module 03

1.0 Purpose

The purpose is to implement policies and procedures to ensure that physical access controls exist that ensure that all cardholder data can only be accessed by authorized personnel.

2.0 Scope

This policy applies to all <company name> employees, contractors, consultants, and temps who utilize <company name> IT resources described herein their assigned job responsibilities.

3.0 Policy

3.1 Facility Access

1. Facility entry controls will be implemented to limit and monitor physical access to systems that process or transmit cardholder data.

2. Physical access to publicly accessible network jacks, wireless access points, gateways, and handheld devices will be restricted.

3.2 Visitors

1. Procedures will exist to help personnel to easily distinguish between employees and visitors in areas where cardholder data is accessible.

2. All visitors will be authorized before entering areas where cardholder data is processed or maintained.

3. All visitors will be given a token, such as a badge or access device, which identifies them as non-employees, and will be required to surrender the device before leaving the facility or on the data of expiration.

4. All visitors to sensitive area must complete a visitor’s log which will be maintained for a minimum of three months, unless otherwise restricted by law.

3.3 Media Controls

1. All media back-ups will be stored in a secure location, preferably in an offsite facility, such as an alternate or backup site, or a commercial storage facility.

2. All paper and electronic media (including computers, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data will be physically secured.

3. Strict control will be maintained over the internal and external distribution of any kind of media that contains cardholder data, such that the media is identified as confidential, and will only be sent by secured and traceable courier.

4. Management will approve in advance any and all media being moved from a secured area.

5. Strict control will be maintained over the storage and accessibility of media that contains cardholder data such that it is inventoried securely stored, and protected by a password.

6. Media containing cardholder data will be destroyed when it is no longer needed for business or legal reasons. The means of destruction will be cross-cut shred, incineration or pulping of hardcopy materials. Electronic data will be destroyed using a method (purge, degauss, or shred) which ensures that cardholder data cannot be reconstructed.

3.4 Individual Access

1. All systems and applications which store critical information will require a unique user name for all users.

2. All unique user names will require a password, token device, or biometrics to authenticate the user.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term Definition

N/A

6.0 References

7.0 Revision History

Initial effective date:

Acceptable Encryption Policy

1.0 Purpose

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

2.0 Scope

This policy applies to all <Company Name> employees and affiliates.

3.0 Policy

Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric crypto-system keys must be of a length that yields equivalent strength. <Company Name>’s key length requirements will be reviewed annually and upgraded as technology allows.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by InfoSec. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term Definition

Proprietary Encryption An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

Symmetric Cryptosystem A method of encryption in which the same key is used for both encryption and decryption of the data.

Asymmetric Cryptosystem A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

6.0 Revision History

Audit Vulnerability Scan Policy

1.0 Purpose

The purpose of this agreement is to set forth our agreement regarding network security scanning offered by the <Internal or External Audit Name> to the <Company Name>. <Internal or External Audit Name> shall utilize <Approved Name of Software> to perform electronic scans of Client’s networks and/or firewalls or on any system at <Company Name>.

Audits may be conducted to:

· Ensure integrity, confidentiality and availability of information and resources

· Investigate possible security incidents ensure conformance to <Company Name> security policies

· Monitor user or system activity where appropriate.

2.0 Scope

This policy covers all computer and communication devices owned or operated by <Company Name>. This policy also covers any computer and communications device that are present on <Company Name> premises, but which may not be owned or operated by <Company Name>. The <Internal or External Audit Name> will not perform Denial of Service activities.

3.0 Policy

When requested, and for the purpose of performing an audit, consent to access needed will be provided to members of <Internal or External Audit Name>. <Company Name> hereby provides its consent to allow of <Internal or External Audit Name> to access its networks and/or firewalls to the extent necessary to allow [Audit organization] to perform the scans authorized in this agreement. <Company Name> shall provide protocols, addressing information, and network connections sufficient for <Internal or External Audit Name> to utilize the software to perform network scanning.

This access may include:

· User level and/or system level access to any computing or communications device

· Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on <Company Name> equipment or premises

· Access to work areas (labs, offices, cubicles, storage areas, etc.)

· Access to interactively monitor and log traffic on <Company Name> networks.

