Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Transcription

1 Policy Sensitive Information Version 3.4

2 Table of Contents Sensitive Information Policy Overview... 2 Policy... 2 PCI... 3 HIPAA... 3 Gramm-Leach-Bliley (Financial Services Modernization Act of California SB 1386 Personal Information Privacy... 4 Massachusetts 201 CMR Data Protection Requirements... 4 User/Customer Sensitive Information and Privacy Bill of Rights... 5 Secure Network Standards... 6 Payment Card Industry Data Security Standard (PCI DSS)... 6 Install and Maintain a Network Configuration Which Protects Data... 9 Wireless & VPN Modify Vendor Defaults Protect Sensitive Data Protect Encryption Keys, User IDs, and Passwords Protect Development and Maintenance of Secure Systems and Applications Manage User IDs to Meet Security Requirements Restrict Physical Access to Secure Data Paper and Electronic Files Regularly Monitor and Test Networks Test Security Systems and Processes Retention Compliance Policy to be printed Regulations and Industry Impact Keys to Archiving Compliance Privacy Guidelines Best Practices Best Practices for Text Messaging of Sensitive Information US government classification system Executive Order Classification Standards Classification Levels Classification Authority Appendix Sensitive Information Policy Compliance Agreement HIPAA Audit Program Guide What s New Copyright Janco Associates, Inc.

3 Sensitive Information Policy - Credit Card, Social Security, Employee, and Customer Data Overview Sensitive information is defined as information that is protected against unwarranted disclosure. Access to sensitive information is to be safeguarded. Protection of sensitive information may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations. Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others. Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, trade secrets of a business or even the security, internal and foreign affairs of a nation depending on the level of sensitivity and nature of the information. If an individual or an organization violates this policy, its standards or procedures, there are subject to immediate termination or contract revocation without recourse. Policy The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (i.e. California Personal ID number) that is deemed to be confidential by ENTERPRISE, its external auditors, any governmental agency, or other body that has jurisdiction over ENTERPRISE or its industry. This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and colocation providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals). All processing, storage and retrieval activities for sensitive information must maintain the strict access control standards and the Chief Security Officer mandates these specific policies be followed Copyright Janco Associates, Inc.

4 Secure Network Standards Payment Card Industry Data Security Standard (PCI DSS) The Payment Card Industry Data Security Standard (PCI DSS) requirements apply to all system components. A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (internet) applications. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from the rest of the network, may reduce the scope of the cardholder data environment. A service provider or merchant may use a third party provider to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment. The relevant services of the third party provider must be scrutinized either in 1) each of the third party provider s clients PCI audits; or 2) the third party provider s own PCI audit. For service providers required to undergo an annual onsite review, compliance validation must be performed on all system components where cardholder data is stored, processed, or transmitted unless otherwise specified. For merchants required to undergo an annual onsite review, the scope of compliance validation is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is stored, processed, or transmitted, including the following: All external connections into the merchant network (for example; employee remote access, payment card company, third party access for processing, and maintenance) All connections to and from the authorization and settlement environment (for example, connections for employee access or for devices such as firewalls and routers) Any data repositories outside of the authorization and settlement environment where more than 500 thousand account numbers are stored. Note: Even if some data repositories or systems are excluded from the audit, the merchant is still responsible for ensuring that all systems that store, process, or transmit cardholder data are compliant with the PCI DSS A point-of-sale (POS) environment the place where a transaction is accepted at a merchant location (that is, retail store, restaurant, hotel property, gas station, supermarket, or other POS location) If there is no external access to the merchant location (by Internet, wireless, virtual private network (VPN), dial-in, broadband, or publicly accessible machines such as kiosks), the POS environment may be excluded Copyright Janco Associates, Inc.

5 Cardholder Data Sensitive Authentication Data** Data Element Storage Permitted Protection Required PCI DSS Requirement 3.4 Primary Account Number Yes Yes Yes (PAN) Cardholder Name* Yes Yes* No Service Code* Yes Yes* No Expiration Date Yes Yes* No Full Magnetic Stripe No N/A N/A CVC2/CVV2/CID No N/A N/A Pin / Pin Block No N/A N/A * These data elements must be protected if stored in conjunction with the PAN (Primary Account Number). This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted. ** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted) Copyright Janco Associates, Inc.

