The use of digital currency has brought with it numerous financial fraud challenges that require organizations to develop information security policies that promote, enhance and protect the security of cardholders' data. The Payment Card Industry Data Security Standard (PCI DSS) in particular has the mandate of guiding merchants on secure ways of protecting cardholders' data through its six control objectives and 12 requirements (PCI Security Standard Council, 2010).
The first PCI DSS objective, maintaining a secure network, has two requirements. The first requirement is the installation of a firewall to protect cardholders' information, since a firewall is configured to filter incoming and outgoing traffic according to defined security policies. The second requirement prohibits the use of vendor-supplied default passwords on the network hardware that holds and protects cardholders' information.
The second PCI DSS goal is to protect cardholder data, covered by requirements three and four. According to requirement three, merchants should implement protective measures such as encryption to safeguard cardholders' data stored on their devices from unauthorized access. Requirement four provides recommendations for protecting cardholders' data in transit over the network through encryption, because data in transit is at risk of interception or modification.
The third goal of PCI DSS is to have a way to assess, identify and remediate vulnerabilities by implementing the fifth and sixth requirements. The fifth requirement entails installing and updating anti-malware and anti-virus software, which protects cardholders' data from known threats. The sixth requirement aims at addressing hardware security risks through the development of a secure system and application environment, which involves patching vulnerabilities.
The fifth goal of PCI DSS, regularly monitoring and testing networks for vulnerabilities and potential data breaches, falls under requirements ten and eleven. Under the tenth requirement, organizations should track and control access to cardholders' data by logging all logins, access and modifications.
The last objective of PCI DSS is creating and maintaining an information security policy. The twelfth requirement requires that all personnel be governed by a security policy that tells them how they should act when handling cardholders' data and what the consequences of their actions are.
Password Construction Guidelines
1. Overview
Passwords are crucial to access control because they prevent unauthorized users from accessing restricted content. This policy provides the best-practice guidelines that all user accounts should follow to obtain secure passwords.
2. Purpose
This policy provides best-practice guidelines on the creation of strong and easy-to-remember passwords.
3. Scope
This policy applies to all our employees, third-party contractors, and individuals who have user accounts in our systems.
4. Policy
4.1 Compliance Measurement
The information security department (ISD) is responsible for raising awareness of this policy and verifying compliance with it through online tutorials, audits and other approaches it deems suitable.
4.2 Exceptions
Any exception to these guidelines must be approved by the ISD and filed for future reference.
4.3 Non-Compliance
Any employee or independent contractor who violates this policy risks facing disciplinary action.
Password Protection Policy
1. Overview
The process of protecting our systems does not end with creating strong passwords; protecting those passwords from unauthorized access is of equal importance.
2. Purpose
The purpose of this policy is to provide guidelines for securing our passwords.
3. Scope
This policy applies to all our employees, third-party contractors, and customers who have created user accounts with our company.
4. Policy
4.1 Password Creation
All individuals under the scope of this policy should review the Password Construction Guidelines.
4.2 Password Protection
Do not share your password with anyone.
Do not enable the "remember password" feature on any computer that you use.
4.3 Password Change
If you suspect that your password has been compromised, notify the information security department and change the password immediately.
5. Policy Compliance
5.1 Compliance Measurement
The information security department (ISD) oversees compliance with password protection and may conduct password-guessing exercises periodically; those whose passwords are found to be compromised will have to change them in line with the Password Construction Guidelines.
5.2 Exceptions
Any exception to these guidelines must be approved by the ISD and filed for future reference.
5.3 Non-Compliance
Any employee or independent contractor who violates this policy risks facing disciplinary action.
6. Related Standards, Policies, and Processes
Password Construction Guidelines
Remote Access Policy
1. Overview
Our organization allows remote access to increase productivity; however, such freedom comes with security risks, since our systems can then be accessed from compromised networks. To protect our systems from cyberattacks, all individuals under the scope of this policy must follow these guidelines whenever they access our systems remotely.
2. Purpose
The purpose of this policy is to define the rules and requirements that must be followed to minimize security risks before anyone accesses our systems remotely.
3. Scope
This policy applies to our employees and independent contractors who have privileges to access our systems remotely.
4. Requirements
Remote access must be made only over secure, encrypted connections using a virtual private network (VPN).
Users must ensure that their login credentials are kept secure and protected from unauthorized access.
5. Policy Compliance
5.1 Compliance Measurement
The information security department (ISD) is responsible for raising awareness of this policy and verifying compliance with it through online tutorials, audits and other approaches it deems suitable.
5.2 Exceptions
Any exception regarding remote access to our systems must be approved by the ISD.
5.3 Non-Compliance
Any employee or independent contractor who violates this policy risks facing disciplinary action that may end in termination of employment or contract.
6. Related Standards, Policies, and Processes
Please review the following policies to be conversant with the requirements of the Remote Access Policy:
Acceptable Encryption Policy
Password Protection Policy
Third Party Agreement
7. Revision History
Date | Responsible | Summary of Change
August 2017 | ISD | Updated and converted to new format.
September 2018 | ISD | Creation of a policy to cover third-party contractors after outsourcing of various responsibilities.
References
Payment Card Industry Security Standards Council. (2010). PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0 [Ebook]. Retrieved from https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf