Table of Contents Copyright Janco Associates, Inc. 2


Table of Contents

License Conditions
Table of Contents
Compliance Management
  Compliance Requirements
  Record Classification, Management, Retention, and Destruction
  ISO Security Domains
  ISO
  HIPAA
  General Data Protection Regulation (GDPR)
  Gramm-Leach-Bliley (Financial Services Modernization)
  FTC Information Safeguards
  Sarbanes-Oxley Act
  State Security Breach Notification Laws
  California Consumer Privacy Act
  California SB 1386 Personal Information Privacy
  Massachusetts 201 CMR Data Protection Requirements
  Implementation
  Understand the enterprise's requirements
Compliance Management Kit Version
  Silver Edition
  Gold Edition
  Platinum Edition
  COBIT Edition
Version History

Compliance Management

Compliance is not an isolated IT project; it's an enterprise-wide endeavor that requires cooperation between business units and a deep understanding of the requirements, regulations, mandates and IT controls necessary for your industry and business. Compliance is a business requirement that demands a cross-functional approach, involving people, processes and technology across the enterprise. Taking the steps necessary to understand, define and implement the appropriate IT controls and frameworks for your business will simplify compliance and reduce the costs and resources involved in completing compliance-related tasks. More small and mid-sized businesses are affected by state mandates (e.g., California, Massachusetts, New York, and others) than by federal and SEC mandates.

Compliance Requirements

Record Classification, Management, Retention, and Destruction

The reality is that while regulatory compliance data, including Sarbanes-Oxley, ISO, financial or HIPAA medical data, require long-term retention, much other common application data for almost every business, including businesses that do not fall under regulatory requirements, can benefit from, if not require, long-term data retention. The notion is to think beyond regulatory compliance. In other words, organizations of all sizes need and rely on information, both current and past.

A record is essentially any material that contains information about your company's plans, results, policies or performance. In other words, anything about your company that can be represented with words or numbers can be considered a business record, and you are now expected to retain and manage every one of those records, for several years or even permanently depending on the nature of the information. The need to manage potentially millions of records each year creates many new challenges for your business, and especially for your IT managers, who must come up with rock-solid solutions to securely store and manage all this data.

Record Classification and Retention Periods

Record Classification Type              Retention Period
Accounts Payable Ledger                 7 years
Accounts Payable Transactions           7 years
Accounts Receivable Ledger              7 years
Accounts Receivable Transactions        7 years
Accountant Audit Reports                Permanently
Bank Statements                         7 years
Capital Stock and Bond Records          Permanently
Charts of Accounts                      Permanently
Contracts and Leases                    Permanently
Correspondence (legal)                  Permanently
Deeds, Mortgages, Bills of Sale         Permanently
Employee Payroll Records                Permanently
Contractor Payment Records              7 years
Employment Applications                 3 years
Inventory Records (products)            7 years
Insurance Records                       Permanently
Invoices to Customers                   5 years
Invoices from Vendors                   5 years
Patents                                 Permanently
Payroll Records and Tax Returns         7 years
Purchase Orders                         5 years
Safety Records                          6 years
Time Cards and Reports                  7 years
Training Manuals                        Permanently
Union Agreements                        Permanently

Janco has a Record Classification, Management, Retention, and Destruction policy. It is a detailed template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.

ISO Security Domains

The International Standards Organization (ISO) has developed two specifications on the governance of information security, ISO and ISO. Both have originated from British Standards, BS7799 parts 1 and 2, which have been used to certify over 2,500 organizations around the world. ISO is an international code of practice, or implementation framework, for information security best practices. ISO serves as the auditing and certification standard for the ISO framework, with 133 information security controls covering eleven domains, and also specifies how to design an ISO-certified Information Security Management System (ISMS). Further, ISO also specifies the Plan-Do-Check-Act (PDCA) model for continuous quality improvement, which is the same PDCA model used in ISO 9001 Total Quality Management (TQM) initiatives. According to the Institute of Internal Auditors (IIA), the PDCA cycle helps the organization to know how far and how well it has progressed and influences the time and cost estimates to achieve compliance.

BSI Management Systems, the world's largest ISO certification body and the author of the BS7799 standards, defined the ISMS as a systematic approach to managing sensitive company information so that it remains secure. The ISMS encompasses people, processes, and IT systems.

The ISO Domain standard comprises 11 distinct domains of information security. The Security Manual Template addresses each throughout the template, with particular emphasis in the sections outlined below:

ISO Security Domain                                          Security Manual Template Sections
Security Policy                                              Security General Policy Chapter
Organization of Information Security                         Responsibility Chapter
Asset Management                                             Insurance Chapter; Physical Control Chapter
Human Resources Security                                     Facility design, construction, and operational considerations Chapter; Physical Control Chapter
Physical and Environmental Security                          Data and Software Security Chapter
Communications and Operations Management                     Responsibilities Chapter; Physical Control Chapter
Access Control                                               Access Control Chapter
Information Systems Acquisition, Development and Maintenance Processes, Forms, and Checklist - Appendix
Information Security Incident Management                     Incident Reporting Procedure - Appendix
Business Continuity Management                               Internet and IT Contingency Planning Chapter
Compliance                                                   Minimum and Mandated Security Standards and Best Practices to Manage Compliance Chapters

ISMS (Information Security Management System). The purpose of this proposed development is to provide help and guidance in implementing an ISMS. This will be a quality control standard when it is released. ISO will focus on utilizing the Plan-Do-Check-Act (PDCA) method when establishing, implementing, reviewing, and improving the ISMS.

ISO
This is the designated number for a PROPOSED standard covering information security, system management, measurement, and metrics.

ISO
This is the name of a PROPOSED, emerging standard covering information security risk management. As with the other standards within the ISO series, no firm dates have been established for its release. However, it will define the ISMS risk management process, including identification of assets, threats, and vulnerabilities. This is the ISO number assigned for an emerging standard for information security risk management.

ISO
This standard offers guidelines for the accreditation of organizations that offer certification and registration with respect to an ISMS.

Information is an asset that, like other important business assets, is essential to an enterprise's business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. Because of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities (see the OECD Guidelines for the Security of Information Systems and Networks). Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in

HIPAA

The U.S. Department of Health and Human Services (HHS) has published a final rule amending Health Insurance Portability and Accountability Act (HIPAA) regulations by adding provisions that require notice to patients and others of a "breach," or disclosure of unsecured protected health information (PHI), by HIPAA-covered entities and business associates (the "HIPAA Rule"). The Federal Trade Commission published the Health Breach Notification Rule to address breach notification by personal health-record vendors (the "FTC Rule").

In general, the HIPAA Rule requires that a HIPAA-covered entity (a healthcare provider, payer or clearinghouse) notify an individual when unsecured PHI has been improperly disclosed. The entity must also notify HHS of confirmed breaches, either through an annual report or sooner, depending on the number of individuals affected. In some instances, the media must also be notified. The HIPAA Rule specifies the content of the notice.

Integral components of the HIPAA Rule are the definitions of "unsecured PHI" and "breach," which exclude unauthorized uses and disclosures that do not violate the HIPAA Rule and do not significantly harm an individual. The HIPAA Rule and its preamble reveal a new twist in HHS's perspective on when, for notice purposes, a business associate is acting as an agent as opposed to an independent contractor, a potentially confusing aspect of the HIPAA Rule.

State Security Breach Notification Laws

The landscape for CIOs and protection of personal information continues to become more complex as more states add breach notification laws. Currently, forty-six states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

State Notification Requirements Table

State          Statute
Alaska         Alaska Stat. et seq.
Arizona        Ariz. Rev. Stat.
Arkansas       Ark. Code et seq.
California     Cal. Civ. Code 56.06, , ,
Colorado       Colo. Rev. Stat.
Connecticut    Conn. Gen. Stat. 36a-701b
Delaware       Del. Code tit. 6, 12B-101 et seq.
Florida        Fla. Stat.
Georgia        Ga. Code , -911
Hawaii         Haw. Rev. Stat. 487N-2
Idaho          Idaho Stat. to
Illinois       815 ILCS 530/1 et seq.

Compliance Management Kit Version

The Compliance Management Kit comes in 3 separate versions: Silver, Gold and Platinum. In addition, each version can be acquired as a standalone item or with 12 or 24 months of update service.

Silver Edition
- Compliance Management White Paper
- Security Audit Program - fully editable
  -- Comes in MS EXCEL and PDF formats
  -- Meets ISO 27001, 27002, Sarbanes-Oxley, PCI-DSS and HIPAA requirements
  -- Over 400 unique tasks divided into 11 areas of audit focus, which are then divided into 39 separate task groupings including BYOD
- PCI Audit Program - Word and PDF
- Job Descriptions (31 key positions) - Word format (fully editable) and PDF
  o Chief Compliance Officer (CCO), Director Electronic Commerce, Manager BYOD Support, Manager Internet - Intranet Activities, Manager Internet Systems, Manager Point of Sale, Manager Record Administration, Manager Transaction Processing, Manager Video and Website Content, Manager Web Content, Manager Wireless Systems, BYOD Support Specialist, e-Commerce Coordinator, e-Commerce Coordinator Senior, e-Commerce Specialist, Internet-Intranet Administrator, On-Line Transaction Processing Analyst, PCI-DSS Administrator, PCI-DSS Coordinator, POS Coordinator, POS Hardware Coordinator, POS Senior Coordinator, Record Management Coordinator, System Administrator - Linux, System Administrator - UNIX, System Administrator - Windows, Web Analyst, Web Site Designer, Webmaster, Wireless Coordinator, and Wi-Fi Administrator

Gold Edition
- Compliance Management White Paper
- Security Audit Program
- PCI Audit Program
- Job Descriptions (31 key positions)
- Record Classification and Management Policy - Word - policy which complies with mandated US, EU, and ISO requirements
- Privacy Compliance Policy that addresses the EU's GDPR and the latest California Consumer Privacy Act

Platinum Edition
- Compliance Management White Paper
- Security Audit Program
- PCI Audit Program
- Job Descriptions (31 key positions)
- Record Classification and Management
- Privacy Compliance Policy that addresses the EU's GDPR and the latest California Consumer Privacy Act
- Security Manual Template - Word, plus packed pages which are usable as is. Over 3,000 companies worldwide have chosen this as the basis for their best practices to meet mandated US, EU and ISO requirements

COBIT Edition
A much more robust version of the Compliance Kit, which contains:
- Compliance Management White Paper
- Record Classification Management Retention and Destruction Policy
- IT Infrastructure, Strategy, and Charter Template
- Disaster Recovery Business Continuity Template
- Practical Guide for IT Outsourcing
- Service Level Agreement Policy Template with Sample Metrics
- Metrics for the Internet, Information Technology, and Service Management
- IT Service Management (ITSM) Service Oriented Architecture (SOA)
- Internet and Information Technology Position Descriptions HandiGuide
- Security Policies and Procedures
- Security Audit Program
- Business and IT Impact Questionnaire
- IT Salary Survey

Version History

Version 3.2
- Updated to meet the latest privacy and security mandates
- Added epub version to the standard offering

Version 3.1
- Updated to include GDPR
- Updated to include CaCPA
- Updated all mandated requirements

Version 3.0
- Updated to meet the latest ISO requirements
- Updated to reflect the US, EU, and state-mandated requirements
- Added sections on FISMA, FCRA, FACTA and COPPA compliance requirements

Version 2.2
- Updated with a table of State Notification mandated requirements

Version 2.1
- Updated text to reflect compliance requirements as of January 2012
- Added HIPAA section

Version 2.0
- Updated text to reflect compliance requirements as of January

Compliance Management Job Descriptions HandiGuide Bundle

Table of Contents

Chief Compliance Officer (CCO)
Chief Mobility Officer
Chief Security Officer
Director Electronic Commerce
Director IT Management and Controls
Director Sarbanes-Oxley Compliance
Manager BYOD Support
Manager Compliance
Manager E-Commerce
Manager Enterprise Architecture
Manager Internet - Intranet Activities
Manager Internet Systems
Manager Record Administration
Manager Transaction Processing
Manager Video and Website Content
Manager Web Content
Manager Wireless Systems
PCI-DSS Administrator
System Administrators - Linux
System Administrators - Windows
System Administrators - UNIX
Webmaster
Wi-Fi Network Administrator

Chief Compliance Officer (CCO)

Position Purpose

The Corporate Compliance Officer's role is to oversee and review all legal technology issues across the organization. This includes providing objective assessments of the company's compliance with legislation governing the organization's information technology systems and industry-specific regulations. The Corporate Compliance Officer also directs the development and implementation of policies and procedures to ensure that the organization's practices remain observant of all pertinent local, state/province/county, and federal laws.

The Chief Compliance Officer oversees the Corporate Compliance Program, functioning as an independent and objective body that reviews and evaluates compliance issues/concerns within the organization. The position ensures that the Board of Directors, management and employees are in compliance with the rules and regulations of regulatory agencies, that company policies and procedures are being followed, and that behavior in the organization meets the company's Standards of Conduct. The Corporate Compliance Office exists:
- As a channel of communication to receive and direct compliance issues to appropriate resources for investigation and resolution, and
- As a final internal resource with which concerned parties may communicate after other formal channels and resources have been exhausted.

The Chief Compliance Officer (CCO) is responsible for overall direction of all compliance issues associated with Information Technology applications, communications (voice and data), and computing services within the enterprise. At the same time, the CCO must be aware of the implications of legislated requirements that impact security for the enterprise. This includes but is not limited to Sarbanes-Oxley Section 404 requirements.

The CCO has the responsibility for global and enterprise-wide information security; he/she is also responsible for the physical security, protection services and privacy of the corporation and its employees. The CCO oversees and coordinates compliance efforts across the enterprise, including information technology, human resources, communications, legal, facilities management, and other groups, to identify security initiatives and standards. The CCO works closely with the chief information officer and the chief security officer and must have a strong working knowledge of information technology.

Problems and Challenges

The Chief Compliance Officer acts as staff to the CEO and the Board of Trustees Corporate Compliance Committee by monitoring and reporting results of the compliance/ethics efforts of the company and by providing guidance for the Board and senior management team on matters relating to compliance. The Chief Compliance Officer, together with the Corporate Compliance Committee, is authorized to implement all necessary actions to ensure achievement of the objectives of an effective compliance program.

The major challenge for this individual is defining and managing the compliance issues of an enterprise with revenues in excess of $(sales volume supported) per year while balancing compliance issues with financial and marketing needs. This is to be accomplished with the use of information and compliance technology that supports both self-generated enterprise growth and growth through acquisition. Seamless integration of compliance requirements, including data and information from the customer through financial statement and management reporting, is one of the primary challenges of this position.

Security is a critical issue in the standardization of technology, applications, office automation, and workstations for the enterprise. As such, it is extremely important to the enterprise's current and future business operations. The Chief Compliance Officer (CCO) ensures the continued success of these areas while simultaneously minimizing costs and maximizing equipment and employee performance. This position requires time management skills in directing a variety of projects, in addition to an understanding of the ways in which security is an issue within all areas of the enterprise.

The position requires supervisory/management experience and the flexibility to deal with people at a variety of levels: internally, enterprise staff, the board of directors, finance staff and other senior executive staff; and externally, auditors, employer groups, service providers and industry associations.

Essential Position Functions

Principal Accountabilities

- Develops, initiates, maintains, and revises policies and procedures for the general operation of the Compliance Program and its related activities to prevent illegal, unethical, or improper conduct.
- Sets the standards that are used to validate that the change control system complies with IT Service Management (ITSM) and Service-Oriented Architecture (SOA).
- Is knowledgeable of and complies with mandated security, disaster recovery and business continuity, internal control, and financial reporting requirements, including ISO 27031, Sarbanes-Oxley, GDPR, and HIPAA.
- Sets the policies and procedures that are used to validate that the enterprise complies with standards and requirements.
- Manages day-to-day operation of the Program.
- Develops and periodically reviews and updates Standards of Conduct to ensure continuing currency and relevance in providing guidance to management and employees.
- Collaborates with other departments (e.g., Risk Management, Internal Audit, Employee Services, etc.) to direct compliance issues to appropriate existing channels for investigation and resolution.
- Consults with the corporate attorney as needed to resolve difficult legal compliance issues.
- Responds to alleged violations of rules, regulations, policies, procedures, and Standards of Conduct by evaluating or recommending the initiation of investigative procedures. Develops and oversees a system for uniform handling of such violations.
- Acts as an independent review and evaluation body to ensure that compliance issues/concerns within the organization are being appropriately evaluated, investigated and resolved.
- Monitors, and as necessary coordinates, compliance activities of other departments to remain abreast of the status of all compliance activities and to identify trends.
- Identifies potential areas of compliance vulnerability and risk; develops/implements corrective action plans for resolution of problematic issues, and provides general guidance on how to avoid or deal with similar situations in the future.
- Provides reports on a regular basis, and as directed or requested, to keep the Corporate Compliance Committee of the Board and senior management informed of the operation and progress of compliance efforts.
- Ensures proper reporting of violations or potential violations to duly authorized enforcement agencies as appropriate and/or required.
- Establishes and provides direction and management of the Compliance Hotline.
- Institutes and maintains an effective compliance communication program for the organization, including promoting (a) use of the Compliance Hotline; (b) heightened awareness of Standards of Conduct; and (c) understanding of new and existing compliance issues and related policies and procedures.

- Works with the Human Resources Department and others as appropriate to develop an effective compliance training program, including appropriate introductory training for new employees as well as ongoing training for all employees and managers.
- Monitors the performance of the Compliance Program and related activities on a continuing basis, taking appropriate steps to improve its effectiveness.
- Manages all implications of mandated and regulated security requirements such as Sarbanes-Oxley.
- Works closely with both internal and external auditors.
- Conducts annual compliance assessments.
- Identifies protection goals and objectives consistent with the corporate strategic plan.
- Manages the development and implementation of global compliance policy, standards, guidelines and procedures to ensure ongoing maintenance of security.
- Identifies key compliance program elements.
- Maintains relationships with local, state and federal law enforcement and other related government agencies.
- Oversees the investigation of compliance failures and assists with disciplinary and legal matters associated with such failures as necessary.
- Works with outside consultants as appropriate for independent security audits.
- Understands and applies processes that support new governmental initiatives such as laws like the Patriot Act.
- Provides a leadership role in the design and implementation of compliance procedures and processes in computer and communication hardware, operating system software and productivity tools.
- Manages development and implementation of global compliance policy, standards, guidelines and procedures to ensure ongoing compliance.
- Coordinates implementation plans, compliance product purchase proposals, and project schedules.
- Provides support to SBUs and external groups in the application of the enterprise's compliance policies.
- Develops plans for migration of compliance processes, procedures and policies to support necessary future directions of the enterprise.
- Develops long-range compliance strategy for the enterprise.
- Defines the direction of in-house technical training seminars to improve overall employee awareness, response time, and ability to look into the future compliance requirements of the enterprise.
- Participates in local and national user group presentations, and publishes articles describing enterprise activities and assessments of compliance requirements and how they relate to the business.
- Develops and manages effective working relationships with other departments, groups, and personnel with whom work must be coordinated or interfaced.
- Assists in evaluating the technical staff of enterprise and SBU compliance functions.

- Maintains external links to other companies in the industry to gain competitive assessments and share information, where appropriate.
- Identifies the emerging information technologies to be assimilated, integrated and introduced within the enterprise which could significantly impact the enterprise's compliance with mandated requirements.
- Interfaces with external industrial and academic organizations in order to maintain state-of-the-art knowledge in emerging compliance issues and to enhance the enterprise's image as a first-class enterprise utilizing the latest thinking in this field.
- Monitors the installed and planned-to-be-installed compliance processes and procedures.
- Monitors the set of standards that establish:
  -- Mandatory security standards;
  -- Security for classes of acquired equipment;
  -- Documentation procedures for each security process and/or procedure in place within the enterprise;
  -- Identification of security process/procedure maintenance standards; and
  -- Examination of security procedures for all business functions developed as independent islands to ensure that they do not conflict with enterprise needs and that any necessary interfaces are constructed.

Authority

The CCO has the authority to recommend the implementation of and purchase of any of the equipment necessary for the security of the enterprise's operations (within the guidelines established by the enterprise). The CCO has the authority to engage external consultants as necessary to assist in large compliance projects (within the guidelines established by the enterprise).

Hiring - The CCO will hire/terminate direct reports, as well as approve staff reporting to the direct reports. Included in this responsibility is the discipline, promotion, salary adjustment, etc., of staff, including providing guidelines for all compliance functions within the enterprise, including the SBUs that may not directly report to this position.

Budgetary - The CCO is responsible for oversight and review of staffing, projects, and performance of all compliance functions of the organization.

Contract Review - All contracts for compliance-related expense and capital expenditures will be subject to a review by the CCO.

Contacts

Internal Contacts - The most frequent internal contacts are with the Board of Directors, Executive Management, Chief Information Officer, Chief Security Officer, and IT Staffs of all SBUs. In addition, there is significant contact with all functions within the enterprise, including:
- Internal Legal Counsel
- Internal Audit
- Human Resources

External Contacts - The primary external contacts are with contract service providers, customers, vendors, and industry peers. Contact with information technology product and service companies is also made on a periodic basis. In addition, there is significant contact with all external support functions of the enterprise, including:
- External Legal Counsel
- External Audit
- Outsource Suppliers

Position Requirements

- A minimum of 10 years' experience, to include demonstrated leadership.
- Familiarity with operational, financial, quality assurance, and human resource procedures and regulations.
- Must be an intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff.
- Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation.
- Should have some background in law, law enforcement or intelligence.
- Must have a solid understanding of information technology and information security (including firewalls, VPNs, penetration testing and other security devices).
- Ability to work and effectively prioritize in a highly dynamic work environment.
- Experience with disaster recovery planning, testing, auditing, risk analysis, business resumption planning, contingency planning; TCP/IP firewalls, VPNs, and other security devices; as well as contract and vendor negotiation experience.
- Generally, a graduate degree in business or a related field together with significant executive experience and knowledge of the business industry is required.
- Strong knowledge of contracting, negotiating, organization development/change management, technology trends, the political and legislative process, strategic planning, action planning, and supervision is required for successful performance.
- Very strong conceptual, analytical, judgment and communication abilities are critical.

PCI Data Security Audit

PCI Audit Program Table of Contents

PCI Compliance Security Audit Program
  Introduction
  Policy - Sensitive Information Policy - Credit Card, Social Security, Employee, and Customer Data
  Policy - Record Management, Retention, and Disposition Policy
  PCI DSS Applicability Information
  Scope of Assessment for Compliance with PCI DSS Requirements
  Instructions and Content for Report on Compliance
  Revalidation of Open Items
Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software or programs
  Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security for employees and contractors
Appendix A: PCI DSS Applicability for Hosting Providers (with Testing Procedures)
  Requirement A.1: Hosting providers protect cardholder data environment
Appendix B: Compensating Controls
  Compensating Controls - General
  Compensating Controls for Requirement
Appendix C: Compensating Controls Completed Example/Worksheet
  Compensating Controls Worksheet
What's New

PCI Compliance Security Audit Program

Introduction

The PCI Security Audit Procedures [1] are designed for use by assessors conducting onsite reviews for merchants and service providers required to validate compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) requirements. The requirements and audit procedures presented in this document are based on the PCI DSS and the most recent set of privacy mandates, including GDPR.

This document contains the following:
- Introduction
- Policy - Sensitive Information
- Policy - Record Management, Retention, and Disposition
- PCI DSS Applicability Information
- Scope of Assessment for Compliance with PCI DSS Requirements
- Instructions and Content for Report on Compliance
- Revalidation of Open Items
- Security Audit Procedures
- Appendices
  o Appendix A: PCI DSS Applicability for Hosting Providers (with Testing Procedures)
  o Appendix B: Compensating Controls
  o Appendix C: Compensating Controls Worksheet/Completed Example

With ever-increasing requirements placed by government legislatures and regulatory agencies, there are often competing and conflicting data retention/disposition requirements. For this reason, we have provided draft policies which can be utilized to create a customized Sensitive Information Policy and a Record Management, Retention, and Disposition Policy.

[1] Portions of this test program were extracted from the published PCI requirements and have been enhanced by Janco Associates, Inc. Note that we are not attorneys and do not express any legal or PCI standards opinion in this document. Users of this audit program should consult with their own legal and PCI compliance staff.

PCI DSS Applicability Information

The following table illustrates commonly used elements of cardholder and sensitive authentication data; whether the storage of each data element is permitted or prohibited; and whether each data element must be protected. This table is not exhaustive but is presented to illustrate the different types of requirements that apply to each data element. At the same time, compliance with Record Retention and Disposition standards (see the Record Management, Retention, and Disposition Policy in this document) needs to be coordinated with the PCI DSS requirements. A Sensitive Information Policy (see the draft policy in this document) for the enterprise should be implemented.

Data Element                      Storage Permitted   Protection Required   PCI DSS Requirement 3.4
Cardholder Data
  Primary Account Number (PAN)    Yes                 Yes                   Yes
  Cardholder Name*                Yes                 Yes*                  No
  Service Code*                   Yes                 Yes*                  No
  Expiration Date                 Yes                 Yes*                  No
Sensitive Authentication Data**
  Full Magnetic Stripe            No                  N/A                   N/A
  CVC2/CVV2/CID                   No                  N/A                   N/A
  PIN / PIN Block                 No                  N/A                   N/A

* These data elements must be protected if stored in conjunction with the PAN (Primary Account Number). This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data or proper disclosure of a company's practices if consumer-related personal data is being collected during business operations. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
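The table above can be turned into a pre-storage check that an application or a data-retention job runs before it persists a payment record. The following is an added example, not code from the Janco audit program or from the PCI DSS: it encodes the storage-permitted rule, the "protect when stored with the PAN" footnote and the "never after authorization" footnote. The field names, the StorageDecision type and the sample records are constructed for this example.

```python
"""Storage review for cardholder and sensitive authentication data.

Added example, not part of the Janco audit program. It encodes the
storage-permission and protection rules of the PCI DSS applicability
table so a record can be checked before it is persisted. Field names,
the StorageDecision layout and the sample records are constructed.
"""
from dataclasses import dataclass, field

# Cardholder data elements (table rows). Storage is permitted; the PAN is
# always protected (PCI DSS Requirement 3.4 applies) and the other elements
# need protection when they are stored in conjunction with the PAN.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}

# Sensitive authentication data (table footnote **): must not be stored
# after authorization, even if encrypted.
SENSITIVE_AUTH_DATA = {"full_magnetic_stripe", "cvc2_cvv2_cid", "pin_block"}


@dataclass
class StorageDecision:
    allowed: bool = True
    violations: list = field(default_factory=list)
    must_protect: set = field(default_factory=set)


def review_record(record: dict, post_authorization: bool = True) -> StorageDecision:
    """Decide whether `record` may be written to persistent storage.

    `record` maps the constructed field names above to values; empty values
    count as absent. `post_authorization` is False only while the
    transaction is still being authorized.
    """
    decision = StorageDecision()
    present = {name for name, value in record.items() if value not in (None, "")}

    # Footnote **: sensitive authentication data is never stored after
    # authorization. Before authorization it may exist transiently.
    if post_authorization:
        for elem in sorted(present & SENSITIVE_AUTH_DATA):
            decision.violations.append(f"{elem}: storage prohibited after authorization")
        decision.allowed = not decision.violations

    # Footnote *: the other cardholder data elements need PCI DSS protection
    # only when stored together with the PAN; PCI DSS does not apply to a
    # record that carries no PAN.
    if "pan" in present:
        decision.must_protect = present & CARDHOLDER_DATA

    return decision


def storage_policy_violations(records: list) -> list:
    """Run review_record over a batch of records and collect every violation."""
    findings = []
    for index, record in enumerate(records):
        for violation in review_record(record).violations:
            findings.append(f"record {index}: {violation}")
    return findings


if __name__ == "__main__":
    # Constructed sample records; 4111111111111111 is a well-known test PAN.
    sample = [
        {"pan": "4111111111111111", "cardholder_name": "A. Sample", "cvc2_cvv2_cid": "123"},
        {"pan": "4111111111111111", "expiration_date": "12/30"},
        {"cardholder_name": "A. Sample"},
    ]
    for line in storage_policy_violations(sample):
        print(line)
    print(review_record(sample[1]))
```

The check deliberately distinguishes "may not be stored" (a violation that blocks the write) from "must be protected" (a requirement the storage layer has to satisfy, for example under Requirement 3.4 for the PAN), because the table treats those as separate questions.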

Scope of Assessment for Compliance with PCI DSS Requirements

The PCI DSS security requirements apply to all system components. A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (internet) applications.

Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from the rest of the network, may reduce the scope of the cardholder data environment. The assessor must verify that the segmentation is adequate to reduce the scope of the audit.

A service provider or merchant may use a third party provider to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment. The relevant services of the third party provider must be scrutinized either in:
1. Each of the third party provider's clients' PCI audits; or
2. The third party provider's own PCI audit.

For service providers required to undergo an annual onsite review, compliance validation must be performed on all system components where cardholder data is stored, processed, or transmitted unless otherwise specified.

For merchants required to undergo an annual onsite review, the scope of compliance validation is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is stored, processed, or transmitted, including the following:
- All external connections into the merchant network (for example: employee remote access, payment card company, third party access for processing, and maintenance)
- All connections to and from the authorization and settlement environment (for example, connections for employee access or for devices such as firewalls and routers)
- Any data repositories outside of the authorization and settlement environment where more than 500 thousand account numbers are stored. Note: Even if some data repositories or systems are excluded from the audit, the merchant is still responsible for ensuring that all systems that store, process, or transmit cardholder data are compliant with the PCI DSS.
- A point-of-sale (POS) environment: the place where a transaction is accepted at a merchant location (that is, retail store, restaurant, hotel property, gas station, supermarket, or other POS location). If there is no external access to the merchant location (by the Internet, Wi-Fi, Bluetooth, a virtual private network (VPN), dial-in, broadband, or publicly accessible machines such as kiosks), the POS environment may be excluded.
- Wireless: If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, "line-busting"), or if a wireless local area network (LAN) is connected to or part of the cardholder environment (for example, not clearly separated by a firewall), the Requirements and Testing Procedures for wireless environments apply and must be performed.
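The scoping rule above (components that hold cardholder data form the CDE; anything connected to the CDE is in scope unless verified segmentation isolates it) is easy to get wrong on a flat network. The following added example, not part of the Janco audit program, computes the in-scope set from a component inventory and its links; the inventory, component names and the Link/Component types are constructed, and treating "connected to" transitively across unsegmented links is this example's conservative assumption rather than a statement from the page.

```python
"""Assessment scope from a component inventory.

Added example, not part of the Janco audit program. Every component that
stores, processes or transmits cardholder data is in the cardholder data
environment (CDE); any component connected to the CDE is in scope unless
assessor-verified segmentation isolates it. Following links transitively
is this example's conservative assumption. Names are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    kind: str                   # "network", "server" or "application"
    handles_chd: bool = False   # stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    segmented: bool = False     # True only once the assessor has verified the isolation


def assessment_scope(components: list, links: list) -> set:
    """Return the names of all in-scope components.

    Starts from the CDE and follows every unsegmented link in both
    directions; a link the assessor has verified as adequate segmentation
    does not carry scope across it.
    """
    adjacency = {c.name: set() for c in components}
    for link in links:
        if link.segmented:
            continue
        adjacency[link.a].add(link.b)
        adjacency[link.b].add(link.a)

    in_scope = {c.name for c in components if c.handles_chd}
    queue = deque(in_scope)
    while queue:
        current = queue.popleft()
        for neighbour in adjacency[current]:
            if neighbour not in in_scope:
                in_scope.add(neighbour)
                queue.append(neighbour)
    return in_scope


# Constructed inventory: a POS terminal and payment database behind a core
# firewall, with the corporate file server and HR application on the far side.
SAMPLE_COMPONENTS = [
    Component("pos_terminal", "application", handles_chd=True),
    Component("payment_db", "server", handles_chd=True),
    Component("core_firewall", "network"),
    Component("corp_file_server", "server"),
    Component("hr_app", "application"),
]


def sample_links(segmentation_verified: bool) -> list:
    """Same topology; only the firewall-to-corporate link's status changes."""
    return [
        Link("pos_terminal", "core_firewall"),
        Link("payment_db", "core_firewall"),
        Link("core_firewall", "corp_file_server", segmented=segmentation_verified),
        Link("corp_file_server", "hr_app"),
    ]


if __name__ == "__main__":
    flat = assessment_scope(SAMPLE_COMPONENTS, sample_links(False))
    segmented = assessment_scope(SAMPLE_COMPONENTS, sample_links(True))
    print("flat network, in scope:         ", sorted(flat))
    print("verified segmentation, in scope:", sorted(segmented))
```

Note that the firewall providing the segmentation stays in scope in both runs: it is connected to the CDE, and only the systems on the far side of the verified boundary drop out.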

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are computer devices that control computer traffic allowed into and out of a company's network, as well as traffic into more sensitive areas within a company's internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees' Internet-based access through desktop browsers, or employees' e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Worksheet columns: PCI DSS Requirements | Testing Procedures | In Place | Not in Place | Target Date/Comments

1.1 Establish firewall configuration standards that include the following:
    Testing: 1.1 Obtain and inspect the firewall configuration standards and other documentation specified below to verify that standards are complete. Complete each item in this section.

1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration
    Testing: 1.1.1a Verify that firewall configuration standards include a formal process for all firewall changes, including testing and management approval of all changes to external connections and firewall configuration.
             1.1.1b Verify that security policies are in place to control changes to the firewall.
             1.1.1c Verify logs are in place and are actively being monitored.

1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks
    Testing: 1.1.2a Verify that a current network diagram exists and verify that it documents all connections to cardholder data, including any wireless networks.
             1.1.2b Verify that the diagram is kept current.

What's New

Version 3.1
- Updated to meet the latest privacy and security requirements

Version 3.0
- Updated to meet the latest requirements

Version 2.1
- Updated graphics
- Updated tables
- Modified style sheet and format to be CSS compliant

Version 2.0
- Added Policy - Sensitive Information
- Added Policy - Record Management, Retention, and Disposition
- Modified audit program to be compliant with the two added policies


Security Audit Program Table of Contents

Introduction
Security Audit Program Summary
Security Audit Program
Security Policy Management Objectives
  Information Security Policy ... 1
Corporate Security Management Objectives
  Internal Security Organization ... 2
  External Use of the Enterprise Information ... 3
Organizational Asset Management Objectives
  Responsibility for the Enterprise Assets ... 4
  Information Classification System ... 4
Human Resource Security Management Objectives
  Security Prior to Employment ... 5
  Security During Employment ... 6
  Security at Termination ... 7
Physical and Environmental Security Management Objectives
  Secure Areas ... 8
  Enterprise Equipment ... 8
  BYOD ... 9
Communication and Operations Management Objectives
  Procedures and Responsibilities
  Third Party Service Delivery
  System Planning Activities
  Malicious and Mobile Code
  Back-up Procedures
  Computer Networks
  Media
  Exchange of Information
  Electronic Commerce
  Information Processing Facilities
Information Access Control Management Objectives
  Access to Information
  User Access Rights
  Access Practices
  Access to Network Services
  Access to Operating Systems
  Access to Applications
  Mobile and Remote Facilities
Systems Development and Maintenance Objectives
  Information System Application Security
  Application Processing Information
  Cryptographic Controls
  System Files
  Development and Support Processes
Information Security Incident Management Objectives
  Security Events and Weaknesses
  Managing Security Incidents and Improvements
Disaster Recovery and Business Continuity Objectives
  Disaster Recovery Plan / Business Continuity
Compliance Management Objectives
  Mandated Security Requirements
  Security Compliance Reviews
Security Audit Summary
Security Audit Program Completed Sample
Security Audit Program Summary Completed Sample

ISO, COBIT, HIPAA, and SOX Compliant

This audit program contains a list of tasks and weights assigned to each task. The Excel sheet calculates the value of both positive and negative points. Based on the audit, you place an "X" in the yes and/or no box and a value is automatically calculated. When the audit, which is on the worksheet 'Audit Program', is completed, all of the results are then posted on the summary worksheet and graphic charts can be generated from those tables (see the attached sample).

The worksheets Audit Program Summary, Audit Program, and Audit Program Graphic are integrated: if you change the name on any of those three worksheets, the Audit Program Summary sheet and Audit Program Graphic will not be generated correctly. We suggest that you make a copy of the entire Excel file and delete the "Sample" worksheets.

We have assigned weights to each element of the audit; you are free to update the weights to what you think they should be. We assume no liability for the weight assignment and leave that up to the user. Our weights are only recommendations and should be considered as such. The last three worksheets show a sample of the forms filled out with a set of summary graphics.

We assume that the individual completing the form is knowledgeable in the use of Excel spreadsheets. Included with the Excel spreadsheet is a PDF version of the audit program that can be duplicated and used in the process. For ease, you can fill out the survey manually and then transfer the data to the Excel worksheet.

NOTE: An item can be marked both as a yes and a no, in which case it will impact both the positive and negative score.

This audit program is not to be re-sold or redistributed without the expressed WRITTEN permission of Janco Associates, Inc.
support@e-janco.com

Security Audit Program Element Weights
- Disaster Recovery Plan and Business Continuity Objectives
- Security Policy Management Objectives
- Physical and Environmental Security Management
- Organizational Asset Management Objectives
- Communications and Operations Management Objectives
- Information Security Incident Management Objectives
- Human Resource Security Management Objectives
- Compliance Management Objectives
- Information Access Control Management Objectives
- Systems Development and Maintenance Objectives
- Corporate Security Management Objectives

Security Audit Program Summary (worksheet columns: Weight, Negative Score, Positive Score)

Security Policy Management Objectives
  Information Security Policy
Corporate Security Management Objectives
  Internal Security Organization
  External Use of the Enterprise Information
Organizational Asset Management Objectives
  Responsibility for the Enterprise Assets
  Information Classification System
Human Resource Security Management Objectives
  Security Prior to Employment
  Security During Employment
  Security at Termination
Physical and Environmental Security Management Objectives
  Secure Areas
  Enterprise Equipment
  BYOD Equipment -- Number of Devices
Communications and Operations Management Objectives
  Procedures and Responsibilities
  Third Party Service Delivery
  System Planning Activities
  Malicious and Mobile Code
  Back-up Procedures
  Computer Networks
  Media
  Exchange of Information
  Electronic Commerce
  Information Processing Facilities
Information Access Control Management Objectives
  Access to Information
  User Access Rights
  Access Practices
  Access to Network Services
  Access to Operating Systems
  Access to Applications
  Mobile and Remote Facilities
Systems Development and Maintenance Objectives
  Information System Application Security
  Applications Processing Information
  Cryptographic Controls
  System Files
  Development and Support Processes
Information Security Incident Management Objectives
  Security Events and Weaknesses
  Managing Security Incidents and Improvements
Disaster Recovery Plan and Business Continuity Objectives
  Disaster Recovery Plan / Business Continuity
Compliance Management Objectives
  Mandated Security Requirements
  Security Compliance Reviews
  Information System Audits

Security Audit Program (worksheet columns: Comment, Yes, No, Weight, Negative Score, Positive Score)

Security Policy Management Objectives
Information Security Policy
1.01 Validate that your enterprise has a security policy in place.
1.02 Validate that the policy provides clear direction for the enterprise's information security program.
1.03 Validate that the policy shows that your management is committed to information security.
1.04 Validate that management supports the enterprise's information security policy.
1.05 Validate that the policy shows that your management is prepared to support an ongoing commitment to information security.
1.06 Validate that the enterprise's information security policy is consistent with your business objectives.
1.07 Validate that the enterprise's information security policy meets the enterprise's business requirements.
1.08 Validate that the enterprise's information security policy complies with all relevant laws and regulations.