6 Regulations and Industry Impact Regulation Industry Impacted Retention Implications Penalties Sarbanes-Oxley All publicallytraded companies Audit records must be maintained for 7 years AFTER the audit Fines up to $5,000,000 & imprisonment up to 20 years Section 17a-4 Financial Services records must be kept for 3 years, trading records thru the end of the account plus 6 years Case by case HIPAA Healthcare Hospital records must be kept for 5 years, medical records for the life of the patient plus 2 years Fines up to $250,000 & imprisonment up to 10 years Regulations and Industry Impact Table Keys to Archiving Compliance There are four objectives that must be met. They are: Discovery - Information must be easy to access and consistently available in to meet legal discovery challenges from regulatory committees. Legibility - Information must have the ability to be read today and in the future, regardless of technology. When selecting archiving technology, companies should look for solutions that are based on open systems, in the event that their application should change. For example, if a company migrates from Microsoft Exchange to Lotus Notes, they must still be able to quickly access and read archived s. Auditability - An archiving solution must have the ability to allow third parties to review information and validate that it is authentic. Authenticity - Information must meet all security requirements, account for alteration, and provide an audit trail from origin to disposition. An audit trail can track any changes made to an Copyright Janco Associates, Inc.

7 US government classification system Protecting Classified Government DataThe US classification system is based on the sensitivity of the information it protects; that is, an estimate of the level of damage to national security that a disclosure would cause. There are three levels of sensitivity or classification each with rising levels of sensitivity in that order Confidential Secret Top Secret Classification is not arbitrary but uses a six-step process to determine whether the information should be classified and at what level. Executive Order is the current instruction on the Original Classification Authorities (OCAs). Executive Order Classification Standards Information may be originally classified under the terms of this order only if all of the following conditions are met: an original classification authority is classifying the information; the information is owned by, produced by or for, or is under the control of the United States Government; the information falls within one or more of the categories of information listed in section 1.4 of this order; and the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage If there is significant doubt about the need to classify information, it shall not be classified. This provision does not: amplify or modify the substantive criteria or procedures for classification; or create any substantive or procedural rights subject to judicial review. Classified information shall not be declassified automatically as a result of any unauthorized disclosure of identical or similar information. The unauthorized disclosure of foreign government information is presumed to cause damage to the national security Copyright Janco Associates, Inc.

8 Sensitive Information Policy Compliance Agreement Employee Name ID Number Job Title Location I hereby certify that I have reviewed ENTERPRISE s Secure Information policy and understand the policy, its standards, and procedures contained therein. Sensitive information is defined as information that is protected against unwarranted disclosure. Access to sensitive information is to be safeguarded. Protection of sensitive information may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations. Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others. Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, trade secrets of a business or even the security, internal and foreign affairs of a nation depending on the level of sensitivity and nature of the information. I understated that if I violate this policy, its standards or procedures, I am subject to immediate termination without recourse. By signing this form, I affirm my willingness to abide by ENTERPRISE s security and sensitive information policies, procedures, and guidelines. Signature Date Copyright Janco Associates, Inc.

9 What s New Version3.4 Updated to reflect latest compliance requirements' Updated to reflect lessons learned from recent business disruption events and known security breaches Included US government security classification system definition Version 3.3 Updated electronic forms Added section on best practices for sensitive information text messaging Version 3.2 Added user/customer sensitive information and privacy Bill of Rights Version 3.1 Added an overview section to the policy including a definition of what sensitive information is. Updated electronic form Updated to meet latest mandated requirements Version 3.0 Added privacy guidelines section Added MS WORD electronic version of the Sensitive Information Policy Compliance Agreement Updated to comply with new mandated requirements.docx and.pdf formats support enhanced Version 2.4 Updated to comply with Gramm-Leach-Bliley Updated to comply with Massachusetts and California requirements Version 2.3 Updated General Policy Statement to Include references to PCI and HIPAA Requirements Version 2.2 Updated to CSS Stylesheet Modified to comply with Record Management, Retention, and Destruction Policy Copyright Janco Associates, Inc.

10 Update record retention compliance requirements Version 2.1 Payment Card Industry Data Security Standard (PCI DSS) Added Best Practices Added Wireless and VPN Added Added as a separate document PCI DSS Audit Program (extracted from PCI standards documentation with modifications) Version 2.0 HIPAA Audit Program Added Office 2007 version Added Copyright Janco Associates, Inc.