Information Security Policy
I. POLICY
A. It is the policy of ISA-ECASH that information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.
B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least thirty-six (36) months after initial creation or, for policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, at an interval to be determined by each entity within ISA-ECASH.
C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.
II. SCOPE
A. The scope of information security includes the protection of the confidentiality, integrity and availability of information.
B. The framework for managing information security in this policy applies to all ISA-ECASH entities and workers, and other Involved Persons and all Involved Systems throughout ISA-ECASH as defined below in INFORMATION SECURITY DEFINITIONS.
C. This policy and all standards apply to all protected financial information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.
III. RISK MANAGEMENT
A. A thorough analysis of all ISA-ECASH information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats (internal or external, natural or man-made, electronic or non-electronic) that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to those threats. Finally, the analysis will include an evaluation of the information assets and the technology associated with their collection, storage, dissemination and protection.
From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.
B. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.
IV. INFORMATION SECURITY DEFINITIONS
Availability: Data or information is accessible and usable upon demand by an authorized person.
Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.
Integrity: Data or information has not been altered or destroyed in an unauthorized manner.
Involved Persons: Every worker at ISA-ECASH -- no matter what their status. This includes employees, contractors, consultants, temporaries, volunteers, interns, etc.
Involved Systems: All computer equipment and network systems that are operated within the ISA-ECASH environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.
Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.
V. INFORMATION SECURITY RESPONSIBILITIES
A. Compliance Officer: The Compliance Officer (CO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of ISA-ECASH Management. Specific responsibilities include:
1. Ensuring security policies, procedures, and standards are in place and adhered to by the entity.
2. Providing basic security support for all systems and users.
3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification.
4. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
5. Providing on-going employee security education.
6. Performing annual security audits.
7. Reporting regularly to ISA-ECASH Management on entity’s status with regard to information security.
8. With ISA-ECASH Management, conducting an annual Risk Assessment review, using the Vendor Risk Management Procedures, of any vendor that has access to Confidential Information as defined below. This review will evaluate the vendor based upon the following criteria:
a. Vendor’s compliance with VISA and MasterCard rules and regulations, if applicable.
b. Vendor’s compliance with the U.S. Patriot Act as it pertains to “know your customer”.
c. Vendor’s compliance with ISA-Ecash’s Vendor Risk Management Procedures.
d. Any other criteria that the Compliance Officer may deem necessary.
B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner of information has the responsibility for:
1. Knowing the information for which she/he is responsible.
2. Determining a data retention period for the information, relying on advice from ISA-Ecash Management.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
4. Authorizing access and assigning custodianship.
5. Specifying controls and communicating the control requirements to the custodian and users of the information.
6. Reporting promptly the loss or misuse of ISA-ECASH information.
7. Initiating corrective actions when problems are identified.
C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include:
1. Providing and/or recommending physical safeguards.
2. Providing and/or recommending procedural safeguards.
3. Administering access to information.
4. Releasing information as authorized by the Information Owner and/or the Information Privacy/Security Officer for use and disclosure, using procedures that protect the privacy of the information.
5. Evaluating the cost effectiveness of controls.
6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO.
7. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
8. Reporting promptly the loss or misuse of ISA-ECASH information.
9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
D. User Management: ISA-ECASH management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including:
1. Reviewing and approving all requests for their employees access authorizations.
2. Initiating security change requests to keep employees' security record current with their positions and job functions.
3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
4. Revoking physical access from terminated employees (e.g., confiscating keys, changing combination locks, etc.).
5. Providing employees with the opportunity for training needed to properly use the computer systems.
6. Reporting promptly the loss or misuse of ISA-ECASH information.
7. Initiating corrective actions when problems are identified.
E. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Keep personal authentication devices (e.g. passwords, SecureCards, PINs, etc.) confidential.
4. Report promptly the loss or misuse of ISA-ECASH information.
5. Initiate corrective actions when problems are identified.
VI. INFORMATION CLASSIFICATION
Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification, the integrity and accuracy of all information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:
A. Confidential Information
1. Confidential Information is very important and highly sensitive material. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access.
Examples of Confidential Information may include: personnel information, key financial information, proprietary information, system access passwords and information file encryption keys.
2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for ISA-ECASH, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.
B. Internal Information
1. Internal Information is intended for unrestricted use within ISA-ECASH, and in some cases within affiliated organizations such as ISA-ECASH business partners. This type of information is already widely distributed within ISA-ECASH, or it could be so distributed within the organization without advance permission from the information owner.
Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages.
2. Any information not explicitly classified as Confidential or Public will, by default, be classified as Internal Information.
3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.
C. Public Information
1. Public Information has been specifically approved for public release by a designated authority within each entity of ISA-ECASH. Examples of Public Information may include marketing brochures and material posted to ISA-ECASH entity internet web pages.
2. This information may be disclosed outside of ISA-ECASH.
VII. COMPUTER AND INFORMATION CONTROL
All involved systems and information are assets of ISA-ECASH and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.
A. Installed Software: All software packages that reside on computers and networks within ISA-ECASH must comply with applicable licensing agreements and restrictions and must comply with ISA-ECASH acquisition of software policies.
B. Virus Protection: Virus checking systems approved by ISA-Ecash Management must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.
C. Access Controls: Physical and electronic access to Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by ISA-ECASH Management. Mechanisms to control access to Confidential and Internal information include (but are not limited to) the following methods:
1. Authorization: Access will be granted on a “need to know” basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy:
a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of the user, strength of user authentication, etc.
b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.
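The three access methods above are not mutually exclusive; a single authorization decision typically layers them. The following is an added illustration (not ISA-ECASH code) of a deny-by-default check that combines user-based grants, role-based privileges, and context rules (time of day, authentication strength, network location). The role names, resources, and context thresholds are assumptions chosen for the example.

```python
"""Added example: one authorization decision that layers user-based,
role-based and context-based access control, denying by default.
Roles, resources and the context thresholds are assumed for illustration."""
from dataclasses import dataclass

# Role -> set of (classification, action) privileges (assumed example roles).
ROLE_PRIVILEGES = {
    "teller": {("Internal", "read"), ("Confidential", "read")},
    "ops_admin": {("Internal", "read"), ("Internal", "write"),
                  ("Confidential", "read"), ("Confidential", "write")},
}

# Explicit per-user grants on named resources (user-based access).
USER_GRANTS = {
    "alice": {"settlement_report": {"read"}},
}

BUSINESS_HOURS = range(7, 19)   # assumed: 07:00 to 18:59


@dataclass
class Context:
    hour: int                   # hour of day, 0-23
    auth_strength: str          # "password" or "token_pin"
    on_corporate_network: bool  # True when using an approved pathway


@dataclass
class Resource:
    name: str
    classification: str         # "Public", "Internal" or "Confidential"


def authorize(user, roles, resource, action, ctx):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if resource.classification == "Public" and action == "read":
        return True, "public"

    # Context-based rules for Confidential data (assumed thresholds): these
    # are checked first so that no role or grant can override them.
    if resource.classification == "Confidential":
        if ctx.auth_strength != "token_pin":
            return False, "confidential requires token+PIN"
        if not ctx.on_corporate_network:
            return False, "confidential requires approved network pathway"
        if ctx.hour not in BUSINESS_HOURS:
            return False, "outside business hours"

    # User-based: an explicit grant on this named resource.
    if action in USER_GRANTS.get(user, {}).get(resource.name, set()):
        return True, "user grant"

    # Role-based: any assigned role carrying the privilege.
    for role in roles:
        if (resource.classification, action) in ROLE_PRIVILEGES.get(role, set()):
            return True, f"role {role}"

    return False, "no matching privilege"
```

The ordering matters: context checks run before any grant lookup, so a privileged role cannot reach Confidential data over a weak authentication or an unapproved pathway, which matches the policy's intent that the "external" factors constrain access regardless of who the initiator is.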
2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id.
a. At least one of the following authentication methods must be implemented:
1. strictly controlled passwords (Attachment 1 – Password Control Standards),
2. tokens in conjunction with a PIN.
b. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager.
c. The user must log off or secure the system when leaving it.
3. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented:
a. integrity controls and
b. encryption, where deemed appropriate
4. Remote Access: Access into the ISA-ECASH network from outside will be granted using ISA-ECASH approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protection as information stored and accessed within the ISA-ECASH network.
5. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals.
The following physical controls must be in place:
a. File servers containing Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
b. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will:
1. Position workstations to minimize unauthorized viewing of protected financial information.
2. Grant workstation access only to those who need it in order to perform their job function.
c. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:
1. Facility Security Plan – Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
2. Access Control and Validation – Documented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
3. Maintenance records – Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).
6. Emergency Access:
a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
b. Procedures must be documented to address:
1. Authorization,
2. Implementation, and
3. Revocation
E. Equipment and Media Controls: The disposal of information must ensure the continued protection of Confidential and Internal Information. The following specifications must be addressed:
1. Information Disposal / Media Re-Use of:
a. Hard copy (paper and microfilm/fiche)
b. Magnetic media (floppy disks, hard drives, zip disks, etc.) and
c. CD-ROM disks
2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and of the person responsible for them.
3. Data backup and Storage: When needed, create a retrievable, exact copy of electronic information before movement of equipment.
F. Other Media Controls:
1. Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as Confidential Information. Further, external media containing Confidential Information must never be left unattended in unsecured areas.
2. Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PC’s, etc.) unless the devices have the following minimum security requirements implemented:
a. Power-on passwords
b. Auto logoff or screen saver with password
Further, mobile computing devices must never be left unattended in unsecured areas.
3. If Confidential Information is stored on external medium or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of ISA-ECASH Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with ISA-ECASH.
H. Data Transfer/Printing:
1. Electronic Mass Data Transfers: Downloading and uploading Confidential and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research purposes that include Confidential Information must be approved by ISA-Ecash Management. All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring Confidential Information to external entities (see ISA-ECASH policy B-2 entitled “Business Associates”).
2. Other Electronic Data Transfers and Printing: Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. Confidential Information must not be downloaded, copied or printed indiscriminately, or left unattended and open to compromise. Financial information that is downloaded for educational purposes should, where possible, be de-identified before use.
I. Oral Communications: ISA-ECASH staff should be aware of their surroundings when discussing Confidential Information. This includes the use of cellular telephones in public areas. ISA-ECASH staff should not discuss Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.
J. Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use Confidential information must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years.
K. Evaluation: ISA-ECASH requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic information to ensure its continued protection.
L. Contingency Plan: Controls must ensure that ISA-ECASH can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain Confidential, or Internal Information. This will include developing policies and procedures to address the following:
1. Data Backup Plan:
a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
b. Backup data must be stored in an off-site location and protected from physical damage.
c. Backup data must be afforded the same level of protection as the original data.
2. Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
3. Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
4. Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.
5. Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented.
--- ATTACHMENT 1 ---
Password Control Standards
The ISA-ECASH Information Security Policy requires the use of strictly controlled passwords for accessing Confidential Information (CI) and Internal Information (II). (See ISA-ECASH Information Security Policy for definition of these protected classes of information.)
Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.
Standards for accessing CI, II:
Users are responsible for complying with the following password standards:
1. Passwords must never be shared with another person, unless the person is a designated security manager.
2. Every password must, where possible, be changed regularly (every 45 to 180 days, depending on the sensitivity of the information being accessed).
3. Passwords must, where possible, have a minimum length of eight characters.
4. Passwords must never be saved when prompted by any application with the exception of central single sign-on (SSO) systems as approved by ISA-Ecash Management. This feature should be disabled in all applicable systems.
5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
6. When creating a password, do not use words that can be found in dictionaries or words that are easily guessed due to their association with the user (e.g. children’s names, pets’ names, birthdays, etc.). A combination of alphabetic and numeric characters is more difficult to guess.
Where possible, system software must enforce the following password standards:
1. Passwords routed over a network must be encrypted.
2. Passwords must be entered in a non-display field.
3. System software must enforce the changing of passwords and the minimum length.
4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes.
5. System software must maintain a history of previous passwords and prevent their reuse.
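As an added example (not ISA-ECASH code), the account record below enforces the system-side standards above: minimum length and letter/digit mix, rejection of dictionary or user-associated words, rotation age by sensitivity (45 days for CI, 180 for II), a reuse history of salted hashes, and lockout after more than three consecutive invalid passwords within 15 minutes, held for 30 minutes. The history depth, the stand-in word list, and the PBKDF2 parameters are assumptions; a production deployment would use the organisation's approved hashing and a real dictionary.

```python
"""Added example: system-side enforcement of the password control standards.
History depth, the word list and the hashing cost are assumed values."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

HISTORY_DEPTH = 10                        # assumed: remember the last 10 hashes
MAX_FAILURES = 3                          # policy: more than 3 invalid passwords ...
FAILURE_WINDOW = timedelta(minutes=15)    # ... within a 15 minute window ...
LOCKOUT = timedelta(minutes=30)           # ... disables the id for at least 30 minutes
MAX_AGE = {"CI": timedelta(days=45), "II": timedelta(days=180)}  # rotation by sensitivity
WEAK_WORDS = {"password", "welcome", "letmein"}  # constructed stand-in for a dictionary
PBKDF2_ROUNDS = 100_000                   # assumed cost parameter


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_complexity(password, username):
    """Return a list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and digits")
    lowered = password.lower()
    if any(w in lowered for w in WEAK_WORDS) or username.lower() in lowered:
        problems.append("dictionary word or user-associated word")
    return problems


class Account:
    def __init__(self, username, sensitivity="CI"):
        self.username = username
        self.sensitivity = sensitivity      # "CI" or "II"
        self.history = []                   # (salt, hash) pairs, newest last
        self.changed_at = None
        self.failures = []                  # timestamps of consecutive failed attempts
        self.locked_until = None

    def set_password(self, password, now):
        """Apply complexity and reuse rules; return the list of violations."""
        problems = check_complexity(password, self.username)
        if problems:
            return problems
        if any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history):
            return ["password reuse not permitted"]
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        return []

    def password_expired(self, now):
        return self.changed_at is None or now - self.changed_at > MAX_AGE[self.sensitivity]

    def login(self, password, now):
        """Return 'ok', 'locked', 'expired' or 'bad_password'."""
        if self.locked_until and now < self.locked_until:
            return "locked"
        if not self.history:
            return "bad_password"
        salt, h = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), h):
            # Keep only failures inside the window, then count this one.
            self.failures = [t for t in self.failures if now - t <= FAILURE_WINDOW]
            self.failures.append(now)
            if len(self.failures) > MAX_FAILURES:
                self.locked_until = now + LOCKOUT
                self.failures = []
                return "locked"
            return "bad_password"
        self.failures = []                  # a valid password ends the streak
        if self.password_expired(now):
            return "expired"
        return "ok"


def demo_lockout():
    """Walk-through on constructed timestamps: four bad attempts lock the id, the
    correct password is still refused while locked, accepted after the lockout,
    and reported expired once the CI rotation age has passed."""
    acct = Account("alice", "CI")
    t0 = datetime(2024, 1, 1, 9, 0)
    assert acct.set_password("Xk7qv2mR9", t0) == []
    reuse = acct.set_password("Xk7qv2mR9", t0)
    steps = [("wrong1234", 1), ("wrong1234", 2), ("wrong1234", 3), ("wrong1234", 4),
             ("Xk7qv2mR9", 5), ("Xk7qv2mR9", 35)]
    logins = [acct.login(pw, t0 + timedelta(minutes=m)) for pw, m in steps]
    logins.append(acct.login("Xk7qv2mR9", t0 + timedelta(days=46)))
    return {"reuse": reuse, "logins": logins}
```

Two details worth noting: the failure counter is reset only by a successful authentication or by the lockout itself, so attempts spaced just inside the 15 minute window still accumulate, and hashes are compared with `hmac.compare_digest` so the reuse check does not leak timing information about stored history.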
--- ATTACHMENT 2 ---
Anti-Skimming Prevention Procedures & Detection Processes
ISA-Ecash’s Anti-Skimming Procedures & Detection Processes require our employees and sub-contractors to inspect each ATM when the terminal is serviced, looking for evidence of foreign skimming devices and surveillance equipment on, around or in the machine.
ATM Machine Types:
ISA-Ecash deploys Nautilus Hyosung models NH2700 and NH HALOII. To assist in the anti-skimming process, on the NH2700 we install a PIN Pad Protector that shields the keypad while the cardholder is entering their PIN. This Protector effectively blocks the entry of the PIN from the view of an external camera. The NH HALOII has a recessed PIN pad that performs the same function.
Standards for Surveying ATM Equipment:
ISA-Ecash’s employees and sub-contractors are responsible for complying and performing the following procedures.
1. Upon each visit, inspect the card reader and surrounding areas to determine whether a skimmer is currently on the machine, or whether there are signs of sticky residue indicating that a skimmer was on the machine.
2. Verify the PIN Pad Protector is over the keypad and secure, and that no modifications have been made to the Protector.
3. Look for any pinhole cameras that could be hidden on the front fascia of the ATM.
4. Visually scan the surrounding area that has a line of sight towards the keypad, card reader or front of the ATM for surveillance equipment.
5. Visually scan above, towards the ceiling, and to the far left and right for surveillance equipment.
6. Inspect the power cord and any cables leading to or coming from the interior of the ATM cabinet to ensure only ATMB cables are attached to the machine.
7. Perform a transaction. Look for any alterations to the transaction procedures, screen prompts, etc. Make sure the transaction screen flow is as designed by the manufacturer.
Detection Procedures:
If, during the inspection of the ATM, a Skimming Device is found ISA-Ecash’s employees and sub-contractors are required to perform the following tasks:
1. Call 911. Provide the Police with your name, your employer’s name, your location, and the fact that you have found a skimming device on the ATM involved.
2. Inform the manager of the location in which the ATM is located about the incident.
3. Immediately take pictures of the device, email the pictures to ISA-Ecash.com and notify the Compliance Officer at ISA-Ecash’s office.
4. Do not touch anything until the police arrive.
5. With the Police officer as your witness, open the top of the ATM and take pictures of the interior of the ATM. Send pictures to management immediately.
6. Stay on-site until the Detective arrives. Communicate with Detective until the report is complete.
7. Remove tampering evidence from machine after turning machine off.
8. Place large bag over ATM and place “Out of Service” notice on the bag.
9. Inform Property Management that a team from ATMB will re-visit the location to remove and replace the current ATM with a new one as soon as practically possible.
ISA-Ecash Remediation Process:
1. Upon notification of skimming device detection, contact Branding Partner with the Terminal ID number and report the incident.
2. Contact the processor and place a request to suspend the Terminal ID number.
3. Working with the processor and internal ATMManager Pro software, create a report to provide the “PAN Numbers” of potentially affected customers.
4. Verify when our last site visit occurred.
5. Run reports since our last site visit
6. Inform Branding Partner, if any, of incident.
7. Inspect the ATM for altered hardware, completely reprogram the ATM, enter new encryption keys and bring the ATM back into service.
--- ATTACHMENT 3 ---
ATM Deployment Policy
It is ISA-Ecash’s Policy to deploy only ATMs that conform to the following:
The 2010 Americans with Disabilities Act (ADA) Standards for Accessible Design, which include Height and Reach, Privacy, Speech Output, Input Controls, Numeric Keys, Function Keys, Display Screen and Braille Instructions.
The PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI) for the EPP keypad in the ATM.
The ATM must be equipped with an EMV Card Reader and the card reader must have EMV enabled.
The ATM must display the Regulation E surcharge notice on the screen if the user of the ATM will be charged a surcharge.