Data security policy
This is a page concerning a policy or procedure in development.
Once fleshed out, we'll consider it for adoption as official policy at Free Geek.
- This is policy in progress. It is a necessary part of PCI Compliance, which applies to cardholder data (basically credit card numbers and associated personal info) though we should probably make it more general and apply it to all sensitive data.
Scope
- This policy applies to the creation, protection and destruction of sensitive data and should be known by all employees, volunteers or contractors who are entrusted with access to said data.
Annual Review
- This policy needs to be reviewed annually.
Security Oversight
- Network and data security are overseen by the Administrators of Systems and Security working group, who are overseen by the Technocrats staff committee.
- Their duties cover any network or server problem, including security issues such as intrusions or abuse of the system, and they are responsible for ensuring that good security practices are defined and followed.
Network use
Wireless
- A wireless access point is provided for general public use. This wireless access is firewalled in such a way as to have access to the internet, but not to any part of the internal network. Other than agreeing to the usage terms, there is no restriction on access to this wireless system, but abusers of the system, such as torrenters, will be detected and blocked. No other wireless access point is to be attached to our network without express approval and oversight from the Technocrats committee or Administrators of Systems and Security working group.
DMZ
- A special firewalled segment of the network is designated for services to the outside world, such as the wiki. Only systems and services approved by the Technocrats committee may be placed in this network segment.
Credit card machines
- The credit card machines are on their own secure network segment which has no access to any other part of the internal network.
Internal Network
- Other services, such as the application servers and database, are accessible only from within Free Geek. Staff and volunteers have access to the application servers. Access to the contributor database is limited to approved staff and volunteers. No credit card data is to be stored on the application servers or in the database.
- All infrastructure computer systems must be set up to be administered by the Administrators of Systems and Security (ASS) working group. All infrastructure computers must run the Linux OS, unless specially approved by the Technocrats staff committee.
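As an added illustration of the segmentation described above (this is example code, not Free Geek's own firewall configuration), the following nftables ruleset implements the four segments on a single firewall: public wireless reaches only the internet, the DMZ is reachable from outside only on its published services and cannot reach the internal network, the credit card machines can reach nothing internal, and the internal network stays unreachable from every other segment. The interface names, the published ports, and the assumption that the credit card machines only need outbound HTTPS to their payment processor are all assumptions made for this example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; interface names and allowed ports are assumptions.
flush ruleset

define WAN = "wan0"    # upstream internet link
define PUB = "pub0"    # public wireless access point
define DMZ = "dmz0"    # externally reachable services (e.g. the wiki)
define POS = "pos0"    # credit card machines
define LAN = "lan0"    # internal application servers and database

table inet segmentation {
    chain forward {
        # Default deny: any segment-to-segment path not listed below is dropped.
        type filter hook forward priority filter; policy drop;

        # Let replies to already-permitted flows back through, drop broken state.
        ct state established,related accept
        ct state invalid drop

        # Public wireless: internet only; never LAN, DMZ or the card-machine segment.
        iifname $PUB oifname $WAN accept

        # DMZ: internet may reach the published web services; DMZ hosts may
        # reach the internet; no path from DMZ to LAN or POS.
        iifname $WAN oifname $DMZ tcp dport { 80, 443 } accept
        iifname $DMZ oifname $WAN accept

        # Credit card machines: outbound HTTPS to the processor only (assumed
        # requirement); nothing inbound and no access to any other segment.
        iifname $POS oifname $WAN tcp dport 443 accept

        # Internal network: out to the internet and to the DMZ services.
        iifname $LAN oifname { $WAN, $DMZ } accept

        # Everything else (PUB->LAN, DMZ->LAN, LAN->POS, WAN->LAN, ...) is
        # logged so the ASS group can see probing, then falls to policy drop.
        log prefix "seg-drop: " drop
    }
}
```

Because the chain's policy is drop and only the listed cross-segment paths are accepted, adding a new segment later (for example a second public access point, which this policy says needs Technocrats approval) requires an explicit accept rule rather than silently inheriting access; the logged drops give the Administrators of Systems and Security a record of anything trying to cross a boundary it should not.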
Sensitive data
Credit cards
- Credit cards are normally processed only through the special credit card machines at the front desk and the store and so credit cardholder data is not normally stored onsite.
- In those few instances where cardholder data is retained, such as from a mailing, or a "kerchunked" sales slip, it must be kept in a specially marked container in the safe.
- When media containing cardholder data is no longer needed for a business purpose it should be physically destroyed or securely wiped. Once a quarter, media containing cardholder data older than 4 months should be destroyed.
- Credit card data must never leave the premises by any means, paper or electronic, including thumb drives, PDAs or laptops, without express approval from the Technocrats committee, and then only by means the Technocrats consider to be secure.
- Credit card data must never be stored on any machine which has been used for inherently insecure purposes (this includes most end users' machines).
Outside service providers
- If any outside service providers are engaged to handle any part of the credit card system (e.g. a web commerce page), that organization must first be approved by the Technocrats after verifying that they are able to handle the data securely, and only through a formal contract agreement which takes PCI compliance issues into account.
Contractors
- Contractors and any other persons authorized to handle any credit card data must be made aware of the need for proper data security and the need to follow procedures set up by the Technocrats to ensure data security.
Training
- Cashier training shall include credit card holder data security. All staff, volunteers and contractors authorized to handle money are required to go through the cashier training annually.
Related documentation
Below is a dump of the security policy requirements for PCI compliance. Everything below should be checked to see if it is addressed in the above policy.
12.1 - done
A security Policy is established, published, maintained, and disseminated, and it accomplishes the following:
You must have an information security policy in place that states your method of protecting the security of sensitive information.
Your employees and all users of your network, such as vendors, contractors and business partners must be made aware of, and held accountable to the security policy.
How to verify you are fulfilling this requirement - Examine the information security policy and verify that the policy is published and disseminated to all relevant system users (including vendors, contractors, and business partners).
12.1.3 - done
Includes a review at least once a year and updates when the environment changes.
Your information security policy must be reviewed at least annually. If necessary, more frequent updates should be made to reflect any new, known change in the risk environment.
How to verify you are fulfilling this requirement - Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.
12.3.a
Usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants [PDAs], e-mail, and Internet usage) are developed to define proper use of these technologies for all employees and contractors.
The clearer your policies around technology usage, the more secure your critical cardholder data will be. Even innocent actions by an employee can leave your company in a breach situation. Educating employees in a responsible manner will help maintain secure data properly.
Your user policy must address the proper usage of technologies like the Internet, email, wireless technology (PDA and other handheld devices), and laptops by your employees, vendors, and anyone else who uses your network.
12.4
The security Policy and Procedures clearly define Information Security responsibilities for all employees and contractors.
Your information security policy must clearly state employee and contractor responsibilities.
For example, employees must not disable anti-virus on their computers, must not download executable files, and must not use P2P (peer-to-peer) or other filesharing methods (such as torrents).
How to verify you are fulfilling this requirement - Verify that information security policies clearly define information security responsibilities for both employees and contractors.
12.5 - done
The following Information Security management responsibilities are assigned to an individual or team.
Ultimately, security management of cardholder data must fall under the responsibility of a single entity to avoid any confusion about accountability and execution.
How to verify you are fulfilling this requirement - Verify the formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management. Obtain and examine information security policies and procedures to verify that the following information security responsibilities are specifically and formally assigned:
12.5.3 - done
Establishing, documenting, and distributing security incident response and escalation Procedures to ensure timely and effective handling of all situations.
You must specifically assign roles and responsibilities for response and escalation of any security breach.
For example, indicate who is responsible in the case of a virus, and who is responsible for media information. All employees should know exactly who to contact if they detect something unusual on the network.
How to verify you are fulfilling this requirement - Verify that responsibility for creating and distributing security incident response and escalation procedures is formally assigned.
12.6 - done as long as we continue to have regular cashier training.
A formal security awareness program is in place to make all employees aware of the importance of Cardholder data security. (Please note, complimentary PCI 1-2-3 Security Awareness Training is available in the PCI Resources Section).
You are responsible for your employees' awareness of the sensitivity of cardholder data. To this end, you must offer a required security awareness program for all employees.
How to verify you are fulfilling this requirement - Verify the existence of a formal security awareness program for all employees. - Obtain and examine security awareness program procedures and documentation and perform.
12.8 - not currently happening
If Cardholder data is shared with service providers, are policies and Procedures maintained and implemented to manage service providers, and the policies and Procedures include the following:
If you share sensitive cardholder information with service providers like back-up storage facilities, security service providers, and Web hosting companies, you must manage and document these relationships.
How to verify you are fulfilling this requirement - If the entity being assessed shares cardholder data with service providers (for example, back-up tape storage facilities, managed service providers such as Web hosting companies or security service providers, or those that receive data for fraud modeling purposes), through observation, review of policies and procedures, and review of supporting documentation.
12.8.1 - not currently happening
A list of Service Providers is maintained.
For example, your list may include the name of your web hosting company, payment processing company and data backup company.
How to verify you are fulfilling this requirement - Verify that a list of service providers is maintained.
12.8.2
A written agreement is maintained that includes an acknowledgment that the Service Providers are responsible for the security of Cardholder data the Service Providers possess.
You must have each service provider sign a written agreement stating it is responsible for the cardholder information your company has shared with it.
How to verify you are fulfilling this requirement - Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.
12.8.3
There is an established process for engaging service providers, including proper due diligence prior to engagement.
You must prove that you have guidelines that govern your selection and hiring of outside service providers.
Your process must include conscientious investigation of providers before engaging them in business.
How to verify you are fulfilling this requirement - Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider.
12.8.4
A program is maintained to monitor service providers’ PCI DSS compliance status.
You must monitor PCI DSS compliance status of all service providers you engage.
How to verify you are fulfilling this requirement - Verify that the entity assessed maintains a program to monitor its service providers' PCI DSS compliance status.