Policy Reference
Category | Monitoring and Reporting
Approval Date |
Scope | All Personnel
Purpose
The purpose of this policy is to ensure integrity, confidentiality and availability of information and resources, investigate possible security incidents and monitor system activity where appropriate.
Policy
- ITS will run network vulnerability scans at least quarterly or after any material changes in the network.
- ITS will perform penetration testing on all externally facing application systems at least yearly or after any material changes.
- ITS will test for the presence of wireless access points, resulting in an identification of all wireless devices in use.
- Test for unvalidated input as a part of secure code testing and accreditation.
- Test for broken access control and the malicious use of user IDs as a part of secure code testing and accreditation.
- Test for the malicious use of account credentials and session cookies as a part of secure code testing and accreditation.
- Test for secure communications as a part of its assessment and vulnerability testing.
- Test for cross-site scripting (XSS) attacks as a part of secure code testing and accreditation.
- Test for buffer overflows due to unvalidated input and other causes as a part of secure code testing and accreditation.
- Test for SQL injection and other command injection flaws as a part of secure code testing and accreditation.
- Test for proper error handling, ensuring that there are no flaws in the identification, processing, and notification of errors as a part of secure code testing and accreditation.
- Test the system for insecure data, file, or record storage techniques as a part of secure code testing and accreditation.
- Test for denial of service of the system, application, and database as a part of secure code testing and accreditation.
- Test the application, database, and system for insecure configuration management parameters as a part of secure code testing and accreditation.
- Develop, disseminate, and review: 1) a formal standard for availability and non-repudiation of audit results that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the policy.
- Ensure that access to audit trails is limited to a need-to-know basis unless properly documented in an exceptions list.
- Ensure audit trails are protected from unauthorized modifications.
- Ensure that all audit trails are backed up according to organizational policy so that they cannot be modified.
- Ensure that all logs from wireless networks are copied onto a central server within the LAN.
- Use file integrity and change-monitoring tools to ensure that logs are not being altered (other than through additions by the logging mechanism itself).
Compliance
- The system's security should be reviewed periodically to ensure it complies with the organization's security policy, system availability policy, system processing integrity policy, and system confidentiality policy. Any noncompliance should be documented, and a corrective action plan should be developed. ¶ .17 § 4.1, ¶ .20 § 4.1, ¶ .24 § 4.1, ¶ .29 § 4.1, AICPA Suitable Trust Services Principles and Criteria
- The organization must ensure that internal and external network vulnerability scans are run at least quarterly and when significant changes are made to the network. The organization must ensure that external scans are performed by an Approved Scanning Vendor (ASV). § 11.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
- Wireless sniffers should be used periodically within the facility to check for rogue APs and unauthorized access. The wireless security policy should include the procedures to be used when misconfigured or rogue devices are identified. 6.1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1
- When new security vulnerabilities are discovered, all software provided with the payment application should be tested to ensure the vulnerability does not exist on the system. 7.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1
- The organization must ensure that web applications are developed based on secure coding guidelines and prevent common coding vulnerabilities. 6.5.10, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2