Introduction
This document explains Digital Upline's information security requirements for all employees. Digital Upline, LLC management has committed to these policies to protect information utilized by Digital Upline, LLC in attaining its business goals. All employees are required to adhere to the policies described within this document.
Regulatory Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements mandated by the major payment card brands to give merchants and service providers a single, unified approach to safeguarding cardholder data across all card brands.
In September of 2006, a group of five leading payment brands including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International jointly announced formation of the PCI Security Standards Council, an independent council established to manage ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard.
The PCI DSS requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The requirements apply to all methods of card processing, from manual to computerized; the most comprehensive and demanding of them apply to e-commerce websites and retail POS systems that transmit card data over the internet.
During the normal course of compliance and reporting activities, %Company% will ensure that the scope of PCI DSS operations and reporting is properly defined and kept current.
Scope of Compliance
This Information Security Policy applies to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the company’s information environment. The company information environment is that part of the network that stores, processes or transmits company information. For example, the following types of systems would be in scope for compliance within any environment:
- Systems storing company information (e.g. databases, PCs used by accounting for generating reports)
- Systems processing company information (e.g. web servers, application servers, etc.)
- Network devices transporting or directing company information traffic (e.g. border router, DMZ firewall, intranet firewall, etc.)
- Devices that create media containing company information (e.g. fax machine, printer, backup tape silo)
- Support systems (e.g. Active Directory, PCs performing support functions such as system administration, etc.)
POLICY ROLES AND RESPONSIBILITIES
Policy Applicability
All employees, contractors, vendors and third parties that use, maintain or handle %Company% information assets must follow this policy.
Role of Chief Technical Officer
The Chief Technical Officer is responsible for coordinating and overseeing Digital Upline's compliance with policies and procedures regarding the confidentiality, integrity and security of its information assets.
The Chief Technical Officer will work closely with the other Digital Upline, LLC managers and staff involved in securing the company’s information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed. Specific responsibilities of the Chief Technical Officer include:
- Make high-level decisions pertaining to the information security policies and their content. Approve exceptions to these policies in advance on a case-by-case basis.
- On an annual basis, coordinate a formal risk assessment to identify new threats and vulnerabilities and identify appropriate controls to mitigate any new risks.
- At least annually review the Information Security policies and procedures to maintain adequacy in light of emergent business requirements or security threats.
- Make sure that third parties, with whom company information is shared, are contractually required to adhere to the PCI DSS requirements and to acknowledge that they are responsible for the security of the company information which they process.
- Ensure that connections to third parties are managed per PCI DSS requirements via the relationship procedures described in Management of Connected Entities (Appendix O).
- Complete tasks as required by the Periodic Operational Security Procedures (Appendix N).
- Disseminate Digital Upline, LLC information security policies, acceptable use guidance, and other user policies to all relevant system users, including vendors, contractors and business partners.
- Ensure that potential employees who will have access to systems, networks or data are screened prior to hire (for example pre-employment, criminal-history, employment-history or reference checks).
- Work with the Information Security Team on disseminating security awareness information to system users.
- Work with the Information Security Team to administer sanctions and disciplinary action relative to violations of Information Security Policy.
- Notify Access Management personnel when any employee is terminated so that the employee’s access can be revoked promptly.
- Maintain all Security Awareness and Acceptable Use (Appendix A) and Authorization Request Forms (Appendix B) in employee files.