3.1 Network Control.

If Client does not control their network and/or Internet service is provided via a

second or third party, these parties are required to approve scanning in writing if scanning is to occur outside of the <Company Name’s> LAN. By signing this agreement, all involved parties acknowledge that they authorize of <Internal or External Audit Name> to use their service networks as a gateway for the conduct of these tests during the dates and times specified.

3.2 Service Degradation and/or Interruption. Network performance and/or availability may be affected by the network scanning. <Company Name> releases <Internal or External Audit Name> of any and all liability for damages that may arise from network availability restrictions caused by the network scanning,

unless such damages are the result <Internal or External Audit Name>’s gross negligence or intentional

misconduct.

3.3 Client Point of Contact During the Scanning Period. <Company Name> shall identify in writing a person to be available if the result <Internal or External Audit Name> Scanning Team has questions regarding data discovered or requires assistance.

3.4 Scanning period. <Company Name> and <Internal or External Audit Name> Scanning Team shall identify in writing the allowable dates for the scan to take place.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History

1.0 Purpose

2.0 Scope

This policy covers appropriate use of any email sent from a <COMPANY NAME> email address and applies to all employees, vendors, and agents operating on behalf of <COMPANY NAME>.

3.0 Policy

3.1 Prohibited Use. The <COMPANY NAME> email system shall not to be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any <COMPANY NAME> employee should report the matter to their supervisor immediately.

3.2 Personal Use.

Using a reasonable amount of <COMPANY NAME> resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a <COMPANY NAME> email account is prohibited. Virus or other malware warnings and mass mailings from <COMPANY NAME> shall be approved by <COMPANY NAME> VP Operations before sending. These restrictions also apply to the forwarding of mail received by a <COMPANY NAME> employee.

3.3 Monitoring

<COMPANY NAME> employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system. <COMPANY NAME> may monitor messages without prior notice. <COMPANY NAME> is not obliged to monitor email messages.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term Definition

Email The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.

Forwarded email Email resent from an internal network to an outside point.

Chain email or letter Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.

Sensitive information Information is considered sensitive if it can be damaging to <COMPANY NAME> or its customers' reputation or market standing.

Virus warning. Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.

Unauthorized Disclosure The intentional or unintentional revealing of restricted information to people, both inside and outside <COMPANY NAME>, who do not have a need to know that information.

6.0 Revision History

Remote Access

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2006 All Ri

Removable Media

1.0 Overview

Removable media is a well-known source of malware infections and has

been directly tied to the loss of sensitive information in many

organizations.

2.0 Purpose

To minimize the risk of loss or exposure of sensitive information

maintained by <Company Name> and to reduce the risk of acquiring malware

infections on computers operated by <Company Name>.

3.0 Scope

This policy covers all computers and servers operating in <company

name>.

4.0 Policy

<Company Name> staff may only use <Company Name> removable media in

their work computers. <Company Name>removable media may not be

connected to or used in computers that are not owned or leased by the

<Company Name> without explicit permission of the <Company Name> info

sec staff. Sensitive information should be stored on removable media

only when required in the performance of your assigned duties or when

providing information required by other state or federal agencies. When

sensitive information is stored on removable media, it must be

encrypted in accordance with the <Company Name> Acceptable Encryption

Policy:http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.pdf

Exceptions to this policy may be requested on a case-by-case basis by

<Company Name>-exception procedures.

5.0 Enforcement

Any employee found to have violated this policy may be subject to

disciplinary action, up to and including

termination of employment.

6.0 Definitions

Removable Media: Device or media that is readable and/or writeable by

the end user and is able to be moved from computer to computer without

modification to the computer. This includes flash memory devices such

as thumb drives, cameras, MP3 players and PDAs; removable hard drives

(including hard drive-based MP3 players); optical disks such as CD and

DVD disks; floppy disks and any commercial music and software disks not

provided by <Company Name>.

Encryption: A procedure used to convert data from its original form to

a format that is unreadable and/or unusable to anyone without the

tools/information needed to reverse the encryption process.

Sensitive Information: Information which, if made available to

unauthorized persons, may adversely affect <Company Name>, its programs,

or participants served by its programs. Examples include, but are not

limited to, personal identifiers and , financial information,

Malware: Software of malicious intent/impact such as viruses, worms,

and Spyware.

7.0 Revision History

Original Issue Date:

Rasmussen College