Security Policy

Web Courseworks Security Policy

1. Introduction

To safeguard Web Courseworks’ information technology resources and protect the confidentiality of data, adequate security measures must be taken. This Information Security Policy reflects Web Courseworks’ commitment to comply with required standards governing the security of sensitive and confidential information.

Web Courseworks can minimize inappropriate exposures of confidential and/or sensitive information, loss of data, and inappropriate use of computer networks and systems by complying with reasonable standards (such as Payment Card Industry Data Security Standard), attending to the proper design and control of information systems, and applying sanctions when violations of this security policy occur.

Security is the responsibility of everyone who uses Web Courseworks’ information technology resources including employees, contractors, business partners, and agents of Web Courseworks. Each should become familiar with this policy’s provisions and the importance of adhering to them when using Web Courseworks’ computers, networks, data and other information resources. Each is responsible for reporting any suspected breaches of its terms. As such, all information technology resource users are expected to adhere to all policies and procedures mandated by the IT department.

2. Purpose / Scope

The primary purpose of this security policy is to establish rules to ensure the protection of confidential and/or sensitive information stored or transmitted electronically and to ensure protection of Web Courseworks’ information technology resources. The policy assigns responsibility and provides guidelines to protect Web Courseworks’ systems and data against misuse and/or loss.

This security policy applies to all users of computer systems, centrally-managed computer systems, or computers that are authorized to connect to Web Courseworks’ data network.

It may apply to users of information services operated or administered by Web Courseworks (depending on access to sensitive data, etc.). Individuals working for institutions affiliated with Web Courseworks are subject to these same definitions and rules when they are using Web Courseworks’ information technology resources.

This security policy applies to all aspects of information technology resource security including, but not limited to, accidental or unauthorized destruction, disclosure or modification of hardware, software, networks and/or data.

This security policy has been written to specifically address the security of data used by the Payment Card Industry. Credit card data stored, processed or transmitted by Web Courseworks must be protected, and security controls must conform to the Payment Card Industry Data Security Standard (PCI DSS).

Sensitive credit card data is defined as the Primary Account Number (PAN), Card Validation Code (CVC, CVV2, CVC2), and any form of magnetic stripe data from the card.

Note

This policy provides coverage for required SAQ C policy elements. There are also some additional “best practice” policy items included.

3. Security Policy Ownership and Responsibilities

It is the responsibility of the custodians of this security policy to publish and disseminate these policies to all relevant Web Courseworks system users (including vendors, contractors, and business partners). Also, the custodians must see that the security policy addresses and complies with all standards Web Courseworks is required to follow (such as the PCI DSS). This policy document will also be reviewed at least annually by the custodians (and any relevant data owners) and updated as needed to reflect changes to business objectives or the risk environment.

4. Build and Maintain a Secure Network Infrastructure

To protect sensitive and/or confidential data, it is critical to design and maintain a secure network infrastructure where this data may be stored, processed, or transmitted.

The following policies cover the network infrastructure as well as requirements for the secure configuration of all system components (network configurations, servers, workstations, etc.).

4.1.  Install and Maintain a Firewall Configuration

Firewalls control computer traffic allowed between Web Courseworks’ network (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within a company’s internal trusted network.

A firewall examines all network traffic and blocks those transmissions that do not meet Web Courseworks’ specified security criteria.

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees’ Internet access through desktop browsers, employees’ e-mail access, dedicated connections such as business to business connections, via wireless networks, from less secure to more secure network segments on an internal corporate network, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

4.1.1. Firewall/Router Configuration Documentation

Web Courseworks has firewall/router configuration standards that include the following:

  • A firewall must be present between each “public” network segment and the cardholder data network. Public network segments would include the Internet or any other corporate “out-of-scope” Intranet segments (i.e. less secure internal corporate segments where credit card data is not stored, processed, or transmitted). (PCI-DSS Requirement 1.1.1)
  • A firewall must also be present at each Internet connection and between any DMZ and the internal network zone. (PCI-DSS Requirement 1.1.3)
  • Firewall configuration documentation must contain the groups and/or individuals responsible for logical management of the firewalls. (PCI-DSS Requirement 1.1.4)
  • Firewall configuration documentation must contain a detailed list of inbound and outbound services, protocols, and ports required for daily business. This list must contain a description and justification for use of the required services, protocols, and ports on all firewall interfaces. (PCI-DSS Requirement 1.1.5)

4.1.2.  Restrict Connections Between Untrusted Network Segments and the Cardholder Data Environment

An “untrusted network” is any network that is external to the networks belonging to Web Courseworks, or that is outside Web Courseworks’ ability to control or manage (e.g., the Internet, connected vendor networks, public wireless networks).

An “untrusted network” may also include lower security Web Courseworks networks that are used for normal business purposes but are not used for the storing, processing, or transmitting of sensitive data (e.g., corporate office networks).

Web Courseworks will restrict connections from untrusted network segments to system components within the cardholder data environment by doing the following:

  • Firewall rules must limit all inbound and outbound traffic to/from the cardholder data network to only that which is necessary for business. (PCI-DSS Requirement 1.2.1a)
  • When wireless networking is used, require a firewall between any wireless network and the cardholder data environment. Firewall rules must prohibit insecure traffic and restrict traffic from the wireless segment to only that which is necessary for business. (PCI-DSS Requirement 1.2.3)

4.1.3.  Prohibit Direct Public Access between the Internet and the Cardholder Data Environment

Web Courseworks will prohibit direct public access between the Internet and any system component in the cardholder data environment by doing the following:

  • Create a DMZ (using appropriate firewall configuration) to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment. (PCI-DSS Requirement 1.3.1)
  • Limit all inbound traffic from the Internet to addresses within a DMZ. (PCI-DSS Requirement 1.3.2)
  • Direct network routes (inbound or outbound) between the Internet and the cardholder data network segment where sensitive card data is stored are prohibited; such traffic must pass through the DMZ. (PCI-DSS Requirement 1.3.3)
  • Do not allow internal IP addresses (e.g., RFC 1918 address ranges) to pass from the Internet into the cardholder data network. (PCI-DSS Requirement 1.3.4)
  • Outbound traffic from any cardholder data environment zone must be explicitly authorized (PCI-DSS Requirement 1.3.5)
  • Use firewall hardware that implements stateful inspection, also known as dynamic packet filtering, so that only packets belonging to an already established connection are allowed into the network. (PCI-DSS Requirement 1.3.6)
  • Hide the structure of the internal network from the Internet using technologies such as NAT, PAT, RFC 1918 address space, etc. (PCI-DSS Requirement 1.3.8)
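The checks in 4.1.1 and 4.1.3 are easiest to keep honest by running them against the firewall's exported rule list rather than by reading the configuration by hand. The following Python script is an added worked example, not Web Courseworks' own tooling: it walks a rule list in first-match order and reports every permitted service that is missing from the justified-services list (1.1.5), every inbound rule that does not terminate in the DMZ (1.3.2), every direct route from the cardholder segment to the Internet (1.3.3), every inbound allow that would still accept RFC 1918 source addresses because no earlier deny drops them (1.3.4), and every outbound rule that is not explicit (1.3.5). The zone addresses, the `Rule` record format, the `JUSTIFIED` table and the sample rules are all assumptions made for the example.

```python
"""Added example (not Web Courseworks code): review a firewall rule export against 4.1.1 / 4.1.3.

Assumptions: the addressing below is hypothetical (TEST-NET-3 for the DMZ, an RFC 1918 block for
the CDE), rules are evaluated first-match, and JUSTIFIED mirrors the 1.1.5 services/ports list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DMZ = ipaddress.ip_network("203.0.113.0/27")      # hypothetical public DMZ
CDE = ipaddress.ip_network("10.20.0.0/24")         # hypothetical cardholder data segment
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Req 1.1.5: every permitted (direction, protocol, port) needs a documented business justification.
JUSTIFIED = {
    ("in", "tcp", 443): "customer HTTPS to the payment front end in the DMZ",
    ("out", "tcp", 443): "DMZ front end to the card processor's gateway",
    ("out", "udp", 123): "NTP, so audit-trail timestamps stay consistent",
}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str              # "in" = arriving from the Internet, "out" = leaving toward it
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    proto: str = "any"
    port: Optional[int] = None  # None = any port


def net(cidr: str):
    return ANY if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def review(rules):
    """Walk the rules in first-match order and return a list of policy findings (empty = clean)."""
    findings = []
    spoof_denied = set()   # RFC 1918 blocks already dropped by an earlier inbound deny rule
    for r in rules:
        src, dst = net(r.src), net(r.dst)
        if r.action == "deny":
            if r.direction == "in":
                spoof_denied.update(p for p in RFC1918 if p.subnet_of(src))
            continue
        if (r.direction, r.proto, r.port) not in JUSTIFIED:
            findings.append(f"{r.name}: {r.direction} {r.proto}/{r.port or 'any'} has no documented justification (1.1.5)")
        if r.direction == "in":
            if not dst.subnet_of(DMZ):
                findings.append(f"{r.name}: inbound from the Internet must terminate in the DMZ (1.3.2)")
            # An allow from "any" admits spoofed private sources unless a deny above already dropped them.
            leaks = [str(p) for p in RFC1918 if src.overlaps(p) and p not in spoof_denied]
            if leaks:
                findings.append(f"{r.name}: would accept internal source addresses {leaks} from the Internet (1.3.4)")
        else:
            if dst == ANY or r.port is None:
                findings.append(f"{r.name}: outbound traffic must be explicitly authorized, not any/any (1.3.5)")
            if src.overlaps(CDE) and not (dst.subnet_of(DMZ) or dst.subnet_of(CDE)):
                findings.append(f"{r.name}: direct route from the CDE to the Internet (1.3.3)")
    return findings


# Constructed rule export: three anti-spoofing denies, a clean web rule, and two policy violations.
SAMPLE_RULES = [
    Rule("deny-spoof-10",  "in",  "deny",  "10.0.0.0/8",      "any"),
    Rule("deny-spoof-172", "in",  "deny",  "172.16.0.0/12",   "any"),
    Rule("deny-spoof-192", "in",  "deny",  "192.168.0.0/16",  "any"),
    Rule("web-in",         "in",  "allow", "any",             "203.0.113.10/32", "tcp", 443),
    Rule("ssh-to-cde",     "in",  "allow", "any",             "10.20.0.5/32",    "tcp", 22),
    Rule("processor-out",  "out", "allow", "203.0.113.10/32", "198.51.100.7/32", "tcp", 443),
    Rule("cde-any-out",    "out", "allow", "10.20.0.0/24",    "any"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

Run against the sample export, the script reports five findings: two for the SSH rule into the CDE and three for the any/any egress rule, while the web rule passes only because the three anti-spoofing denies precede it. Stateful inspection (1.3.6) is a property of the firewall platform rather than of a rule, so it is not something a rule review can confirm.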

4.1.4. Personal Firewall Required on Mobile Computers

  • Personal firewalls must be installed and active on all mobile and/or employee computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the cardholder data network. (PCI-DSS Requirement 1.4a)
  • Personal firewall software is to be configured by Web Courseworks to specific standards and is not alterable by mobile computer users. (PCI-DSS Requirement 1.4b)

4.2.  Change Vendor-supplied Defaults

  • System components used in sensitive networks often will come with default vendor settings (usernames, passwords, configuration settings, etc.). Web Courseworks’ policy is to always change vendor-supplied defaults for system passwords or other security parameters before systems are installed in the secure network environment (cardholder data network).
  • Individuals with malicious intent (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well-known by hacker communities and are easily determined via public information.

4.2.1.  Change Vendor-supplied Defaults

  • All vendor-supplied defaults must be changed on all system components before being used in the cardholder data network. Examples include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts, etc. (PCI-DSS Requirement 2.1)
  • All default settings for wireless environments (equipment) connected to the cardholder data environment or transmitting cardholder data must be changed before enabling the wireless system for production use. (PCI-DSS Requirement 2.1.1)
  • Require that all wireless devices be configured to support strong encryption technologies (e.g., WPA2 or later; WEP and the original WPA with TKIP are not considered strong) for both authentication to the network and transmission of data. (PCI-DSS Requirement 2.1.1)

4.2.2.  Remove Unnecessary Functionality

All unnecessary functionality or software is to be removed from system components in the cardholder network. (PCI-DSS Requirement 2.2)

4.2.3.  Use Secure Protocols for Non-Console Access

Strong cryptography must be used for any non-console and/or web-based management interface used for administration of systems and/or system components. (Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.) SSL and TLS 1.0 are no longer accepted as strong cryptography under PCI DSS, so web-based administration must use TLS 1.2 or later. (PCI-DSS Requirement 2.3)

5. Protect Sensitive Data

Sensitive and/or confidential data (e.g., cardholder data) must be protected when stored and when transmitted over public (or untrusted) networks. Strong industry standard encryption methodologies must be used to protect data stored on hard drives, removable media, backups, etc. The following policies ensure proper encryption of stored data and of data in transit over open, public networks.

5.1.  Protect Stored Data

Protection methods such as encryption, truncation, masking, and hashing are critical components of sensitive data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable.

5.1.1. Storage of Sensitive Credit Card Account Number

Sensitive cardholder data such as the Primary Account Number (PAN) must never be stored on any system component of the cardholder data network.

5.1.2. Storage of Sensitive Credit Card Authentication Data

  • Never store sensitive cardholder data such as the authentication data (Track, CVC, PIN) after an authorization event has taken place (even if encrypted). (PCI-DSS Requirement 3.2).
  • Never store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere) in any database, log file, debug file, etc. after any type of card authorization event. (PCI-DSS Requirement 3.2.1).
  • Never store the Card Validation Code (CVC) data (3- or 4-digit number located on the back or front of the customer’s plastic card) in any database, log file, debug file, etc. after any type of card authorization event. (PCI-DSS Requirement 3.2.2).
  • Never store the cardholder’s Personal Identification Number (PIN) data (including the actual PIN number or Encrypted PIN block obtained during a debit card transaction from the PIN Entry Device) in any database, log file, debug file, etc. after any type of card authorization event. (PCI-DSS Requirement 3.2.3).

5.1.3. Mask Credit Card Numbers in Displays Wherever Possible

  • PAN data must be masked or truncated when card numbers are displayed on any medium, so that at most the first six and last four digits are shown; exceptions may be made for users with a valid business need to see the full PAN. (PCI-DSS Requirement 3.3)
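The two controls above are checkable: 5.1.2 forbids PANs and authentication data in logs and debug files, and 5.1.3 fixes the display form. The Python below is an added worked example, not Web Courseworks code or tooling: it scans log lines for 13 to 19 digit runs, keeps only those that pass the Luhn check (which every real PAN satisfies, and which filters out most timestamps and order numbers), reports each hit with the PAN already masked, and can rewrite a line with the PAN replaced by its first-six/last-four form. The log format, the use of the Luhn check, and the sample lines are assumptions made for the example.

```python
"""Added example (not Web Courseworks code): find PANs that leaked into logs (5.1.2) and mask them (5.1.3).

Assumptions: log lines are plain text, a PAN is 13-19 digits optionally split by single spaces or
hyphens, and the Luhn check is used to weed out order numbers and timestamps. The sample log is
constructed; the card numbers in it are the usual published test numbers.
"""
import re

# 13-19 digits with optional single space/hyphen separators, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real PAN satisfies; about nine in ten random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right, folding to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return the Luhn-valid PANs in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Display form allowed by Req 3.3: at most the first six and last four digits are shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def audit_log(lines):
    """(line number, masked PAN) for every line holding a PAN: evidence of a 5.1.2 violation."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


def scrub(line: str) -> str:
    """Rewrite a log line with every Luhn-valid PAN replaced by its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, line)


# Constructed sample: line 1 has a 14-digit order number that fails Luhn; lines 2 and 3 leak test PANs.
SAMPLE_LOG = [
    "2024-03-02T10:15:04Z INFO  checkout order=20240302101507 amount=49.00",
    "2024-03-02T10:15:05Z DEBUG gateway request pan=4111111111111111 exp=12/26",
    '2024-03-02T10:15:05Z DEBUG retry card="5500 0000 0000 0004"',
    "2024-03-02T10:15:06Z INFO  authorized ref=ABC123",
]

if __name__ == "__main__":
    for n, masked in audit_log(SAMPLE_LOG):
        print(f"line {n}: PAN {masked} written to log")
```

On the sample log the audit flags lines 2 and 3 and ignores the order number on line 1. Two caveats for real use: the Luhn check still passes roughly one random 16-digit number in ten, so hits are candidates to confirm, not proof; and scrubbing an existing log is damage control only. The fix for 5.1.2 is to stop the application writing the field at all, and to treat any log that did contain a PAN as cardholder data until it is destroyed.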

5.2.  Encrypt Transmission of Data Over Public Networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by individuals with malicious intent. Improperly configured wireless networks and vulnerabilities in legacy encryption and authentication protocols can be continued targets of individuals with malicious intent who exploit these vulnerabilities to gain privileged access to sensitive data environments.

5.2.1. Transmission of Card Data Over Public Networks

  • Strong encryption algorithms and protocols (e.g., TLS, IPsec) must be used whenever cardholder data is transmitted or received over open, public networks. SSL and TLS 1.0 are no longer accepted as strong cryptography under PCI DSS; use TLS 1.2 or later. (PCI-DSS Requirement 4.1).
  • Any wireless systems used in the card network must prohibit the use of the WEP protocol. (PCI-DSS Requirement 4.1).

5.2.2. Transmission of Card Data Via End User Messaging Technologies

  • Prohibit the transmission of unencrypted cardholder data via end-user messaging technologies (e.g., e-mail, instant messaging, etc.). (PCI-DSS Requirement 4.2).

6. Maintain a Vulnerability Management Program

System components within the sensitive data environment (cardholder data network) must be covered by an active vulnerability management program. This program controls malicious software (for example, through anti-virus software) and sets policy for development efforts and for system or software updates and upgrades so that security is maintained.

The following policies ensure system components are protected from malicious software and vulnerabilities that result from software bugs and improperly patched applications and operating systems.

6.1.  Use Regularly Updated Anti-Malware Software

Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters a sensitive network segment during many business-approved activities, including employees’ e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-malware (anti-virus) software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.

6.1.1. Use Anti-Virus Software to protect Systems 

  •  Anti-virus software must be deployed on all systems in the card network that are commonly affected by malicious software. This includes personal computers, servers, etc. that are attached to the cardholder network segment. (PCI-DSS Requirement 5.1).
  • Anti-virus programs must be capable of detecting, removing, and protecting against all known types of malicious software (adware, spyware, etc.). (PCI-DSS Requirement 5.1).

6.1.2. Keep Anti-Virus Software Current, Running, and Logging

  • All anti-virus software and its associated definition files are to be kept up-to-date at all times. (PCI-DSS Requirement 5.2a).
  • All anti-virus software must be actively running, and capable of generating audit logs. (PCI-DSS Requirement 5.2b & c).
  • Anti-virus software audit logs must be retained for one year. (PCI-DSS Requirement 5.2d).

6.2.  Develop and Maintain Secure Systems and Applications

Individuals with malicious intent use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities can be fixed by applying vendor-provided security patches. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of sensitive data (cardholder data) by individuals with malicious intent and the use of malicious software.

Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, the introduction of vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

6.2.1.  Regularly Update Systems and Software

  • All system components and software must have the latest vendor-supplied system security patches installed. (PCI-DSS Requirement 6.1).
  • All critical system and software patches must be installed within 30 days of vendor release. (PCI-DSS Requirement 6.1).

6.2.2. System Administrator Duties

System administrators must subscribe to outside sources of security vulnerability information (for example, vendor security advisories), and system configuration standards must be reviewed and updated as new vulnerability information dictates. (PCI-DSS Requirement 6.2b).

6.2.3.  Protect Exposed Web Applications

All publicly-exposed web applications used to store, process, or transmit card data must be protected by a web application firewall that actively filters malicious traffic to prevent web-based attacks. (PCI-DSS Requirement 6.6).

7. Implement Strong Access Control Measures

Access to system components and software within the sensitive data environment (cardholder data network) must be controlled and restricted to those with a business need for that access. This is achieved through the use of active access control systems, strong controls on user and password management, and restricting physical access to critical or sensitive components and software to individuals with a “need to know.”

7.1. Restrict Access to Sensitive Data

Systems and processes must be in place to limit access to critical data and systems based on an individual’s need to know, and according to job responsibilities.

“Need to know” is when access rights are granted to the least amount of data and privileges needed to perform a job.

7.1.1.  Restrict Access to Systems in Cardholder Data Environment

  • Access to cardholder data and systems handling cardholder data must be restricted by business need to know. (PCI-DSS Requirement 7.1).
  • Automated role-based access control systems must be in place on all systems in the cardholder data network. User IDs must limit users’ rights to only those necessary for their job classification and function. (PCI-DSS Requirement 7.1.2).

7.2. Assign a Unique ID to Access System Components

It is important to assign a unique identification (ID) to each person with access to critical systems or software. This ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

7.2.1.  Require Unique User IDs 

Unique IDs will be used for all users that access system components in the cardholder data environment. (PCI-DSS Requirement 8.1).

7.2.2. Password Reset

All non-face-to-face password reset requests for users with access to the cardholder data network require a verification of employee identity. (PCI-DSS Requirement 8.5.2).

7.2.3.  Vendor Management Accounts

Vendor accounts for remote or on-site maintenance are only enabled during the time period needed by the vendor and monitored by a Web Courseworks employee while being used. (PCI-DSS Requirement 8.5.6).

7.2.4.  Shared Accounts Prohibited

Use of group or shared User IDs or passwords is specifically prohibited. (PCI-DSS Requirement 8.5.8).

7.3. Restrict Access to Sensitive Data and System Components

Any physical access to data or systems that house sensitive data (cardholder data) provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.

7.3.1. Securing Hard Copy Materials 

Web Courseworks will define procedures required for protecting paper and hard copy materials (which includes paper receipts, mail, reports, and faxes) containing cardholder data within all facility locations. (PCI-DSS Requirement 9.6).

7.3.2. Secure Media Containing Sensitive Data

  • Web Courseworks will define specific procedures required for controlling the internal or external distribution of any kind of media containing cardholder data and will maintain strict control over the storage and accessibility of both hardcopy and electronic media that contains cardholder data. (PCI-DSS Requirement 9.7, 9.9)
  • Media must be classified and labeled in such a way that it can be identified as “Confidential”. (PCI-DSS Requirement 9.7.1)
  • All media containing sensitive cardholder data sent outside the facility must be transferred by secured courier or other delivery method that can be accurately tracked. Log all transfers of media containing cardholder data. Logs must show management approval, and tracking information. Retain media transfer logs. (PCI-DSS Requirement 9.7.2)
  • Management approval is required prior to moving any and all media containing cardholder information out of a secured area (especially when media is distributed to individuals). (PCI-DSS Requirement 9.8)
  • Periodic inventory of stored media containing cardholder data must be performed and documentation must be retained showing these inventories were performed. (PCI-DSS Requirement 9.9)

7.3.3. Media Destruction Policies

  • Media containing cardholder data must be destroyed when it is no longer needed for business or legal reasons. (PCI-DSS Requirement 9.10).
  • Web Courseworks has defined specific procedures that will be used to destroy any hard copy materials containing cardholder data beyond reconstruction. Technologies such as shredding, incineration, pulping, etc. must be used to destroy media. (PCI-DSS Requirement 9.10.1).

8. Regularly Monitor/Test Sensitive Data Networks

Important components of overall system security are the regular testing of networks for exposed vulnerabilities and the continuous monitoring of security indicators (logs, system events, etc.). The following policies address system monitoring and vulnerability testing.

8.1.  Track and Monitor Access to Network Resources/Data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

8.1.1.  Monitor System Components Within the Cardholder Data Network

  • Enable audit trails (active system tracking logs) on all system components within the cardholder data network (e.g., server event logs, web server logs, firewall logs, payment application logs, etc.). (PCI-DSS Requirement 10.1).
  • Retain audit trail logs for at least 12 months, with a minimum of three months immediately available for analysis. (PCI-DSS Requirement 10.7).

8.2. Regularly Test Security Systems and Processes

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software must be tested frequently to ensure security controls continue to reflect a changing environment.

8.2.1. Rogue Wireless Network Detection

A wireless analyzer must be used at least quarterly to detect unauthorized wireless networks/devices within the card-processing environment. (PCI-DSS Requirement 11.1)

8.2.2. Vulnerability Assessment Scans 

  • Internal vulnerability assessment scans must be performed at least quarterly and after any significant change in the cardholder data network (e.g., changes in firewall rules, or upgrades to products within the environment, etc.). (PCI-DSS Requirement 11.2)
  • External vulnerability scans are to be performed at least quarterly and after any significant change in the cardholder data network (e.g., changes in firewall rules, or upgrades to products within the environment, etc.). The quarterly external scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV); rescans after significant changes may be run by internal staff. Scans must cover all external IP addresses that could be used to gain access to the cardholder data environment. (PCI-DSS Requirement 11.2)
  • Systems failing a vulnerability assessment scan (either internal or external) are to be remediated and retested until a passing scan is achieved. (PCI-DSS Requirement 11.2)
  • Results of each quarter’s internal and external vulnerability assessments are to be documented and retained for review. (PCI-DSS Requirement 11.2)

9. Maintain an Information Security Policy

Without strong security policies and procedures, many of the layers of security controls become ineffective at preventing data breaches. Unless consistent policies and practices are adopted and followed at all times, security controls break down through inattention and poor maintenance. The following documentation policies address maintaining the Web Courseworks security policies described above.

9.1.  Maintain a Security Policy for Employees and Contractors

A strong security policy sets the security tone for Web Courseworks and informs employees and vendors what is expected of them. All employees and vendors should be aware of the sensitivity of data and their responsibilities for protecting it.

Note

“Employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company’s site.

9.1.1. Publish the Information Security Policy

  • Web Courseworks requires that the most recent version of the information security policy be published and disseminated to all relevant system users (including vendors, contractors, and business partners). (PCI-DSS Requirement 12.1)
  • The Web Courseworks information security policy must be reviewed at least annually to keep it up to date with changes in the industry and with any changes in the cardholder network environment. (PCI-DSS Requirement 12.1.3)

9.1.2. Employee-Facing Technologies

Web Courseworks must develop usage policies for all critical employee-facing technologies (e.g., remote-access technologies, wireless technologies, removable electronic media, laptops, e-mail usage, and Internet usage). (PCI-DSS Requirement 12.3)

9.1.3. Assign Information Security Responsibilities & Train Employees

  • The Web Courseworks information security policy and procedures must clearly define the information security responsibilities of both employees and contractors. (PCI-DSS Requirement 12.4)
  • Responsibilities of information security at Web Courseworks must be formally assigned to a specific individual(s), position, or team. (PCI-DSS Requirement 12.5)
  • Specifically, the following responsibilities must be assigned (see form in Appendix A):
      • Distributing the Web Courseworks information security policies and procedures. (PCI-DSS Requirement 12.5.1)
      • Monitoring, analyzing, and distributing security alerts and information. (PCI-DSS Requirement 12.5.2)
      • Establishing, documenting, and distributing security incident response and escalation procedures. (PCI-DSS Requirement 12.5.3)
      • Administering user accounts in the cardholder data network, including all additions, deletions, and modifications to user access. (PCI-DSS Requirement 12.5.4)
      • Monitoring and controlling all access to sensitive cardholder data. (PCI-DSS Requirement 12.5.5)
  • A formal security awareness program must exist, and participation is required for all employees working within the cardholder data environment. (PCI-DSS Requirement 12.6a).

9.1.4. Policies For Sharing Data With Service Providers

If cardholder data is shared with service providers (for example, back-up tape storage facilities, managed service providers such as Web hosting companies or security service providers, or those that receive data for fraud modeling purposes), the following policies and procedures must be followed:

  • Web Courseworks must maintain a documented list of any service provider that is given cardholder data, provided direct access to the cardholder network, or can affect the security of the cardholder network. (PCI-DSS Requirement 12.8.1).
  • Any written agreement with a service provider that is given cardholder data, provided direct access to the cardholder network, or can affect the security of the cardholder network, must include an acknowledgement of the service provider’s responsibility for securing all cardholder data they receive from Web Courseworks. (PCI-DSS Requirement 12.8.2).
  • Prior to engaging with a service provider that is given cardholder data, provided direct access to the cardholder network, or can affect the security of the cardholder network, Web Courseworks will conduct due diligence and follow an established process to ensure that the security of cardholder data within the service provider’s network has been addressed. (PCI-DSS Requirement 12.8.3).
  • Web Courseworks will have an ongoing program to monitor the PCI DSS compliance status of any service provider that is given cardholder data, provided direct access to the cardholder network, or can affect the security of the cardholder network. (PCI-DSS Requirement 12.8.4).