Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4


Policy Sensitive Information Version 3.4

Table of Contents

Sensitive Information Policy ... 2
  Overview ... 2
  Policy ... 2
  PCI ... 3
  HIPAA ... 3
  Gramm-Leach-Bliley (Financial Services Modernization Act of 1999) ... 3
  California SB 1386 Personal Information Privacy ... 4
  Massachusetts 201 CMR 17.00 Data Protection Requirements ... 4
  User/Customer Sensitive Information and Privacy Bill of Rights ... 5
Secure Network Standards ... 6
  Payment Card Industry Data Security Standard (PCI DSS) ... 6
  Install and Maintain a Network Configuration Which Protects Data ... 9
  Wireless & VPN ... 11
  Modify Vendor Defaults ... 11
  Protect Sensitive Data ... 12
  Protect Encryption Keys, User IDs, and Passwords ... 13
  Protect Development and Maintenance of Secure Systems and Applications ... 14
  Manage User IDs to Meet Security Requirements ... 16
  Restrict Physical Access to Secure Data Paper and Electronic Files ... 17
  Regularly Monitor and Test Networks ... 18
  Test Security Systems and Processes ... 19
Email Retention Compliance ... 20
  Policy ... 20
  Email to be printed ... 22
  Regulations and Industry Impact ... 23
  Keys to Email Archiving Compliance ... 23
Privacy Guidelines ... 24
  Best Practices ... 24
  Best Practices for Text Messaging of Sensitive Information ... 25
US government classification system ... 26
  Executive Order 13526 ... 26
  Classification Standards ... 26
  Classification Levels ... 27
  Classification Authority ... 27
Appendix ... 29
  Sensitive Information Policy Compliance Agreement ... 30
  HIPAA Audit Program Guide ... 31
What's New ... 35

1 2017 Copyright Janco Associates, Inc. www.e-janco.com

Sensitive Information Policy - Credit Card, Social Security, Employee, and Customer Data

Overview

Sensitive information is defined as information that is protected against unwarranted disclosure. Access to sensitive information is to be safeguarded. Protection of sensitive information may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.

Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others. Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, the trade secrets of a business, or even the security, internal affairs, and foreign affairs of a nation, depending on the level of sensitivity and the nature of the information.

If an individual or an organization violates this policy, its standards, or its procedures, they are subject to immediate termination or contract revocation without recourse.

Policy

The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (e.g. California Personal ID number) that is deemed confidential by ENTERPRISE, its external auditors, any governmental agency, or any other body that has jurisdiction over ENTERPRISE or its industry.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), and its colocation providers and facilities, regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourcing to a third party, Internet, Intranet, or swipe terminals).

All processing, storage, and retrieval activities for sensitive information must maintain strict access control standards, and the Chief Security Officer mandates that these specific policies be followed.

Secure Network Standards

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) requirements apply to all system components. A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from the rest of the network, may reduce the scope of the cardholder data environment.

A service provider or merchant may use a third party provider to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment. The relevant services of the third party provider must be scrutinized either in 1) each of the third party provider's clients' PCI audits, or 2) the third party provider's own PCI audit.

For service providers required to undergo an annual onsite review, compliance validation must be performed on all system components where cardholder data is stored, processed, or transmitted unless otherwise specified.

For merchants required to undergo an annual onsite review, the scope of compliance validation is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is stored, processed, or transmitted, including the following:

- All external connections into the merchant network (for example: employee remote access, payment card company, third party access for processing, and maintenance)
- All connections to and from the authorization and settlement environment (for example, connections for employee access or for devices such as firewalls and routers)
- Any data repositories outside of the authorization and settlement environment where more than 500 thousand account numbers are stored. Note: Even if some data repositories or systems are excluded from the audit, the merchant is still responsible for ensuring that all systems that store, process, or transmit cardholder data are compliant with the PCI DSS.
- A point-of-sale (POS) environment: the place where a transaction is accepted at a merchant location (that is, a retail store, restaurant, hotel property, gas station, supermarket, or other POS location). If there is no external access to the merchant location (by Internet, wireless, virtual private network (VPN), dial-in, broadband, or publicly accessible machines such as kiosks), the POS environment may be excluded.

Data Element                         Storage Permitted   Protection Required   PCI DSS Requirement 3.4
Cardholder Data
  Primary Account Number (PAN)       Yes                 Yes                   Yes
  Cardholder Name*                   Yes                 Yes*                  No
  Service Code*                      Yes                 Yes*                  No
  Expiration Date                    Yes                 Yes*                  No
Sensitive Authentication Data**
  Full Magnetic Stripe               No                  N/A                   N/A
  CVC2/CVV2/CID                      No                  N/A                   N/A
  PIN / PIN Block                    No                  N/A                   N/A

* These data elements must be protected if stored in conjunction with the PAN (Primary Account Number). This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
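The storage rules in the table above, applied to a captured authorization record before it is written to disk, as an added example that is not part of the policy document. The record layout, the field names, the sample values and the truncation-plus-keyed-HMAC way of rendering the PAN unreadable are constructed assumptions for this illustration.

```python
"""Apply the cardholder data storage table to an authorization record.
Added example, not from the policy document; record layout, field names and
sample values are constructed for this illustration."""
import hashlib
import hmac

# Sensitive authentication data: never stored after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = {"track_data", "cvv2", "pin_block"}
# Cardholder data elements that may be stored but need protection alongside a PAN.
PROTECT_WITH_PAN = {"cardholder_name", "service_code", "expiration_date"}

def luhn_ok(pan: str) -> bool:
    """Luhn check on a digit string, so mangled input is rejected, not hashed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def render_pan_unreadable(pan: str, key: bytes) -> dict:
    """Truncate to first six / last four and keep a keyed HMAC for lookups. Keyed,
    because an unkeyed hash could be brute-forced from the truncated form."""
    digits = "".join(c for c in pan if c.isdigit())
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return {
        "pan_truncated": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
        "pan_hmac": hmac.new(key, digits.encode(), hashlib.sha256).hexdigest(),
    }

def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return a copy of `record` that conforms to the storage table above."""
    out = {}
    for field, value in record.items():
        if field in SENSITIVE_AUTH_FIELDS:
            continue  # drop SAD outright
        if field == "pan":
            out.update(render_pan_unreadable(value, key))
        else:
            out[field] = value
    # Name, service code and expiry only need protection when stored with a PAN;
    # tell the storage layer which fields it must encrypt.
    out["protection_required"] = (
        sorted(f for f in PROTECT_WITH_PAN if f in out) if "pan_hmac" in out else []
    )
    return out

# Constructed sample record: a well-known test PAN and fake values.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Example",
    "expiration_date": "12/29",
    "service_code": "201",
    "cvv2": "123",
    "track_data": "%B4111111111111111^EXAMPLE/A^2912201?",
    "merchant_ref": "ORDER-0001",
}
SAMPLE_KEY = b"constructed-key-not-for-production"

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD, SAMPLE_KEY))
```

The HMAC key must be stored and managed separately from the sanitized records, under the key-protection rules of this policy, or the lookup value loses its protection.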

Regulations and Industry Impact

Regulation       Industry Impacted               Retention Implications                                                                             Penalties
Sarbanes-Oxley   All publicly traded companies   Audit records must be maintained for 7 years AFTER the audit                                       Fines up to $5,000,000 & imprisonment up to 20 years
Section 17a-4    Financial Services              Email records must be kept for 3 years; trading records through the end of the account plus 6 years   Case by case
HIPAA            Healthcare                      Hospital records must be kept for 5 years, medical records for the life of the patient plus 2 years   Fines up to $250,000 & imprisonment up to 10 years

Regulations and Industry Impact Table

Keys to Email Archiving Compliance

There are four objectives that must be met. They are:

- Discovery - Information must be easy to access and consistently available to meet legal discovery challenges from regulatory committees.
- Legibility - Information must have the ability to be read today and in the future, regardless of technology. When selecting archiving technology, companies should look for solutions that are based on open systems, in the event that their Email application should change. For example, if a company migrates from Microsoft Exchange to Lotus Notes, it must still be able to quickly access and read archived Emails.
- Auditability - An Email archiving solution must have the ability to allow third parties to review information and validate that it is authentic.
- Authenticity - Information must meet all security requirements, account for alteration, and provide an audit trail from origin to disposition. An audit trail can track any changes made to an Email.

US government classification system

Protecting Classified Government Data

The US classification system is based on the sensitivity of the information it protects; that is, an estimate of the level of damage to national security that a disclosure would cause. There are three levels of sensitivity or classification, each with a rising level of sensitivity, in this order:

- Confidential
- Secret
- Top Secret

Classification is not arbitrary but uses a six-step process to determine whether the information should be classified and at what level. Executive Order 13526 is the current instruction for the Original Classification Authorities (OCAs).

Executive Order 13526

Classification Standards

Information may be originally classified under the terms of this order only if all of the following conditions are met:

- an original classification authority is classifying the information;
- the information is owned by, produced by or for, or is under the control of the United States Government;
- the information falls within one or more of the categories of information listed in section 1.4 of this order; and
- the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage.

If there is significant doubt about the need to classify information, it shall not be classified. This provision does not:

- amplify or modify the substantive criteria or procedures for classification; or
- create any substantive or procedural rights subject to judicial review.

Classified information shall not be declassified automatically as a result of any unauthorized disclosure of identical or similar information. The unauthorized disclosure of foreign government information is presumed to cause damage to the national security.

Sensitive Information Policy Compliance Agreement

Employee Name: ____________  ID Number: ____________  Job Title: ____________  Location: ____________

I hereby certify that I have reviewed ENTERPRISE's Secure Information policy and understand the policy, its standards, and the procedures contained therein.

Sensitive information is defined as information that is protected against unwarranted disclosure. Access to sensitive information is to be safeguarded. Protection of sensitive information may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations. Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others. Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, the trade secrets of a business, or even the security, internal affairs, and foreign affairs of a nation, depending on the level of sensitivity and the nature of the information.

I understand that if I violate this policy, its standards, or its procedures, I am subject to immediate termination without recourse.

By signing this form, I affirm my willingness to abide by ENTERPRISE's security and sensitive information policies, procedures, and guidelines.

Signature: ____________  Date: ____________

What's New

Version 3.4
- Updated to reflect latest compliance requirements
- Updated to reflect lessons learned from recent business disruption events and known security breaches
- Included US government security classification system definition

Version 3.3
- Updated electronic forms
- Added section on best practices for sensitive information text messaging

Version 3.2
- Added user/customer sensitive information and privacy Bill of Rights

Version 3.1
- Added an overview section to the policy, including a definition of what sensitive information is
- Updated electronic form
- Updated to meet latest mandated requirements

Version 3.0
- Added privacy guidelines section
- Added MS WORD electronic version of the Sensitive Information Policy Compliance Agreement
- Updated to comply with new mandated requirements
- .docx and .pdf format support enhanced

Version 2.4
- Updated to comply with Gramm-Leach-Bliley
- Updated to comply with Massachusetts and California requirements

Version 2.3
- Updated General Policy Statement to include references to PCI and HIPAA requirements

Version 2.2
- Updated to CSS Stylesheet
- Modified to comply with Record Management, Retention, and Destruction Policy
- Updated Email record retention compliance requirements

Version 2.1
- Payment Card Industry Data Security Standard (PCI DSS) added
- Best Practices added
- Wireless and VPN added
- PCI DSS Audit Program added as a separate document (extracted from PCI standards documentation with modifications)

Version 2.0
- HIPAA Audit Program added
- Office 2007 version added