. The BOD will approve risk assessments and all updated policies annually. These measures are to ensure adjustments to the risk management plan and the information security program are implemented and enforced as justified by change in company operations, infrastructures and new risks.

References

1. HIPAA 164.308(a)(1)

2.

3. ISO 27002 Section 12 Compliance

4. FFIEC IS Handbook Ongoing Security

5. FFIEC IS Handbook Information Security Strategy




6. FFIEC IS Handbook Risk Assessments

7. GLBA Part 208.3 III A 2 Oversee the development, implementation, and maintenance of the bank’s information security program

8. GLBA Part 208.3 III B Assess Risk

9. GLBA Part 208.3 III C 2 Train Staff

10. GLBA Part 208.3 III C 1 c Encryption

11. GLBA Part 208.3 III C 1 e Separation of Duties

12. Payment Card Industry (PCI) Data Security Standard, Requirement 12.1: Establish, publish, maintain, and disseminate a security policy

13. Payment Card Industry (PCI) Data Security Standard, Requirement 12.1.1: Address all requirements in this specification

14. Payment Card Industry (PCI) Data Security Standard, Requirement 12.1.2: Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment

15. Payment Card Industry (PCI) Data Security Standard, Requirement 12.1.3: Includes a review at least once a year and updates when the environment changes.





ACCESS CONTROL POLICY

Section: Security
Effective Date: --
Policy Number: POLICY IS002
Date Last Approved by Board: --
Prior Policy Number: N/A
Department: [Company Name] Management and Information Technology
Initial Policy Date: --
Prior Effective Date: FIRST RELEASE


Purpose

Human threats are the primary cause of a wide range of hazards to business systems and information. Unauthorized users could obtain confidential information and misuse it, and authorized users could fail to follow system instructions to protect data. To mitigate human threats, the organization must establish access controls that limit access to sensitive systems and information to the minimum necessary level to support organizational service delivery.

Policy Statement

[Company Name] will grant and provide the least amount of access to data on a “business need-to-know” basis. Management recognizes that the risk exposure varies between different classes of privileges and users assigned to those classes. Where a class of privileges and users in those classes present greater risk exposure, [Company Name] will design and implement correspondingly stronger systems of access controls. Management is committed to implementing operational tools and procedures to meet or exceed the access control standards stated below.

Further, Management is committed to testing and monitoring programs designed to ascertain whether the systems of controls and their component parts are functioning as intended, and whether they afford an acceptable level of protection as time and technology advance. At a minimum, management will review access granting and access control effectiveness on a semi-annual basis.

Applicability

This access control policy applies to all users of organizational information systems or to those users who access sensitive [Company Name] information.


Standards

As specified in the End User Policy each user is provided access to [Company Name] systems and data on a “business need-to-know” basis. Safeguards such as role-based access control or context-based access control or mandatory access control or discretionary access control will be used as appropriate to control access to sensitive information.

Each user must submit a Systems Access Request Form approved by the user's supervisor. Access will be granted by the IT department to specific applications, menus, data, and services as approved on the form. Our Human Resources (HR) department will verify that a Statement of Understanding has been signed by each user prior to granting access. The IT department will ensure that all Authentication and Authorization systems enforce “deny all” principles for access control. That is, all systems will first deny access until configured to “allow” access based on need-to-know.






All access to any database containing sensitive data will require at least one full factor of authentication. This includes access by applications, administrators, and all other users. A “full factor” of authentication requires the user to supply an identity (e.g., a username) and proof of that identity (e.g., a password, unique physical token, or biometric).


(
Microsoft’s Active Directory

(AD)
or state other authentication mecha
nism)

has been
deployed to provide enterprise wide logical access controls to all objects including files, directories
and computers. Management recognizes, however, that AD is not the only authentication and
authorization system used to protect sensitive
[Company Name]

assets. In many cases,
applications, third
-
party products, and enterprise solutions may use other
Authentication and
Authorization (
AA
)

systems that are not configurable by AD policy. In any case, the controls
established within AD Group polices must similarly be observed in each AA system to ensure
control consistency.


Enterprise group policies will be defined to achieve the following requirements. These policies will be deployed at the domain level and will also be implemented on any self-contained systems, databases, applications, and application components, or any other authenticating system component. [Company Name] has implemented the following controls to support logical access controls:

• All users must be identified with a unique credential that establishes identity. This unique credential, whether a username, a badge, or other token, must not be shared with any other person. Users are responsible for all actions performed under the context of their identity.

• In addition to unique identification, users will be required to use at least one of the following for authentication: a token device, a password, or a biometric device.

• All user accounts inactive for 90 days will be disabled from use.

• 2-factor authentication will be implemented for all remote access to the network by employees, administrators, and third parties. Technologies such as RADIUS or TACACS with tokens or VPN with individual client certificates will be used in addition to the use of a password.

• All “guest” or generic accounts will be disabled or removed from access;

• Accounts used by vendors for remote maintenance will be kept disabled until required for use;

• Accounts will be disabled after 6 failed logon attempts. After lockout, the account may be automatically reactivated after a minimum period of 30 minutes or until an IT administrator manually resets the account;

• User identity must be verified prior to re-enabling or resetting account privileges. IT Administrators and Helpdesk personnel must be appropriately trained to enforce this requirement, particularly for unfamiliar or remote users whose identities cannot be physically verified.

• All users must be aware of the standards regulating password management. These issues must be specifically called out during security awareness and training campaigns.
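The lockout and inactivity rules in the controls above (six failed logons lock the account, a lock clears after 30 minutes or on manual administrator reset, accounts inactive for 90 days are disabled) can be expressed as a small state machine. The following Python is an added illustration written for this guidebook and is not part of the policy or of any product's code; the account names and timestamps are constructed, and the function names are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds are the ones stated in the policy bullets above.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    username: str
    last_activity: datetime                  # last successful logon (or account creation)
    failed_attempts: int = 0                 # consecutive failures since the last success
    locked_until: Optional[datetime] = None  # set on the sixth consecutive failure
    disabled: bool = False                   # set by the inactivity sweep


def is_locked(acct: Account, now: datetime) -> bool:
    """True while a lockout is in force. A lockout expires on its own after
    LOCKOUT_DURATION, at which point the failure counter is cleared."""
    if acct.locked_until is None:
        return False
    if now >= acct.locked_until:
        acct.locked_until = None
        acct.failed_attempts = 0
        return False
    return True


def record_failed_logon(acct: Account, now: datetime) -> bool:
    """Count one failed logon. Returns True if the account is (now) locked.
    Attempts against a disabled or already-locked account do not restart the window."""
    if acct.disabled:
        return False
    if is_locked(acct, now):
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_DURATION
        return True
    return False


def record_successful_logon(acct: Account, now: datetime) -> bool:
    """Returns False when the logon must be refused (account disabled or locked);
    otherwise clears the failure counter and refreshes the activity timestamp."""
    if acct.disabled or is_locked(acct, now):
        return False
    acct.failed_attempts = 0
    acct.last_activity = now
    return True


def admin_reset(acct: Account) -> None:
    """Manual reactivation by an IT administrator. The policy requires the
    user's identity to be verified before this is called."""
    acct.locked_until = None
    acct.failed_attempts = 0


def disable_inactive_accounts(accounts: List[Account], now: datetime) -> List[str]:
    """Periodic sweep: disable every enabled account with no activity for
    INACTIVITY_LIMIT. Returns the usernames disabled in this run."""
    disabled = []
    for acct in accounts:
        if not acct.disabled and now - acct.last_activity >= INACTIVITY_LIMIT:
            acct.disabled = True
            disabled.append(acct.username)
    return disabled


def run_demo() -> Dict[str, object]:
    """Walk two constructed accounts through the rules; timestamps are made up."""
    t0 = datetime(2013, 11, 21, 9, 0, 0)
    alice = Account("alice", last_activity=t0)
    bob = Account("bob", last_activity=t0 - timedelta(days=120))  # long inactive
    # Six consecutive failures one second apart: only the sixth locks.
    locked = [record_failed_logon(alice, t0 + timedelta(seconds=i)) for i in range(6)]
    refused = not record_successful_logon(alice, t0 + timedelta(minutes=10))
    reopened = record_successful_logon(alice, t0 + timedelta(minutes=31))
    swept = disable_inactive_accounts([alice, bob], t0 + timedelta(minutes=31))
    return {
        "locked_after_each_attempt": locked,  # [False]*5 + [True]
        "refused_while_locked": refused,      # True
        "logon_after_expiry": reopened,       # True: lock expired, counter cleared
        "disabled_by_sweep": swept,           # ["bob"]
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that failures arriving while the account is already locked are not counted, so an attacker cannot extend a lockout indefinitely against a legitimate user, and the counter is only cleared by a successful logon, lock expiry, or an administrator reset.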



The CIO will enforce the following access control standards to
prevent unauthorized access
to sensitive systems and confidential information.


FORMAL ACCESS, ACCESS CHANGE, AND ACCESS TERMINATION PROCESSES

• Access to [Company Name] information processing systems will require supervisor approval prior to granting access or privileges. The employee’s supervisor will ensure that approval is based upon a “business need-to-know” basis.

• All users will be given a unique username for access to system components or sensitive data. In addition to a unique username, the user will be required to use a password for authentication.

• Users must not share account credentials under any circumstances. The use of “group” or shared user accounts is strictly prohibited. This requirement includes all accounts used within IT for system or application administration.

• All changes to user accounts (except for password resets) must be approved by the employee’s manager. This includes account termination, creation, and changes to account privileges.






• Supervisor approval for making changes to user access rights must be recorded and stored in writing.

• Access for terminated users will be revoked immediately. Full access termination standards are outlined in the Personnel Security Policy.


ADMINISTRATOR PRIVILEGES

• Administrator privileges must be limited to the minimum number of staff required to perform sensitive duties (e.g. granting access to sensitive systems and confidential information).

• For that limited staff that are granted “Administrator” privileges, [Company Name] will conduct a thorough background check to include criminal history, credit, and prior employment.

• All administrators must use dual factor authentication when accessing sensitive systems, network or security devices from a remote connection (i.e., a connection that traverses the Internet or wireless networks).

• Documented justification will be created for each person who possesses administrator rights to any [Company Name] application, system, networking infrastructure device, security tool, or other enterprise service.

• As mentioned earlier, the use of shared administrative accounts is strictly prohibited. IT administrators must use unique credentials when administering [Company Name] systems.


PASSWORD MANAGEMENT

• At a minimum, IT will enforce the use of strong passwords to authenticate user identities. This specifically includes:

• The use of strong passwords when logging into confidential [Company Name] systems. Strong passwords must use alpha and numeric characters. The password must be at least 7 characters in length and require the use of three out of four of the following:

    • Capital letters;
    • Lower case letters;
    • Numbers;
    • Special characters.

• The use of password rotation schedules. Passwords may not be reused for at least 4 password change periods and changed passwords cannot use the same phrase with simple changes like “Password1” to “Password2”.

• All roles will require users to change passwords at least every 90 days. Any exceptions to this requirement must be documented and approved by the ISO.

• All systems and applications will ensure that user sessions expire after 15 minutes and require re-submission of the user’s password to re-activate the session.

• [Company Name] information resources will never display, transmit, or store a password in clear text that can be viewed by a third party.

• First-time passwords (e.g., passwords assigned by IT administrators upon account creation or during password resets) must be set to a unique value per user and changed immediately after first use.

• All passwords will be encrypted during transmission and storage on all system components.

• Password procedures and policies will be distributed to all users who have access to sensitive information.
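The password standards above (7-character minimum, alphabetic plus numeric, three of four character classes, no reuse of the last four passwords, no “Password1” to “Password2” variations, 90-day rotation) are concrete enough to be checked mechanically at the point where a new password is set. The Python below is an added example for this guidebook, not the policy's or any vendor's code; the sample passwords and dates are constructed, and the SHA-256 digest is a stand-in so that the history holds no clear-text passwords (a production system would use a salted password hash such as bcrypt or Argon2).

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Thresholds are the ones stated in the password management bullets above.
MIN_LENGTH = 7
MIN_CLASSES = 3               # three of the four character classes
HISTORY_DEPTH = 4             # no reuse within the last four passwords
MAX_AGE = timedelta(days=90)  # rotation period

_CLASSES = {
    "capital letters": re.compile(r"[A-Z]"),
    "lower case letters": re.compile(r"[a-z]"),
    "numbers": re.compile(r"[0-9]"),
    "special characters": re.compile(r"[^A-Za-z0-9]"),
}


def _digest(value: str) -> str:
    # Stand-in so no clear-text password is kept in the history; a real
    # system would use a salted password hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _stem(password: str) -> str:
    """The 'phrase' of a password: lower-cased, with digits and special
    characters stripped, so Password1 and Password2! share a stem."""
    return re.sub(r"[^a-z]", "", password.lower())


@dataclass(frozen=True)
class PasswordRecord:
    password_digest: str
    stem_digest: str
    set_at: datetime


def make_record(password: str, set_at: datetime) -> PasswordRecord:
    return PasswordRecord(_digest(password), _digest(_stem(password)), set_at)


def check_complexity(password: str) -> List[str]:
    """Return the list of complexity rules the password breaks (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {name for name, pat in _CLASSES.items() if pat.search(password)}
    has_alpha = "capital letters" in present or "lower case letters" in present
    if not (has_alpha and "numbers" in present):
        problems.append("must contain both alphabetic and numeric characters")
    if len(present) < MIN_CLASSES:
        problems.append(f"uses {len(present)} of 4 character classes, need {MIN_CLASSES}")
    return problems


def check_history(password: str, history: List[PasswordRecord]) -> List[str]:
    """history is newest first. Reject reuse of any of the last HISTORY_DEPTH
    passwords, and any password that is only a simple variation of one."""
    problems = []
    for rec in history[:HISTORY_DEPTH]:
        if rec.password_digest == _digest(password):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
        if rec.stem_digest == _digest(_stem(password)):
            problems.append("simple variation of a recent password")
            break
    return problems


def validate_new_password(password: str, history: List[PasswordRecord]) -> List[str]:
    """All problems with a proposed password; an empty list means it may be set."""
    return check_complexity(password) + check_history(password, history)


def rotation_due(history: List[PasswordRecord], now: datetime) -> bool:
    """True when the current (newest) password is older than MAX_AGE."""
    return bool(history) and now - history[0].set_at >= MAX_AGE


def run_demo() -> Dict[str, object]:
    """Constructed history: one password set 100 days before 'now'."""
    now = datetime(2013, 11, 21)
    history = [make_record("Password1", now - timedelta(days=100))]
    return {
        "weak_password_problems": check_complexity("pass"),
        "variation_rejected": validate_new_password("Password2", history) != [],
        "reuse_rejected": validate_new_password("Password1", history) != [],
        "fresh_password_accepted": validate_new_password("Tr0ub4dor&3", history) == [],
        "rotation_due": rotation_due(history, now),
    }
```

The stem comparison is what turns the policy's “same phrase with simple changes” wording into a check: both the password and its stem are stored only as digests, so the history can detect “Password2” following “Password1” without retaining either in clear text.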

References

1. HIPAA 164.308 (a)(3)

2. HIPAA 164.308 (a)(4)

3. FFIEC IS Handbook Access Controls (Access Control Policies are also included in acceptable use policies)

4. GLBA Part 208.3 III C 1 a Access Controls

5. GLBA Part 208.3 III C 1 b Access Restrictions

6. Payment Card Industry (PCI) Data Security Standard, Requirement 7.1: Limit access to computing resources and cardholder information to only those individuals whose job requires such access.



7. Payment Card Industry (PCI) Data Security Standard, Requirement 7.2: Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

8. Payment Card Industry (PCI) Data Security Standard, Requirement 8.1: Identify all users with a unique username before allowing them to access system components or cardholder data.

9. Payment Card Industry (PCI) Data Security Standard, Requirement 8.2: Employ at least one of the methods below, in addition to unique identification, to authenticate all users

10. Payment Card Industry (PCI) Data Security Standard, Requirement 8.3: Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as RADIUS or TACACS with tokens, or VPN with individual certificates.

11. Payment Card Industry (PCI) Data Security Standard, Requirement 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

12. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5: Ensure proper user authentication and password management for non-consumer users and administrators, for all system components

13. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.1: Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects

14. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.2: Verify user identity before performing password resets

15. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.3: Set first-time passwords to a unique value per user and change immediately after first use

16. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.4: Immediately revoke accesses of terminated users

17. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.5: Remove or disable inactive user accounts at least every 90 days

18. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.6: Enable accounts used by vendors for remote maintenance only during the time needed

19. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.7: Communicate password procedures and policies to all users who have access to cardholder data.

20. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.8: Do not use group, shared, or generic accounts and passwords.

21. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.9: Change user passwords at least every 90 days

22. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.10: Require a minimum password length of at least seven characters

23. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.11: User passwords containing both numeric and alphabetic characters

24. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.12: Do not allow an individual to submit a new password that is the same as any of the last four passwords used

25. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.13: Limit repeated access attempts by locking out the user ID after not more than six attempts

26. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.14: Set the lockout duration to thirty minutes or until administrator enables the user ID.

27. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.15: If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

28. Payment Card Industry (PCI) Data Security Standard, Requirement 8.5.16: Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users.






INFORMATION SECURITY REVIEW AND AUDIT

Section: Security
Effective Date: --
Policy Number: POLICY IS003
Date Last Approved by Board: --
Prior Policy Number: N/A
Department: Management and Information Technology
Initial Policy Date: --
Prior Effective Date: FIRST RELEASE


Purpose

Our company operations, systems and industry are constantly changing. New threats are routinely introduced to our environment through systems and operations changes as well as periodic changes in our staff and critical partners. To enforce existing security program criteria as well as identify new threats, [Company Name] must routinely measure the effectiveness and compliance of its information security program.

Policy Statement

Given the inherent vulnerabilities of sensitive data including electronic protected health information (ePHI), financial transactions and cardholder data, as well as the significant impact of failure to enforce security program criteria, [Company Name] is committed to aggressively monitoring its information security program and making adjustments to the program in order to minimize risk. [Company Name] will monitor, measure and evaluate the effectiveness, adequacy, and compliance with its information security program and make adjustments to the program as needed to adequately manage data security risks. This will be accomplished by actively performing ongoing system security reviews. Reviews will be performed by Information Technology department staff, the Information Security Officer (ISO), [Company Name] Internal Audit, [Company Name]’s external auditors, and [Company Name]’s regulators. Summary reports of the effectiveness, adequacy, and compliance will be made periodically to the IT Steering Committee, [Company Name] Managing Committee and the Board of Directors. The reports will also discuss changes and additions to the company’s information security program deemed advisable to properly protect information assets.

Applicability

This policy will be enforced by company management and the IT Steering Committee. The scope of audits will impact all managers regarding staff training, risk management and effectiveness of security controls.

Standards

The CIO is responsible for establishing a monitoring and reporting program that contains the following:

• Risk Management Reviews

• Security Monitoring

• Internal Testing

• External Examination


RISK MANAGEMENT REVIEWS

The IT Steering Committee and Board of Directors of [Company Name] continuously strive to maintain a clear understanding of the types of information security risks to which [Company Name] is exposed. This is accomplished by:






• Delineating clear accountability and lines of authority across [Company Name]’s businesses and information security activities.

• Conducting an annual review of threats and hazards to critical operations and adjusting the information security program accordingly.

• Maintaining an active oversight role as products, services and new technologies are instituted and improved.

• Providing clear guidance regarding acceptable levels of security over [Company Name]’s information assets.

• Ensuring that the established policies, procedures, and controls are communicated to and observed by all employees.

• Annually reviewing and approving information systems and security policies to ensure that the policies address security risks, are in line with [Company Name]’s overall business and technology strategies, and comply with relevant laws, regulations, and rulings.

• Performing an annual review and approval of the internal audit program for scope and frequency concerning compliance with information security policies.


SECURITY MONITORING

The ISO is responsible for coordinating the monitoring program for all information systems activity and reporting any significant violations of company policy to Senior Management and the IT Steering Committee. This includes oversight of the following duties:


IT DEPARTMENT RESPONSIBILITIES

• Perform a periodic review of all systems management logs, activity reports, disk usage, and application activity reports to search for possible security incidents. If the logs identify a possible intrusion, implement procedures as outlined in the Incident Response Policy.

• Perform all scheduled maintenance to include software updates and maintain a log of services performed.

• Perform an annual audit of all systems, software and peripheral devices to ensure an accurate software and hardware inventory.

• Enforce our policy to immediately remove any unlicensed software, hardware or unauthorized modems from the network or any system.

• Periodically review and clear error logs.

• Review media backup and anti-virus logs daily to ensure that no viruses are detected and that the data was successfully backed up the previous night.

• Periodically review user and group security profiles. This includes reviewing users’ accesses to systems and data based upon their business responsibilities, granting access rights based upon these job functions, and ensuring security profiles are promptly modified or revoked upon a change in job function or termination. For each audit entry, the following information will be recorded:

    • Date and Time of event
    • User ID and User involved in the event
    • Type of User action

• At least once per month, review system access logs and remove any terminated users from the access control lists. Validate termination lists with Human Resources or the user’s supervisor before removal.

• Ensure vulnerabilities are managed according to the standards of the Network and Systems Operations Policy.

• Ensure that internal and external network vulnerability scans are run at least quarterly and after any significant change in the network (e.g., new system component installations, changes in network topology, firewall rule modifications, product upgrades).

• Conduct periodic “spot checks” of system configurations to ensure standard systems configuration guidelines are being followed.

• Ensure that penetration tests are conducted according to the standards of the Network and Systems Operations Policy.

• Ensure that a wireless analyzer is used periodically to identify all wireless devices in use.

• Ensure that all alerts from file integrity monitors and intrusion detection systems are promptly reviewed.






• Test security controls, limitations, network connections and restrictions routinely to make sure they can adequately identify or stop any unauthorized access attempts.
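The monthly access review in the duties above combines three of them: reading the system access logs, removing terminated users from the access control lists only after Human Resources (or the supervisor) has validated the termination list, and recording each action as an audit entry with date and time, user ID and action type. The following Python is an added example for this guidebook and is not the policy's or any tool's code; the log lines, ACL, HR list and names are all constructed, and the log format and function names are assumptions made here. It also flags a point the text implies but does not spell out: activity by a confirmed-terminated user after the termination date, which is exactly what the review should surface for the Incident Response Policy.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed access log, one event per line: ISO timestamp, user ID, action.
ACCESS_LOG = """\
2013-11-04T08:15:00 alice LOGON_SUCCESS
2013-11-05T17:42:10 carol LOGON_SUCCESS
2013-11-06T09:01:33 bob LOGON_SUCCESS
2013-11-12T22:10:05 carol LOGON_FAILURE
"""


@dataclass(frozen=True)
class AuditEntry:
    """The three fields the policy requires for each audit entry."""
    timestamp: datetime
    user_id: str
    action: str


def parse_access_log(text: str) -> List[AuditEntry]:
    """Parse the constructed log format above into audit entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user_id, action = line.split()
        entries.append(AuditEntry(datetime.fromisoformat(stamp), user_id, action))
    return entries


def review_access(acl: Dict[str, Set[str]],
                  log_entries: List[AuditEntry],
                  candidates: Set[str],
                  hr_confirmed: Dict[str, datetime],
                  now: datetime) -> Dict[str, object]:
    """Monthly review. Only candidates whose termination HR has confirmed
    (with a termination date) are removed from the ACL; the rest are held
    for validation. Any log activity by a confirmed-terminated user after
    the termination date is flagged for follow-up."""
    removed, pending, audit = [], [], []
    post_termination: Dict[str, List[datetime]] = {}
    for user in sorted(candidates):
        if user not in acl:
            continue                          # nothing to remove
        if user not in hr_confirmed:
            pending.append(user)              # wait for HR / supervisor validation
            continue
        term_date = hr_confirmed[user]
        late = [e.timestamp for e in log_entries
                if e.user_id == user and e.timestamp > term_date]
        if late:
            post_termination[user] = late
        del acl[user]
        removed.append(user)
        audit.append(AuditEntry(now, user, "ACL_REMOVE"))  # date/time, user ID, action
    return {"removed": removed, "pending_validation": pending,
            "post_termination_activity": post_termination,
            "audit": audit, "acl_after": acl}


def run_review() -> Dict[str, object]:
    """Constructed inputs: four ACL entries, three removal candidates from the
    monthly review, two of them confirmed by HR with a termination date."""
    acl = {"alice": {"crm"}, "bob": {"crm", "fileshare"},
           "carol": {"fileshare"}, "dave": {"crm"}}
    hr_confirmed = {"bob": datetime(2013, 11, 1), "carol": datetime(2013, 11, 10)}
    return review_access(acl, parse_access_log(ACCESS_LOG), {"bob", "carol", "dave"},
                         hr_confirmed, now=datetime(2013, 11, 21, 10, 0))
```

In the constructed data, bob logged on five days after his HR termination date and carol has a failed logon two days after hers, so both are removed and both are flagged; dave is on the candidate list but not yet confirmed by HR, so his access is left in place and he is reported as pending validation rather than removed on an unverified list.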


INTERNAL AUDIT TESTING METHODOLOGY

• The [Company Name] internal auditor will perform an annual audit of Information Technology (IT) systems. The audit will include testing risk management and operational processes and render a report to the Audit Committee of the Board of Directors regarding the information security program and overall information systems activities and related operations. The auditor and the Information Security Officer will track all exceptions. The CIO will prepare a response for any deficiencies identified in the audit report.

• The auditor is charged with responsibility for an annual in-depth review of all network and information systems activities, related controls, training support, supporting operations and related policies and procedures, internal reporting systems, and Management’s follow-up on previously cited exceptions. Audit reports will be issued to [Company Name] Senior Management, the IT Steering Committee, and the [Company Name] Board of Directors.


EXTERNAL VULNERABILITY ASSESSMENT AND PENETRATION TESTING



The ISO will supervise an independent assessment of the effectiveness of the [Company Name] information security program at least once per year. The assessment may include evaluating systems security parameters and profiles such as access controls, password strength, network privileges, system configuration, vulnerability management, security safeguard implementation, staff training, startup files and login violations. If credit card data is processed, transmitted or stored, [Company Name] will engage a Qualified Security Assessor Company to review its information security program in whole or in part against the Payment Card Industry (PCI) Data Security Standard (DSS).



The ISO is also responsible for ensuring penetration tests are performed at least annually and after significant infrastructure changes, application upgrades or modification, using approved attack methods such as war dialing, wireless testing, scripted attacks and social engineering. The penetration tests will include network and application level testing, both from external (untrusted) and internal (trusted) sources.



If credit card data is processed, transmitted or stored, the [Company Name] ISO will also coordinate all required external vulnerability scans to ensure compliance to the PCI DSS. The scans must be provided by a certified Approved Scan Vendor (ASV) approved by the PCI Security Standards Council. The ISO is responsible for ensuring that all vulnerabilities detected in the scans are remediated to levels acceptable to the scan provider and the [Company Name] PCI affiliate.



The external assessment will be presented to the IT Steering Committee and Board of
Directors to assist in their understanding of threats and hazards for sensitive information
and systems.

References

1. HIPAA 164.308(a)(1) Security Management Process

2. HIPAA 164.308(a)(8) Evaluation

3. FFIEC IS Handbook Monitoring and Updating

4. FFIEC IS Handbook Ongoing Process

5. GLBA Part 208.3 III C 1 f Monitoring Systems

6. GLBA Part 208.3 III B Assess Risk

7. Payment Card Industry (PCI) Data Security Standard, Requirement 11.1: Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.

8. Payment Card Industry (PCI) Data Security Standard, Requirement 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.

9. Payment Card Industry (PCI) Data Security Standard, Requirement 11.3: Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

10. Payment Card Industry (PCI) Data Security Standard, Requirement 11.4: Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.




11. Payment Card Industry (PCI) Data Security Standard, Requirement 11.5: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
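The policy above requires that file integrity monitor alerts be reviewed promptly, and Requirement 11.5 describes the underlying control: a baseline of critical files compared against the current state at least weekly. The following is an added illustration, not part of this policy document and not the tooling of any vendor, of what such a comparison does. It hashes a directory tree with SHA-256 into a baseline stored outside the monitored tree, then reports files that were added, removed or modified since the baseline was taken. The directory layout, file names and contents in demo() are constructed sample data.

```python
"""Added example: a minimal file-integrity monitor of the kind Requirement 11.5
describes. Hashes a set of critical files into a baseline, then compares the
current state against that baseline and reports added, removed and modified
files so the result can be reviewed or forwarded to an alerting system.
All paths and file contents below are constructed sample data."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, path: Path) -> None:
    # The baseline must live outside the monitored tree, ideally on read-only
    # or separately controlled storage: a baseline the monitored host can
    # rewrite would let a tampered state be re-baselined without notice.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return the differences between the current tree and the stored baseline."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(k for k in known & seen if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, change it, then run the periodic comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        monitored = Path(tmp) / "monitored"          # the tree being watched
        baseline_file = Path(tmp) / "baseline.json"  # kept outside that tree
        (monitored / "etc").mkdir(parents=True)
        (monitored / "bin").mkdir()
        (monitored / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (monitored / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (monitored / "bin" / "ls").write_bytes(b"\x7fELF sample binary")

        save_baseline(build_baseline(monitored), baseline_file)

        # Simulated unauthorized changes made after the baseline was taken.
        (monitored / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (monitored / "bin" / "ls").unlink()
        (monitored / "etc" / "rc.local").write_text("# new startup file\n")

        return compare_to_baseline(monitored, load_baseline(baseline_file))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or 'none'}")
```

Run as a script, it prints one line per change category; in practice build_baseline() would be run once over the approved file set after a change-controlled deployment, and compare_to_baseline() on the weekly schedule, with a non-empty report raised as an alert for the review the policy requires.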



CRYPTOGRAPHY CONTROLS POLICY


Section: Security Policies

Effective Date: -- FIRST RELEASE

Policy Number: POLICY IS004

Date Last Approved by Board: --

Prior Policy Number: N/A

Department: Management and Information Technology

Initial Policy Date: --

Prior Effective Date: FIRST RELEASE

Purpose

This policy is intended to establish the need for cryptography controls within [Company Name] networks, systems, data storage, and applications. [Company Name] regularly conducts activities that store and move sensitive data, both inside [Company Name] networks and outside, to business partners, contractors, service providers, and external [Company Name] users. Great care must be exercised to ensure that sensitive information is not intercepted by unauthorized entities. Cryptographic controls can mathematically obfuscate sensitive messages, making them extremely difficult to decipher.

Policy Statement