IT POLICIES AND PROCEDURES MANUAL
Table of Contents
2. TECHNOLOGY HARDWARE PURCHASING POLICY
2.2.2 Purchasing desktop computer systems
2.2.3 Purchasing portable computer systems
2.2.4 Purchasing server systems
2.2.5 Purchasing computer peripherals
2.2.6 Purchasing mobile telephones
3. POLICY FOR PROCURING SOFTWARE
3.2.3 Obtaining open source or freeware software
5. BRING YOUR OWN DEVICE POLICY
5.2.1 Current mobile devices approved for business use
5.2.2 Registration of personal mobile devices for business use
5.2.3 Keeping mobile devices secure
6. INFORMATION TECHNOLOGY INTERNAL SECURITY POLICY
7. TECHNOLOGY ACCESS AND PASSWORDS POLICY
7.2 INDIVIDUAL RESPONSIBILITIES
7.3 RESPONSIBILITIES OF SYSTEMS PROCESSING PASSWORDS
8. INFORMATION TECHNOLOGY CUSTOMER INTERFACING SECURITY POLICY
8.3.1 Information Security Program.
8.3.3 Sensitive Non-Public Information Control Requirements.
8.3.4 Security Logging and Monitoring
8.3.8 Security Incident Management and Response
8.3.9 Communications Management
8.3.13 Asset Disposal and Reclamation
8.3.14 Proof of Compliance; Audit Assistance
9. INFORMATION TECHNOLOGY ADMINISTRATION POLICY
10.3 THREATENING COMMUNICATIONS
12. ELECTRONIC TRANSACTIONS POLICY
12.2.1 Electronic Funds Transfer (EFT)
13. IT SERVICE AGREEMENTS POLICY
14. EMERGENCY MANAGEMENT OF INFORMATION TECHNOLOGY
14.2.2 Point of Sale Disruptions
14.2.3 Virus or other security breach
APPENDIX A: TERMS AND DEFINITIONS
APPENDIX B: 3P SYSTEM CERTIFICATIONS
1. INTRODUCTION
The SafePass IT Policy and Procedure Manual provides the policies and procedures for selection and use of IT within the business which must be followed by all staff. It also provides guidelines SafePass will use to administer these policies, with the correct procedure to follow.
SafePass will keep all IT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies and procedures, or to add new procedures according to SafePass business needs.
Any suggestions, recommendations or feedback on the policies and procedures specified in this manual are welcome.
These policies and procedures apply to all employees and applicable contractors.
2. TECHNOLOGY HARDWARE PURCHASING POLICY
Computer hardware refers to the physical parts of a computer and related devices. Internal hardware devices include motherboards, hard drives, and RAM. External hardware devices include monitors, keyboards, mice, printers, and scanners.
2.1 PURPOSE OF THE POLICY
This policy provides guidelines for the purchase of hardware for the business to ensure that all hardware technology for the business is appropriate, value for money and where applicable integrates with other technology for the business. The objective of this policy is to ensure that there is minimum diversity of hardware within the business.
2.2 PROCEDURES
2.2.1 Purchase of Hardware
The purchase of all desktops, servers, portable computers, computer peripherals and mobile devices must adhere to this policy.
2.2.2 Purchasing desktop computer systems
The desktop computer systems purchased must run a Windows or Mac OS and integrate with existing and planned hardware.
The desktop computer systems must be purchased as standard desktop system bundle and must include:
- Desktop tower
- Desktop screen
- Keyboard and mouse
- webcam
- printer/scanner
Any change from the above requirements must be authorised by SafePass President.
All purchases of desktops must be supported by all current operating parameters and be compatible with the business’s server system.
2.2.3 Purchasing portable computer systems
Portable computer systems purchased must run a Windows or Mac OS and integrate with existing and planned hardware.
Any change from the above requirements must be authorised by Company Technical Director.
All purchases of all portable computer systems must be supported by all current operating parameters and be compatible with the business’s server system.
2.2.4 Purchasing server systems
Server systems can only be purchased by Company Technical Director.
Server systems purchased must be compatible with all other computer hardware in the business.
All purchases of server systems must be compatible with the business’s other server systems.
Any change from the above requirements must be authorised by Company Technical Director.
2.2.5 Purchasing computer peripherals
Computer peripherals can only be purchased where they are not included in any hardware purchase or are considered to be an additional requirement to existing peripherals.
Computer peripherals purchased must be compatible with all other computer hardware and software in the business.
The purchase of computer peripherals can only be authorised by Company Technical Director.
Any change from the above requirements must be authorised by Company Technical Director.
2.2.6 Purchasing mobile telephones
A mobile phone will only be purchased once the eligibility criteria are met. Refer to the Mobile Phone Usage policy in this document.
The mobile phone must be compatible with the business’s current hardware and software systems.
The mobile phone purchased must be Apple or Samsung.
The use of a mobile phone must be approved by Company Technical Director prior to purchase.
Any change from the above requirements must be authorised by Company Technical Director.
3. POLICY FOR PROCURING SOFTWARE
3.1 PURPOSE OF THE POLICY
This policy provides guidelines for the purchase of software for the business to ensure that all software used by the business is appropriate, value for money and where applicable integrates with other technology for the business. This policy applies to software obtained as part of hardware bundle or pre-loaded software.
3.2 PROCEDURES
3.2.1 Request for Software
All software procured must be approved by Company Technical Director prior to the use or download of such software.
3.2.2 Purchase of software
The purchase of all software must adhere to this policy.
All purchased software must be purchased by Company Technical Director.
All purchased software must be purchased from a vendor approved by Company Technical Director.
All purchases of software must be compatible with the business’s server and/or hardware system.
Any changes from the above requirements must be authorised by Company Technical Director.
3.2.3 Obtaining open source or freeware software
Open source or freeware software can be obtained without payment and usually downloaded directly from the internet.
In the event that open source or freeware software is required, approval from Company Technical Director must be obtained prior to the download or use of such software.
All open source or freeware must be compatible with the business’s hardware and software systems.
Any change from the above requirements must be authorised by Company Technical Director.
4. POLICY FOR USE OF SOFTWARE
4.1 PURPOSE OF THE POLICY
This policy provides guidelines for the use of software for all employees within the business to ensure that all software use is appropriate. Under this policy, the use of all open source and freeware software will be conducted under the same procedures outlined for commercial software.
4.2 PROCEDURES
4.2.1 Software Licensing
All computer software copyrights and terms of all software licences will be followed by all employees of the business.
Where licensing states limited usage (i.e. number of computers or users etc.), then it is the responsibility of Company Technical Director to ensure these terms are followed.
Company Technical Director is responsible for completing a software audit of all hardware twice a year to ensure that software copyrights and licence agreements are adhered to.
4.2.2 Software Installation
All software must be appropriately registered with the supplier where this is a requirement.
SafePass is to be the registered owner of all software.
Only software obtained in accordance with the Procuring Software Policy is to be installed on the business’s computers.
All software installation is to be carried out by Company Technical Director or someone the Company Technical Director appoints. A software upgrade shall not be installed on a computer that does not already have a copy of the original version of the software loaded on it.
4.2.3 Software Usage
Only software purchased in accordance with the Procuring Software Policy is to be used within the business.
Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on use of the software.
All employees must receive training for all new software. This includes new employees to be trained to use existing software appropriately. This will be the responsibility of Company Technical Director.
Employees are prohibited from bringing software from home and loading it onto Company computer hardware.
Unless express approval from Company Technical Director is obtained, software cannot be loaded on any non-registered computer systems.
Where an employee is required to use software on a non-registered computer system, an evaluation of providing the employee with a portable computer should be undertaken in the first instance. Where it is found that software can be used on the employee’s non-registered computer, authorisation from Company Technical Director is required to purchase separate software if licensing or copyright restrictions apply. Where software is purchased in this circumstance, it remains the property of the business and must be recorded on the software register by Company Technical Director.
Unauthorised software is prohibited from being used in the business.
The unauthorised duplicating, acquiring or use of software copies is prohibited. Any employee who makes, acquires, or uses unauthorised copies of software will be referred to Company Technical Director for review and further disciplinary action. The illegal duplication of software or other copyrighted works is not condoned within this business and Company Technical Director is authorised to undertake disciplinary action where such event occurs.
4.3 BREACH OF POLICY
Where there is a breach of this policy by an employee or contractor, that employee will be referred to Company Technical Director for review and further disciplinary action.
Where an employee or contractor is aware of a breach of the use of software in accordance with this policy, they are obliged to notify Company Technical Director immediately. In the event that the breach is not reported, and it is determined that an employee or contractor failed to report the breach, then that employee will be referred to Company Technical Director for review and further disciplinary action.
5. BRING YOUR OWN DEVICE POLICY
At SafePass we acknowledge the importance of mobile technologies in improving business communication and productivity. In addition to the increased use of mobile devices, staff members have requested the option of connecting their own mobile devices to SafePass’ network and equipment. This policy must be read and carried out by all staff.
5.1 PURPOSE OF THE POLICY
This policy provides guidelines for the use of personally owned notebooks, smart phones, tablets and other types of mobile devices for business purposes. All staff who use or access SafePass’ technology equipment and/or services are bound by the conditions of this Policy.
5.2 PROCEDURES
5.2.1 Current mobile devices approved for business use
The following personally owned mobile devices are approved to be used for business purposes:
- Apple or Samsung mobile phones
- Apple or Samsung mobile tablets
- Other mobile devices as determined on a case-by-case basis and approved by Company President.
5.2.2 Registration of personal mobile devices for business use
Employees when using personal devices for business use will register the device with Company Technical Director and will record the device and all applications used by the device.
Each employee who utilises personal mobile devices agrees:
- Not to download or transfer business or personal sensitive information to the device. Sensitive information includes any information relating to SafePass operations, personnel or any other Company-related material or subject matter
- Not to use the registered mobile device as the sole repository for SafePass’ information. All business information stored on mobile devices should be backed up
- To make every reasonable effort to ensure that SafePass’ information is not compromised through the use of mobile equipment in a public place. Screens displaying sensitive or critical information should not be seen by unauthorised persons and all registered devices should be password protected
- To maintain the device with current security software
- Not to share the device with other individuals to protect the business data access through the device
- To abide by SafePass’ internet policy for appropriate use and access of internet sites
- To notify SafePass immediately in the event of loss or theft of the registered device
- Not to connect USB memory sticks from an untrusted or unknown source to SafePass’ equipment
All employees who have a registered personal mobile device for business use acknowledge that the business:
- Owns all intellectual property created on the device
- Can access all data held on the device, including personal data
- Will regularly back-up data held on the device
- Will delete all data held on the device in the event of loss or theft of the device
- Has first right to buy the device where the employee wants to sell the device
- Will delete all data held on the device upon termination of the employee. The terminated employee can request personal data be reinstated from back up data
- Has the right to deregister the device for business use at any time.
5.2.3 Keeping mobile devices secure
The following must be observed when handling mobile computing devices (such as notebooks and iPads):
- Mobile computer devices must never be left unattended in a public place, or in an unlocked house, or in a motor vehicle, even if it is locked. Wherever possible they should be kept on the person or securely locked away
- Cable locking devices should also be considered for use with laptop computers in public places, e.g. in a seminar or conference, even when the laptop is attended
- Mobile devices should be carried as hand luggage when travelling by aircraft.
5.3 EXEMPTIONS
This policy is mandatory unless Company President grants an exemption. Any requests for exemptions from any of these directives, should be referred to the Company President.
5.4 BREACH OF THIS POLICY
Any breach of this policy will be referred to Company President who will review the breach and determine adequate consequences, which can include any action up to and including termination.
5.5 INDEMNITY
SafePass bears no responsibility whatsoever for any legal action threatened or started due to conduct and activities of staff in accessing or using these resources or facilities. All staff indemnify SafePass against any and all damages, costs and expenses suffered by SafePass arising out of any unlawful or improper conduct and activity, and in respect of any action, settlement or compromise, or any statutory infringement. Legal prosecution following a breach of these conditions may result independently from any action by SafePass.
6. INFORMATION TECHNOLOGY INTERNAL SECURITY POLICY
6.1 PURPOSE OF THE POLICY
This policy provides guidelines for the protection and use of information technology assets and resources within the business to ensure integrity, confidentiality and availability of data and assets.
6.2 PROCEDURES
6.2.1 Physical Security
For all servers, mainframes and other network assets, the area must be secured with adequate ventilation and appropriate access through a keyed door lock, at a minimum.
It will be the responsibility of Company Technical Director to ensure that this requirement is followed at all times. Any employee or contractor becoming aware of a breach to this security requirement is obliged to notify Company Technical Director immediately.
All security and safety of all portable technology will be the responsibility of the employee or contractor who has been issued with the portable technology. Each employee or contractor is required to use keyed locks (or other equivalent security device) and to ensure the asset is kept safely at all times to protect the security of the asset issued to them.
In the event of loss or damage, Company Technical Director will assess the security measures undertaken to determine if the employee will be required to reimburse the business for the loss or damage.
All portable devices, when kept at the office desk, are to be secured by a keyed lock provided by Company Technical Director.
6.2.2 Information Security
All sensitive, valuable, or critical business data is to be backed-up.
It is the responsibility of Company Technical Director to ensure that data back-ups are conducted once per month and the data backup is kept on a secure off-site data center.
All technology that has internet access must have anti-virus software installed. It is the responsibility of Company Technical Director to install all anti-virus software and ensure that this software remains up to date on all technology used by the business.
All information used within the business is to adhere to the privacy laws and the business’s confidentiality requirements. Any employee breaching this will be subject to review and possible termination.
7. TECHNOLOGY ACCESS AND PASSWORDS POLICY
All individuals are responsible for safeguarding their system access login and password credentials and must comply with the password parameters and standards identified in this policy. Passwords must meet the complexity requirements outlined and must not be shared with or made available to anyone in any manner that is not consistent with this policy and procedure.
7.1 PURPOSE OF THE POLICY
Assigning unique user logins and requiring password protection is one of the primary safeguards employed to restrict access to the SafePass network and the data stored within it to only authorized users. If a password is compromised, access to information systems can be obtained by an unauthorized individual, either inadvertently or maliciously. Individuals are responsible for safeguarding against unauthorized access to their account, and as such, must conform to this policy in order to ensure passwords are kept confidential and are designed to be complex and difficult to breach. The parameters in this policy are designed to comply with legal and regulatory standards, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
7.2 INDIVIDUAL RESPONSIBILITIES
Individuals are responsible for keeping passwords secure and confidential. As such, the following principles must be adhered to for creating and safeguarding passwords:
- SafePass passwords must be changed immediately upon issuance for the first-use. Initial passwords must be securely transmitted to the individual.
- SafePass passwords must never be shared with another individual for any reason or in any manner not consistent with this policy. A shared or compromised password is reportable as a security incident.
- SafePass personnel must never ask anyone else for their password. If you are asked to provide your password to an individual or sign into a system and provide access to someone else under your login, you are obligated to report this immediately.
- SafePass passwords must never be written down and left in a location easily accessible or visible to others. This includes both paper and digital formats on untagged (unsupported) devices. Passwords should not be stored in a web browser’s password manager on an untagged device.
- Individuals must never leave themselves logged into an application or system where someone else can unknowingly use their account.
- In the event that a password needs to be issued to a remote user or service provider, the password must never be sent without the use of proper safeguards (e.g., do not send passwords through email without encryption).
- If a password needs to be shared for servicing, SafePass Technical Director should be contacted for authorization and appropriate instruction.
- Passwords must be unique and different from passwords used for other personal services (e.g., banking).
- SafePass passwords must meet the complexity requirements outlined in this policy.
- SafePass passwords must be changed regularly, as outlined in this policy, at the regularly scheduled time interval or sooner if there is suspicion of a compromise.
- In the event a breach or compromise is suspected, the incident must be reported to SafePass Technical Director immediately using one of the methods outlined in the Procedures section below.
7.3 RESPONSIBILITIES OF SYSTEMS PROCESSING PASSWORDS
All SafePass systems—including servers, applications, and websites that are hosted by or for SafePass—must be designed to accept passwords and transmit them with proper safeguards.
- Passwords must be prohibited from being displayed when entered.
- Passwords must never be stored in clear, readable format, nor in a reversibly encrypted form from which the password can be recovered; they must be stored only as salted one-way password hashes, so that a copy of the credential store does not yield the passwords.
- Passwords must never be stored as part of a login script, program, or automated process.
- Systems storing or providing access to confidential data or remote access to the internal network should be secured with multifactor authentication.
- Password hashes must never be accessible to unauthorized individuals.
- Where possible, a salted and deliberately slow password hashing function (for example PBKDF2, bcrypt, scrypt or Argon2) should be used rather than a plain unsalted hash. Exceptions should be filed and reviewed on a regular basis.
- Where any of the above items are not supported, appropriate authorizations and access control methods must be implemented to ensure only a limited number of authorized individuals have access to readable passwords.
7.4 PASSWORD REQUIREMENTS
The following parameters indicate the minimum requirements for passwords for all individual accounts where passwords are:
- At least eight (8) characters;
- Not based on anything somebody else could easily guess or obtain using person related information (e.g., names, CWID, telephone numbers, dates of birth, etc.);
- Not vulnerable to a dictionary attack (see Recommendations for Creating Compliant Passwords section); and,
- A combination of at least one character from each of the following four listed character types (older passwords require at least one character from three of the following four types):
o English uppercase letters (A-Z),
o English lowercase letters (a-z)
o Base 10 digits (0-9)
o Non-alphanumeric (such as ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . / and space)
7.5 PASSWORD EXPIRATION
In order to prevent an attacker from making use of a password that may have been discovered, passwords are deemed temporary and must be changed regularly. SafePass reserves the right to reset a user’s password in the event a compromise is suspected or reported. Passwords must be changed every six (6) months and not be reused for at least four (4) generations.
7.6 ACCOUNT LOCKOUT
In order to limit attempts at guessing passwords or compromising accounts, an account lockout policy is in effect for all systems. Accounts will be locked out after eighteen (18) invalid password attempts in fifteen (15) minutes and will be locked out for a duration of fifteen (15) minutes.
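The lockout rule above is a sliding window, not a fixed quarter-hour, and attempts against an already locked account should not count towards a new lock. The following is an added example, not code from the SafePass manual: it implements the 7.6 thresholds (18 invalid attempts within 15 minutes, 15-minute lock) with an injected clock and replays constructed authentication log lines through it to show where the lock fires and when it expires. The log format and account names are invented for the example.

```python
"""Added example, not part of the SafePass manual: the 7.6 lockout rule
(18 invalid attempts within 15 minutes locks the account for 15 minutes)
as a sliding-window counter, plus a replay over constructed
authentication log lines to show where the rule fires.  The log format
and account names are invented for the example; thresholds are
parameters so the rule can be exercised with a fixed clock."""
from collections import defaultdict, deque

MAX_FAILURES = 18
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60


class LockoutTracker:
    """Per-account sliding window of failures and an 'unlock at' timestamp.
    Times are plain seconds so the caller controls the clock."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> times of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: forget it and start the failure count afresh.
        del self._locked_until[account]
        self._failures[account].clear()
        return False

    def attempt(self, account, password_ok, now):
        """Process one login attempt; returns 'locked', 'ok' or 'denied'.
        Attempts against a locked account are rejected without being
        counted, so an attacker cannot extend the lock indefinitely."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()
            return "ok"
        window = self._failures[account]
        window.append(now)
        # Drop failures older than the window (sliding, not fixed, 15 minutes).
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            window.clear()
            return "locked"
        return "denied"


def replay_log(lines, tracker=None):
    """Run constructed auth log lines ('<epoch> <account> OK|FAIL') through the
    tracker and return [(epoch, account, outcome), ...]."""
    tracker = tracker or LockoutTracker()
    outcomes = []
    for line in lines:
        ts, account, result = line.split()
        outcomes.append((int(ts), account,
                         tracker.attempt(account, result == "OK", int(ts))))
    return outcomes


def lockout_events(lines, tracker=None):
    """Return only the attempts that triggered the lock or hit a locked account."""
    return [e for e in replay_log(lines, tracker) if e[2] == "locked"]


# Constructed sample: 18 failures in 18 seconds against alice's account, after
# which alice's correct password is refused until the lock expires.
SAMPLE_LOG = [f"{1000 + i} alice FAIL" for i in range(18)] + [
    "1100 alice OK",    # correct password, but inside the 15-minute lock
    "1917 alice OK",    # 15 minutes after the 18th failure: lock has expired
    "1920 bob FAIL",    # an unrelated account is not affected
]

if __name__ == "__main__":
    for ts, account, outcome in replay_log(SAMPLE_LOG):
        print(ts, account, outcome)
```

Because the window slides, seventeen failures spaced a minute apart never accumulate eighteen inside any fifteen-minute span and never lock the account, whereas eighteen in quick succession do; the lock is released by time alone, and a correct password during the lock is still refused.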
8. INFORMATION TECHNOLOGY CUSTOMER INTERFACING SECURITY POLICY
8.1 PURPOSE OF THE POLICY
This Policy defines physical, logical information and organizational security controls and requirements (the “Requirements”) for SafePass performing services for, or providing services to, SafePass Customer(s) (“Services”). In specific customer cases, if conflicts between this section (Information Technology Customer Interfacing Security Policy) and other sections in this document arise, this section will prevail.
8.2 STANDARDS
SafePass utilizes G Suite, Google Drive and Amazon Web Services for all SafePass communications both internally and externally, all document storage and retention, and all hosted services and platforms used for Customer interaction or for storage of any potential Confidential Information or any other data. The certifications for these systems are listed in Appendix B: System Certifications.
8.3 PROCEDURES
8.3.1 Information Security Program.
SafePass will maintain an information security program consistent with the following requirements:
- One or more qualified SafePass employees must be designated with responsibility to maintain the SafePass information security program.
- The program must be endorsed/approved by SafePass’ executive management and must, at a minimum, cover the protection of Confidential Information against Loss or Misuse and the prevention against Misuse of rights and privileges associated with SafePass’ performance with Customer.
- Documented information security policies and standards that conform to all applicable data protection laws and regulations. SafePass’ Security policy and standards must include provisions that require assessments of various information security related risks, vulnerabilities and threats to Confidential Information, and the management of those risks, vulnerabilities and threats consistent with SafePass’ security and policy standards.
- SafePass Staff who are assigned to a Customer account or who have access to Customer systems or Confidential Information will receive periodic training (at least annually) in SafePass’ security policy and standards and must acknowledge their adherence to same.
- Non-compliance by SafePass Staff with SafePass’ security policy and standards must be addressed through appropriate discipline imposed by SafePass or its subcontractors, as applicable.
- SafePass must regularly review, at least annually, its information security program and SafePass’ security policy and standards, including whenever there is a material change in business practices.
- SafePass must require all permitted subcontractors to comply in writing with these Requirements and shall provide a copy of such written compliance to Customer promptly upon request, together with a list of the subcontractors’ name, address, service provided, Confidential Information shared, and/or Customer Systems accessible. SafePass shall notify Customer prior to using new subcontractor personnel who will have access to Confidential Information. SafePass shall conduct periodic reviews of permitted subcontractors’ security controls, including any third-party hosting providers, to determine that such controls are in compliance with these Requirements. In the event SafePass identifies deficiencies in any subcontractor’s security controls, SafePass shall maintain a report of such findings and ensure that such deficiencies are remediated within reasonable timeframes, commensurate with their severity.
- SafePass will maintain and comply with a risk assessment program that includes identification, tracking and remediation of all identified risks and vulnerabilities to its corporate infrastructure and Confidential Information on an ongoing basis.
8.3.2 Basic Data Protection.
SafePass shall protect all Confidential Information as follows (additional controls are required for Sensitive Non-Public Information as set forth below):
- Data Labelling: SafePass shall maintain any labelling or other designations applied by Customer on electronic and physical copies of data, and to any data set containing Confidential Information.
- Least Privilege: SafePass must apply the “Principle of Least Privilege” (or “PLP”) model for access to Confidential Information, enabling access only to such information and other rights and privileges relating to Customer operations as are necessary for a person or process to perform a legitimate business function. Annual review of PLP by SafePass is required.
- Approved Devices: SafePass shall store Confidential Information only on devices meeting these Requirements. Where specified by Customer in an ordering document, Confidential Information shall be stored only in devices dedicated to Customer.
- Authentication: SafePass shall ensure that authentication meeting these Requirements is required prior to granting access to Confidential Information stored in a system, application or database. Authentication resulting in access to a system, application or database containing Confidential Information must be logged consistent with these Requirements.
- Encrypted Portable Media: Any Confidential Information stored on portable media (such as DVD, CD, magnetic tape media, removable hard drives, USB drives or similar portable storage), must meet Storage Encryption requirements.
- Network Protection: SafePass shall use Industry Standard measures, including encryption, for preventing interception of or access to Confidential Information transiting networks. Transit over the public internet and other externally accessible networks requires Transport Encryption.
- Controlled Spaces: Confidential Information contained in paper form or unencrypted electronic media must be stored in a controlled space (e.g., individual office with a door) with standard, after-business-hours locking; or in locked storage containers (e.g., locked drawer, cabinet).
- Prohibiting Unintended Viewing: Confidential Information must be protected against casual, unintended viewing by unauthorized persons.
- Prohibiting Non-Production Use: Use of Confidential Information in a non-production (test or development) environment is permitted only if approved by Customer.
- Data Retention: Retention of Confidential Information will be in accordance with Customer’s records retention schedule that Customer provides to SafePass, regardless of information format or storage location.
- Document Disposal: Sanitization of SafePass Devices containing Confidential Information must meet these Requirements. All hardcopy documents must be cross-cut shredded.
- Secure Physical Media Transport: When physically transporting digital media containing Confidential Information, that information must be protected using Storage Encryption. If approved by Customer, transport using a qualified courier, with tracking and in a physically secure container. Physical transport of paper documents or other physical media containing Confidential Information must be protected against casual observation of the information and sent using reliable means which includes tracking.
- Data Center/Server/Cloud Facilities: If Confidential Information is stored in or processed in server or data center facilities, those facilities must meet the Facility Standards set out in these Requirements for the particular class of Information. Confidential Information must not be processed or stored on a Public Cloud or the Public Cloud portion of a Hybrid Cloud solution unless there is Transport Encryption for communications with and among Cloud elements, and Storage Encryption is used with Sensitive Non-Public Information.
- Cloud Environments: For all Cloud Environments, SafePass shall validate compliance, at least once annually, with either (i) the latest version of the Cloud Security Alliance Cloud Controls Matrix (CCM) at https://cloudsecurityalliance.org, or (ii) a Customer-approved equivalent set of security, privacy, and business continuity controls, which will meet Customer’s external and internal compliance requirements for protecting Confidential Information or Sensitive Non-Public Information. For any Private Cloud Environment, SafePass shall ensure that one organization’s uses and data are completely isolated from uses and data of other organizations.
- Inventory: SafePass will maintain an inventory of assets (computers, firewalls, routers, security devices, filing cabinets, etc.) that collect, store, process or transmit Confidential Information.
- Secure Build. SafePass shall maintain policies and standards for the secure build of desktops, laptops, servers and mobile devices accessing or storing Confidential Information.
8.3.3 Sensitive Non-Public Information Control Requirements.
In addition to all of the Basic Data Protection requirements above for Confidential Information, Sensitive Non-Public Information must be further protected using the following controls:
- Encrypted Storage: All Sensitive Non-Public Information must be stored only using Storage Encryption.
- PCI-DSS Compliance: In the event SafePass engages in payment card transactions as a part of the Services provided to Customer, or services requiring access to or receipt and/or storage of information relating to card payment processing for Customer’s customers, SafePass shall comply with the Payment Card Industry Data Security Standard (“PCI DSS”), and any amendments or restatements of the PCI DSS, and shall promptly implement all procedures and practices necessary to remain in compliance with PCI DSS, in each case, at SafePass’ sole cost and expense. SafePass acknowledges that it is responsible for the security of customer card data in its possession. In connection with SafePass’ obligations under PCI DSS, SafePass agrees to cooperate with Customer to determine and maintain records relating to the apportionment of responsibilities of SafePass and Customer under PCI DSS Requirement 12.8.5. SafePass will maintain and evidence PCI DSS compliance, and provide Customer with a copy of SafePass’ “Report on Compliance” and “Attestation of Compliance” (as those terms are defined by the PCI Security Standards Council) promptly upon Customer’s request.
- Key Management: SafePass shall document, implement, and maintain enterprise-class Industry Standard encryption key and seed management procedures to ensure the integrity, security, and retrieval of any applicable Customer encryption keys or Customer encrypted data. These procedures should include generating, distributing, storing, changing, recovering, archiving, and destroying encryption keys and the implementation of periodic key rotation, revocation (at least annually or in the event of compromise), and dual knowledge (such that one person does not have the full key for any data encrypted at rest).
- Verified Least Privilege: In addition to initial and periodic determinations of least privileged access undertaken for Confidential Information, with respect to Sensitive Non-Public Information, SafePass shall verify continued entitlement to access consistent with PLP at least annually (and at least every ninety (90) days for elevated privilege or administrator accounts for applications/systems/databases subject to Sarbanes-Oxley 404 requirements or PCI requirements or equivalent non-USA international requirements), using processes that provide independent assurance.
- Logging and Log Review: In addition to the logging and monitoring described elsewhere in these Requirements, SafePass must implement logging systems and log reviews reasonably sufficient to detect Loss or Misuse of Sensitive Non-Public Information. At a minimum, this includes:
o Logging and log reviews of operations that export or copy Sensitive Non-Public Information
o Developing a baseline of expected export/copy activity and
o Logging to detect activity exceeding baseline thresholds.
- Display Controls: To prevent disclosure of Sensitive Non-Public Information when unnecessary to perform a required business function and when required by law, SafePass shall mask or truncate data in display.
- System Segmentation: Except as otherwise approved by Customer, systems or devices storing, processing or transmitting Sensitive Non-Public Information must be logically isolated from systems that handle other companies’ information. For example, SafePass may use separate database server instances for the processing of Sensitive Non-Public Information or must use separate virtual operating system images than those used or accessed by other companies serviced by SafePass.
- Data Loss Prevention: SafePass shall implement data loss prevention (DLP) controls to detect and prevent Sensitive Non-Public Information from being transmitted outside of SafePass Systems without Transport Encryption and Customer’s prior written approval.
8.3.4 Security Logging and Monitoring
SafePass must utilize the following logging and monitoring controls for all SafePass Systems:
- SafePass must maintain electronic logs of all access to Confidential Information, depicting the details of the access.
- SafePass must maintain a centralized security logging and monitoring process which provides for oversight to SafePass compliance or security personnel, and which maintains the integrity of the logs and identifies potential security violations in near-real time.
- At a minimum, logs shall capture the following information for all access to Sensitive Non-Public Information:
o Unique user ID.
o Login/Logout time with local time zone or timestamp.
o System/data set accessed.
o Failed login attempts.
o Activity for privileged users (such as database administrators, system administrators, etc.) including changes to permissions, changes to data, etc.
o Client Network Address and any network address translation or dynamic host configuration protocol (NAT/DHCP) data required to identify the accessing device.
o Geolocation data of accessing device if technically available.
- Logs shall be regularly (with the period commensurate with risk) reviewed by SafePass, either manually or using log parsing tools.
- SafePass Systems must generate event logs, which at minimum, capture the following events:
o Faults.
o Successful / Unsuccessful logon attempts.
o Logoffs.
o Additions and modifications to user accounts / privileges.
o Activity performed by privileged accounts.
o Modifications to logs.
o Modifications to system settings.
o Attempts to perform unauthorized functions.
o Users switching IDs during sessions.
o All session activity.
o Access to operating system utilities and commands that bypass access controls.
o Modifications to Confidential Information, when Customer has advised SafePass that the integrity of the data must be preserved.
o The presence and activity of malware.
o Transactions or operations in excess of predetermined values/thresholds indicating malicious activity, such as mass data modifications, theft of information or disruption of service.
o Additions, deletions and modifications to security/audit/event log parameters.
o Mass data modification, movement, or deletion.
- Logs must be retained for a minimum of twelve (12) months.
- Logs must be protected from unauthorized access, modification and accidental or deliberate destruction.
- Log reviews must be undertaken by a designated trained individual or group of individuals, manually or through the use of tools, in order to detect unauthorized activity. Utilizing NIST Special Publication 800-92 as a guide for log review is encouraged and acceptable.
- All log records must contain the following information:
o Hostname
o Date / time stamp with time zone
o Event type
o Source / destination network address
o Type of browser used (in case of HTTP)
o User account
o Description of activity
o Reason for logging
o Referring page (in case of HTTP)
o Detail necessary to recreate the sequence of events for debugging
o Latitude / longitude, if technically available
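The two logging controls above, the required contents of a log record (8.3.4) and the baseline-and-threshold review of export/copy operations on Sensitive Non-Public Information (8.3.3), can be exercised with the following script. It is an added example, not SafePass's own tooling: it constructs a handful of sample access-log records, checks that each carries the required fields with a time-zoned timestamp (browser and referrer only for HTTP events), then builds a per-user baseline of daily export counts and flags any user whose review-day activity exceeds that baseline. Field names, hostnames, addresses, user IDs and the threshold rule (mean plus three standard deviations, with a floor of five operations) are assumptions made for the illustration.

```python
"""Log-record validation and export-activity baseline review (added example)."""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Fields every record must carry (assumed key names); HTTP-only fields are
# required only when the record describes an HTTP event.
REQUIRED_FIELDS = ("hostname", "timestamp", "event_type", "src_addr",
                   "dst_addr", "user", "description", "reason")
HTTP_ONLY_FIELDS = ("user_agent", "referrer")


def validate_record(rec: dict) -> list[str]:
    """Return the list of compliance problems with a record (empty = compliant)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in rec]
    ts = rec.get("timestamp")
    if ts is not None:
        try:
            # The control requires a time zone on every timestamp.
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("timestamp lacks time zone")
        except ValueError:
            problems.append("timestamp not ISO 8601")
    if rec.get("protocol") == "http":
        problems += [f"missing {f}" for f in HTTP_ONLY_FIELDS if f not in rec]
    return problems


def make_record(user: str, ts: str, event_type: str = "export", **extra) -> dict:
    """Build a constructed sample record carrying the required fields."""
    rec = {
        "hostname": "app01.example.test",      # constructed
        "timestamp": ts,
        "event_type": event_type,
        "src_addr": "10.0.0.15",                # constructed
        "dst_addr": "10.0.0.20",                # constructed
        "user": user,
        "description": f"{event_type} of report dataset",
        "reason": "SNPI export/copy logging control",
    }
    rec.update(extra)
    return rec


def export_counts_per_day(records) -> dict[str, Counter]:
    """Map user -> Counter(day -> number of export/copy operations)."""
    per_user: dict[str, Counter] = defaultdict(Counter)
    for rec in records:
        if rec.get("event_type") in ("export", "copy"):
            day = rec["timestamp"][:10]  # timestamps are UTC, so the date prefix is the day
            per_user[rec["user"]][day] += 1
    return per_user


def flag_exceeding_baseline(records, baseline_days, review_day,
                            sigma: float = 3.0, floor: float = 5.0) -> dict:
    """Flag users whose review-day export count exceeds their own baseline.

    Threshold = max(floor, mean + sigma * stddev) over the baseline days; a
    user with no history on a baseline day counts as zero for that day.
    """
    flagged = {}
    for user, days in export_counts_per_day(records).items():
        history = [days.get(d, 0) for d in baseline_days]
        threshold = max(floor, mean(history) + sigma * pstdev(history))
        today = days.get(review_day, 0)
        if today > threshold:
            flagged[user] = (today, round(threshold, 2))
    return flagged


BASELINE_DAYS = [f"2024-03-0{d}" for d in range(1, 6)]   # constructed window
REVIEW_DAY = "2024-03-06"


def constructed_records() -> list[dict]:
    """Constructed sample data: steady exports during the baseline window,
    then one user exporting far above normal on the review day."""
    recs = []
    for day in BASELINE_DAYS:
        recs += [make_record("alice", f"{day}T09:{i:02d}:00+00:00") for i in range(2)]
        recs += [make_record("bob", f"{day}T10:{i:02d}:00+00:00") for i in range(3)]
    recs += [make_record("alice", f"{REVIEW_DAY}T09:{i:02d}:00+00:00") for i in range(40)]
    recs += [make_record("bob", f"{REVIEW_DAY}T10:{i:02d}:00+00:00") for i in range(3)]
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    bad = [(r["user"], validate_record(r)) for r in recs if validate_record(r)]
    print("non-compliant records:", bad)
    print("users exceeding baseline:", flag_exceeding_baseline(recs, BASELINE_DAYS, REVIEW_DAY))
```

In the constructed data alice's baseline is two exports a day, so the threshold is the five-operation floor and her forty exports on the review day are flagged, while bob's three a day stay within his baseline. A real review would feed records from the centralized logging system and tune the floor and sigma to the environment.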
8.3.5 Access Control
SafePass must utilize logical access controls for all access to Confidential Information and to other rights and privileges relating to Customer operations, including access to Customer Systems, as follows:
- Use of PLP, such that SafePass enables access to only such information and other rights and privileges relating to Customer operations as are necessary to perform a legitimate business function for the role assigned to an authorized user. SafePass must also employ a secure and reliable method of enforcing authorization controls to limit access consistent with PLP. Compliance with PLP also requires a process which will promptly terminate access by SafePass Staff who no longer require access (e.g., a terminated or reassigned employee/contractor).
- A process of controlling user IDs and other identifiers to ensure they are unique among users and are not shared.
- SafePass Staff sensitive personal information, such as social security numbers, birth dates, mother’s maiden names, must not be used as the authentication or authorization mechanism to obtain a password, or for log in rights or for access to any application, system, website or database owned or operated by Customer or on Customer’s behalf.
- SafePass shall implement multi-factor authentication for all SafePass Staff remote access to Confidential Information hosted by SafePass. Multi-factor authentication will consist of at least two (2) of the following authentication factors: something the user knows, has, or is.
- Industry Standard password selection and aging procedures to limit opportunities for compromise of password security must be utilized. Such password procedures must at least include the following controls:
o A secure method of assigning and selecting passwords or other unique identity validation values, such as biometric registration values or the issuance of one-time-password token devices.
o Limit repeated access attempts by locking out the user ID after not more than five (5) attempts with a thirty (30) minute minimum lockout duration.
o Verification of user identity before any password resets.
o Accounts remaining inactive for ninety (90) days must be disabled.
o If a session has been idle for more than fifteen (15) minutes, require the user to re-enter the password to reactivate the terminal.
o Control and encrypt passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.
o SafePass must not automate authentication procedures to Customer environments.
o Password changes must be accomplished through a secure procedure.
o Passwords must never be transmitted in clear text.
o Display and printing of passwords must be masked.
o User IDs and passwords are never transmitted together within the same electronic transaction unless communications are encrypted.
o Passwords are at least 8 characters and have at least three (3) of the following four character types: upper case letters, lower case letters, westernized Arabic numerals (1, 2, 9), non-alphanumeric (special) characters (e.g. ?, |, %, $, #, etc.) or equivalent international language representations.
o Passwords cannot be identical to the last eight (8) previously used passwords.
o Minimum password age must be set to 3 days or greater.
o Passwords have a maximum validity of ninety (90) days.
o Default, temporary or pre-set passwords are set to unique values and changed immediately after first use.
o Where a secret question/answer method is used for authentication, no more than three (3) attempts are permitted before lockout.
- SafePass must implement mobile device management (MDM) controls for all mobile devices with access to Confidential Information that include passwords with at least 6 characters, automated lockouts after five (5) minutes, encrypted containers on the mobile device for data storage and remote wipe capabilities in the event the device is lost or stolen.
- SafePass must implement Customer single sign on (SSO) authentication for all hosted applications accessible by Customer personnel.
- Administrative or elevated privileged access to servers must be encrypted in accordance with Transport Encryption.
- Shared or elevated privileged account activity must be monitored; minimum required monitoring includes recordation of failed access attempts and changes to user rights.
- Shared or elevated privileged accounts shall not be used unless the usage can be reliably tracked back to an individual SafePass Staff person.
- When any user’s access privileges are removed or disabled, all related privileges must be purged from the application to avoid inheritance of privileges.
- SafePass will notify Customer immediately when SafePass Staff no longer require access to Customer Systems.
- When an error occurs during logon, it must not allow circumvention or breaking out of the login process and access must be denied.
- Access to the command-line of SafePass Devices and SafePass Systems must be limited to only when access/services are needed.
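The password selection, aging, history, lockout and inactivity rules listed above are specific enough to encode as checks. The following is an added example, not SafePass's own code, that applies them to an in-memory account record: composition (8 characters, three of four classes), rejection of the last eight passwords, a 3-day minimum and 90-day maximum age, lockout for 30 minutes after five failed attempts, disabling after 90 days of inactivity, and re-authentication after 15 idle minutes. The data model, the use of PBKDF2-SHA256 for the stored password hashes and the return codes are assumptions made for the illustration.

```python
"""Password and lockout controls from the access-control section (added example)."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_LENGTH, MIN_CLASSES, HISTORY_DEPTH = 8, 3, 8
MIN_AGE, MAX_AGE = timedelta(days=3), timedelta(days=90)
MAX_FAILED, LOCKOUT = 5, timedelta(minutes=30)
INACTIVITY_LIMIT, IDLE_LIMIT = timedelta(days=90), timedelta(minutes=15)


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed scheme: salted PBKDF2-SHA256 (a dedicated password hash such as
    # Argon2 would be the usual production choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)   # (salt, digest), newest last
    last_change: datetime | None = None
    last_activity: datetime | None = None
    failed_attempts: int = 0
    locked_until: datetime | None = None
    disabled: bool = False


def composition_problems(password: str) -> list[str]:
    """Check length and the three-of-four character class rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < MIN_CLASSES:
        problems.append("fewer than 3 of 4 character types")
    return problems


def change_problems(acct: Account, new_password: str, now: datetime) -> list[str]:
    """Composition plus minimum-age and last-eight-passwords checks."""
    problems = composition_problems(new_password)
    if acct.last_change and now - acct.last_change < MIN_AGE:
        problems.append("minimum password age not reached")
    if any(_hash(new_password, salt) == digest for salt, digest in acct.history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last 8 passwords")
    return problems


def set_password(acct: Account, new_password: str, now: datetime) -> list[str]:
    """Apply a change if it passes every check; return the problems otherwise."""
    problems = change_problems(acct, new_password, now)
    if problems:
        return problems
    salt = os.urandom(16)
    acct.history = (acct.history + [(salt, _hash(new_password, salt))])[-HISTORY_DEPTH:]
    acct.last_change = now
    return []


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'locked', 'disabled' or 'denied'."""
    if acct.disabled or not acct.history:
        return "disabled" if acct.disabled else "denied"
    if acct.last_activity and now - acct.last_activity > INACTIVITY_LIMIT:
        acct.disabled = True                      # inactive for over 90 days
        return "disabled"
    if acct.locked_until and now < acct.locked_until:
        return "locked"
    salt, digest = acct.history[-1]
    if _hash(password, salt) != digest:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED:    # five failures -> 30 minute lockout
            acct.locked_until, acct.failed_attempts = now + LOCKOUT, 0
        return "denied"
    acct.failed_attempts, acct.locked_until, acct.last_activity = 0, None, now
    return "expired" if now - acct.last_change > MAX_AGE else "ok"


def session_needs_reauth(last_input: datetime, now: datetime) -> bool:
    """True when a session has been idle longer than the 15 minute limit."""
    return now - last_input > IDLE_LIMIT


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    acct = Account("alice")                       # constructed sample account
    print(set_password(acct, "Correct-Horse-42", t0))
    for _ in range(5):
        attempt_login(acct, "wrong-guess", t0)
    print(attempt_login(acct, "Correct-Horse-42", t0))            # locked
    print(attempt_login(acct, "Correct-Horse-42", t0 + LOCKOUT))  # ok
```

The checks are deliberately separated from the state changes so the same functions can be called from a password-change form, a login handler and a periodic job that disables inactive accounts; the one state the login path changes on success is the activity timestamp that the inactivity rule depends on.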
8.3.6 Application Management
In the event SafePass engages in development or application management Services for Customer, SafePass must utilize the following application management controls:
- Regardless of development methodology (traditional, agile, other), SafePass must maintain a software development life cycle (“SDLC”) process that incorporates security vulnerability and malicious code assessments throughout each stage of the development process.
- SafePass Staff shall receive regular training on coding and design in application security.
- Within the SafePass’ SDLC, a security vulnerability and malicious code assessment must be performed prior to initial application deployment.
- Application development activities must not occur on systems that also perform live production operations.
- Compilers and development tools must not be installed in production environments, or if there is no other practical alternative to doing so, then access/execution rights must be strictly controlled.
- Application source code can only be permanently stored on systems dedicated to the storage of source code (such as a source code repository). Permanent storage of source code on laptops, desktops and other mobile computing devices is prohibited.
- Access to the application source code must be limited to SafePass Staff in accordance with PLP.
- Application source code must be maintained using version control.
- Application documentation must be kept up to date, held in accessible form, and protected from loss or damage.
- Information security requirements must be integrated with the design and specification documentation for SafePass Systems.
- A documented change management process must be in place that includes documenting changes made to systems and applications. The process will include types of changes, appropriate approval workflows, testing, communication, separation of duties, documentation and retention of changes.
- Automated user input checks (error checking) must be incorporated into any application design to detect out-of-range values, invalid characters, missing, incomplete data or inappropriate or malicious content.
- SafePass must subject operating system, software and firmware updates to a security review to screen for vulnerabilities and to verify the source of the items, prior to implementation and be able to validate that the update is from an approved source.
- SafePass must receive approval from Customer before using production/real Confidential Information for testing.
- SafePass must disclose to Customer in advance, and secure Customer approval, for all “open source” code incorporated in or used to derive any deliverable provided to Customer.
- In the event SafePass is developing or customizing software or applications for Customer, such application or software will be developed in compliance with Open Web Application Security Project (OWASP), http://www.cert.org/secure-coding/ and SANS Top 25 Most Dangerous Software Errors secure coding practices. At least annually and prior to implementing changes to applications in production, SafePass will work with Customer to conduct static code analysis testing or provide the most recent report of the static code analysis test completed by SafePass to Customer upon request.
8.3.7 Physical Security
SafePass must utilize the following physical security measures where Confidential Information is stored or is accessible:
- SafePass must have controls in place to allow only access by authorized individuals with a reasonable business need for access into SafePass facilities and areas within SafePass facilities where Confidential Information is stored or is accessible (“Facility Access Control”).
- SafePass Systems providing Facility Access Control must be secured from tampering, circumvention or destruction, must be maintained at all times in functional order and must be updated or changed if they become compromised or ineffective (for example, if keys or access codes are stolen).
- SafePass must notify Customer prior to using a new facility which will have access to Confidential Information.
- Facility Access Controls must meet or exceed Industry Standards to prevent and detect physical compromise and include at least the following elements:
o Issuance of temporary or permanent photo identification badges;
o Use of smartcards or other electronic or physical identity verification systems (pin/key access locks, biometrics, etc.);
o Use of dedicated (to the facility) security personnel who control access to SafePass’ facilities;
o Tracking and escorting of visitors;
o 24×7 main lobby security guard station;
o Locks on all ground floor windows;
o Use of structures/containment resistant to physical compromise;
o Alarms on all external doors;
o Use of CCTV on all entrances/exits with respect to areas that store or process Confidential Information.
o Video storage and retention of records/documents pertaining to Facility Access Controls shall be for no less than ninety (90) days.
o SafePass’ procedures must assure that access to a facility storing/processing Confidential Information or where services designated by Customer as “Mission Critical” are performed is removed immediately when no longer required or appropriate (e.g., reassignment of personnel, termination of employment).
o The Facility Access Control system should alert security staff in the event that a secured door has been open beyond a reasonable amount of time (for example, by being propped open and unattended).
o SafePass must periodically review access records and CCTV video to ensure that access controls are being enforced effectively, and any discrepancies or unauthorized access must be investigated immediately by SafePass.
- If Customer provides SafePass with its prior written consent to access Confidential Information or Customer Systems from outside of the United States, then SafePass will implement clean rooms in all such locations (“Clean Rooms”) that include all of the controls set forth in clause 7(d) above. In addition, the Clean Rooms shall include at least the following elements:
o Prohibition of mobile devices;
o Prohibition of applications to save Confidential Information locally;
o Prohibition of paper and writing utensils;
o Disabling of all printing functions;
o Establishment of read-only settings for local drives and folders on workstations to prohibit Confidential Information from being saved locally with the exception of specific drives or folders required for Services-related applications;
o Restriction on use of any external instant messaging, email or social collaboration tools; and
o Restriction of administrator access on SafePass System end points.
- For any data center that stores or processes Confidential Information, SafePass must maintain the following environmental controls: climate control, raised floor, smoke, heat and water detection, CCTV at ingress and egress, fire suppression, uninterruptible power supply (UPS), power generators and fire extinguishers.
- If SafePass is providing call center Services to Customer, SafePass Staff must work in an area designated for Customer.
8.3.8 Security Incident Management and Response
- SafePass must include in its information security program a plan for security incident management and response in the event of (i) an actual or suspected Security Compromise with respect to Confidential Information or any operations providing services to Customer, (ii) other loss or misuse of Confidential Information or Sensitive Non-Public Information, or (iii) malware posing a significant threat to Confidential Information or any operations providing services to Customer (each, a “Security Incident”).
- SafePass Security Incident management and response plan must have documented formal procedures that comply with Industry Standards and applicable laws addressing investigation and response to Security Incidents, including without limitation, government mandated notifications in the event of privacy breaches.
- SafePass Security Incident management team must be available to respond to Security Incidents on a 24x7x365 basis.
- SafePass must provide notification via electronic mail to [email protected] of a Security Incident described in 8(a)(i) and (ii) as soon as practicable, but no later than twenty-four (24) hours, following awareness of the Security Incident. SafePass shall provide notification to the above address of a Security Incident meeting the criteria of 8(a)(iii) within three (3) days after discovery of same.
- For any Security Incident, SafePass must provide regular updates to [email protected] or, if directed by Customer, to a security point of contact specifically designated by Customer for the Security Incident and shall cooperate with Customer or its regulators in its efforts to investigate the same.
- For any Security Incident, Customer shall exclusively control the provision of any notices concerning such Security Incident to any person affected or potentially affected thereby and applicable domestic and international authorities.
8.3.9 Communications Management
SafePass must ensure that the following communications management controls are applied for communications pertaining to Confidential Information and Customer operations:
- SafePass must implement Industry Standard security requirements for Electronic Data Interchange (EDI) connections, when SafePass interacts with Customer (or others on Customer’s behalf) using EDI. Any other electronic data interchange must also comply with applicable Industry Standards and be approved by Customer.
- SafePass must use Industry Standard methods to prevent interception of, or improper access to (i) voice, email, voicemail and data communications, including collaboration and conferencing sessions, pertaining to Confidential Information, and (ii) Customer operations or communications with Customer.
- SafePass must take appropriate measures to prevent the use of external personal email accounts, personal websites and social media in handling Confidential Information and that electronic mail is not utilized as archival storage for Confidential Information.
- SafePass must ensure retention and restoration of electronic mail when directed by Customer in connection with actual or anticipated legal proceedings.
- SafePass must ensure general purpose fax communications are secured through appropriate administrative procedures.
8.3.10 Operations Management
SafePass must utilize the following operations management controls for all operations pertaining to services to Customer and all SafePass Systems:
- SafePass Systems and SafePass Devices involved in the performance of Services to Customer must be maintained and configured securely in accordance with established baselines and standards.
- SafePass must maintain an established change control process, ensuring only authorized changes are applied to systems used to perform Services for Customer or that store, process or transmit Confidential Information. Emergency changes must be individually approved.
- Standard operating procedures must exist for a patch management process to ensure patches are applied in a repeatable, prioritized and standardized way for all software layers (firmware, operating systems, desktop software, DLLs, libraries, applications, COTS, Open Source, and middleware) for all SafePass Devices and SafePass Systems.
- SafePass must maintain separation/segregation of duties consistent with Industry Standard practices, in order to limit the potential for a single individual to cause excessive harm. Among other things, development functions and environments must be segregated/separated from production operations and environments.
- Database administration accounts must be carefully monitored and managed consistent with Industry Standard practices.
- SafePass must disable or restrict unnecessary functions, services, utilities and commands on systems.
- System clocks must be synchronized to a trusted, centralized source clock.
- File permissions must be configured to prevent unauthorized access or change.
- SafePass network architectures must be documented.
- Emergency access processes must be established, with access to emergency accounts controlled.
- At least annually, and prior to implementing changes to any Internet-facing hosted production application that is Customer branded or accesses Confidential Information, SafePass will either (i) cooperate with Customer to conduct static analysis scanning, dynamic scanning, and/or penetration testing of the application code (collectively “Scans”), or (ii) provide to Customer the current report of the Scans completed by SafePass.
- SafePass will conduct network vulnerability scanning on a quarterly basis and after significant changes to SafePass Systems.
- SafePass will conduct network penetration tests annually and after significant changes to SafePass Systems.
- Vulnerability management processes must be in place to prioritize vulnerabilities based on nature/severity of the vulnerability and remediate or mitigate all vulnerabilities as soon as practicable thereafter, but in any event within the following timeframes (using the manufacturer-designated rating for third party software and otherwise using Industry Standards such as the Common Vulnerability Scoring System (CVSS) for risk rating):
o Seven (7) business days for any urgent vulnerabilities
o Thirty (30) business days for any critical risk vulnerabilities.
o Sixty (60) business days for all high-risk vulnerabilities and sixty (60) business days for PCI assets.
o Ninety (90) business days for all medium risk vulnerabilities and seventy-five (75) business days for PCI assets.
o One hundred and twenty (120) business days for all low risk vulnerabilities and ninety (90) business days for PCI assets.
- Upon Customer’s request, SafePass shall provide Customer with an executive summary of the most recent network vulnerability scan, as well as evidence of SafePass’ vulnerability management processes, which shall validate that security flaws and vulnerabilities are identified and remediated pursuant to the timeframes set forth above.
- SafePass use of software must be tested, including regression testing as applicable, prior to deployment. Software must be reviewed for security vulnerabilities.
- SafePass must use processes consistent with Industry Standards to review and approve the use of commercial off-the-shelf software (COTS) and open source software.
- SafePass system administrators must review system logs regularly.
- Security logs must be made available to SafePass security staff.
- Access to sensitive SafePass documentation must be restricted.
- An accurate inventory of SafePass Devices and SafePass Systems must be maintained.
- SafePass must restrict use of system audit and security tools to authorized staff.
- SafePass must implement Industry Standard patch/malware detection software and anti-virus/malware software. Anti-virus software must be configured to update virus definitions and scan daily. SafePass must provide training to employees on the use of virus/malware detection software.
- SafePass must utilize electronic mail scanning technologies to control viruses, phishing attacks, etc.
- SafePass must develop backup plans and schedules to protect against malicious destruction of information.
- SafePass will maintain business continuity and disaster recovery plans that formally document recovery strategies to support any agreed upon service level agreements with Customer. In addition, SafePass will work with Customer to define recovery time objectives (RTO) and recovery point objectives (RPO) relative to the nature of the Services. SafePass will define alternate facilities as necessary to meet any agreed upon service level commitments and test its business continuity and disaster recovery plans at least annually.
- SafePass must perform a business impact analysis at least annually, to evaluate potential impacts of an interruption to critical business functions.
- SafePass must notify Customer immediately in the event of an outage that impacts SafePass’ ability to meet agreed upon service level commitments.
- SafePass must maintain incident management procedures to address system issues and minimize downtime (e.g. issue identification, severity assignment, reporting, resolution and root cause analysis).
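The remediation timeframes in the vulnerability management control above are expressed in business days per rating, with shorter windows for PCI assets at the medium and low ratings. The script below is an added example, not SafePass's own process: it turns a discovery date, rating and PCI flag into a due date counted in business days and lists which constructed sample findings are overdue on a given day. Counting Monday to Friday only, with no holiday calendar, and using the same seven- and thirty-day windows for PCI and non-PCI assets at the urgent and critical ratings (where the text gives a single figure) are assumptions made for the illustration; the finding identifiers are placeholders.

```python
"""Remediation due dates from the vulnerability management timeframes (added example)."""
from __future__ import annotations

from datetime import date, timedelta

# rating -> (business days for non-PCI assets, business days for PCI assets),
# as stated in the control; urgent/critical give one figure for both.
TIMEFRAMES = {
    "urgent": (7, 7),
    "critical": (30, 30),
    "high": (60, 60),
    "medium": (90, 75),
    "low": (120, 90),
}


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` Monday-to-Friday days (holidays not modelled)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:          # 0..4 are Monday..Friday
            days -= 1
    return current


def remediation_deadline(discovered: date, rating: str, pci_asset: bool) -> date:
    """Due date for a finding of the given rating discovered on `discovered`."""
    non_pci_days, pci_days = TIMEFRAMES[rating.lower()]
    return add_business_days(discovered, pci_days if pci_asset else non_pci_days)


def overdue_findings(findings, today: date) -> list[tuple[str, date]]:
    """Return (finding_id, due_date) for unremediated findings past their due date.

    Each finding is (finding_id, discovered, rating, pci_asset, remediated).
    """
    overdue = []
    for finding_id, discovered, rating, pci_asset, remediated in findings:
        due = remediation_deadline(discovered, rating, pci_asset)
        if not remediated and today > due:
            overdue.append((finding_id, due))
    return overdue


# Constructed sample findings with placeholder identifiers.
SAMPLE_FINDINGS = [
    ("FINDING-PLACEHOLDER-1", date(2024, 3, 1), "urgent", False, False),
    ("FINDING-PLACEHOLDER-2", date(2024, 3, 1), "critical", True, False),
    ("FINDING-PLACEHOLDER-3", date(2024, 3, 1), "medium", True, False),
    ("FINDING-PLACEHOLDER-4", date(2024, 3, 1), "urgent", True, True),
]

if __name__ == "__main__":
    for fid, disc, rating, pci, _ in SAMPLE_FINDINGS:
        print(fid, rating, "PCI" if pci else "non-PCI", "due", remediation_deadline(disc, rating, pci))
    print("overdue on 2024-03-20:", overdue_findings(SAMPLE_FINDINGS, date(2024, 3, 20)))
```

The sample run shows the practical effect of the PCI column: a medium finding on a PCI asset discovered on a Friday falls due fifteen calendar weeks later rather than eighteen, and on 20 March only the unremediated urgent finding is past its seven-business-day window.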
8.3.11 Network Security
SafePass must implement network security controls for networks that will access or transmit Confidential Information, access Customer Systems, or otherwise be used in the performance of Services.
- SafePass must utilize switched (i.e. non-hub) network technology for internal networks.
- Servers that are accessible from untrusted networks must be isolated from servers on trusted networks.
- Third party connections to SafePass’ networks must be monitored and reviewed by SafePass to ensure authorized access and appropriate usage.
- SafePass must secure connections to external public networks utilizing De-Militarized Zones (DMZs) or similar security approved by Customer. Applications hosted on behalf of Customer that provide services via the Internet must reside in a DMZ (DMZ designs as defined in NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, are acceptable).
- SafePass must implement Industry Standard mechanisms to mitigate denial of service impacts.
- SafePass must include the use of login/warning banners within its processes for providing awareness/notification of restrictions and information security related obligations to SafePass Staff.
- All routers must be configured using Industry Standard secure configurations.
- SafePass must use alarms to detect malicious events, and alarms must be communicated to one or more processes that appropriately handle them.
- SafePass must conduct reviews consistent with Industry Standards (both in frequency and nature) of network-related log files.
- SafePass must implement firewall controls at appropriate points in the SafePass network to control the ingress and egress of communications and data to environments containing Confidential Information and not allow bridging connections to Customer networks. At a minimum, firewalls must protect all connections to open, public networks. System and firewall application security patches and updates for firewalls must be implemented in a timely manner consistent with the criticality of the patch/update, but not to exceed thirty (30) days following release.
- SafePass must employ Industry Standard intrusion detection systems (IDS) for any environment into which Confidential Information will be placed. Such network IDS must also be placed on network connection points between the SafePass environment containing Confidential Information and other network environments.
- IDS must be configured with business rules appropriate to the environment and otherwise in keeping with Industry Standard configurations. As a default, IDS alerts must be near real time.
- Signatures and software for IDS must be kept current and up to date.
- IDS alerts must be reviewed by trained security personnel with a frequency consistent with the nature of the alert, but at least daily.
- Internet-facing web servers must be dedicated to providing internet facing web services and must not host internal (intranet) applications.
- Transport Encryption must be used for Confidential Information that traverses networks outside of the direct control of SafePass (including, but not limited to, the Internet, Wi-Fi and mobile phone networks).
- Access to Confidential Information from a location outside of SafePass’ facilities requires Customer approval.
- SafePass shall adhere to the following logical security requirements when connecting to a Customer network:
o SafePass must only access Customer Systems as necessary to perform Services.
o All SafePass Devices used to connect to a Customer network must be either provided by Customer or owned or leased by SafePass or its permitted subcontractors. Except as permitted by Customer, personally-owned equipment may not be used to perform work for Customer.
o SafePass Staff accessing a Customer network must not have any concurrent access to other non-Customer networks from their workstation(s) while connected to a Customer’s network unless that access is through that Customer network.
o Unless otherwise approved or directed by Customer, all remote access (i.e. access from outside a Customer owned or controlled facility) to a Customer network must utilize approved Customer virtual private networks including client-based access, Transport Encryption and Strong Authentication.
o As between SafePass and Customer, Customer shall control all access control mechanisms used to restrict access to Customer’s internal business network and located on Customer Systems.
o Wireless traffic from/to SafePass Devices must only traverse properly encrypted wireless networks while attaching to the Customer network. Proper encryption means WPA2 (Enterprise or PSK mode) at a minimum; open networks, WEP and original WPA/TKIP do not qualify.
- Unless otherwise directed by Customer, SafePass shall not present identifying information such as Customer’s name, logo or address before a successful login to a system hosted by SafePass for Customer.
- If SafePass exchanges data through Customer’s firewalls, SafePass shall work with Customer to document the access and establish specific ports, rules and protocols acceptable to Customer.
- All SafePass network traffic that passes through Customer’s firewalls must only utilize the defined protocols and services required to provide the intended functionality.
- SafePass must not bypass or attempt to circumvent established Customer security controls, including when accessing external networks from a Customer System.
- Where required to render SafePass support to Customer, remote maintenance ports and access lists created with the intent of providing remote maintenance must only be enabled during the needed support window. SafePass shall provide all assistance and cooperation reasonably necessary to facilitate Customer’s monitoring of any such access.
- Default passwords, including any SafePass-supplied defaults on installed systems, must be changed during installation.
- SafePass must maintain data flow and network diagrams as they relate to any Services subject to these Requirements.
- In the event SafePass is hosting Internet-facing applications on behalf of Customer, SafePass will decommission all applications upon expiration or termination of the relationship with Customer.
8.3.12 Personnel Security
SafePass must utilize the following personnel security controls for all SafePass Staff performing services to Customer:
- To the extent SafePass Staff are provided access to Confidential Information or Customer Systems, SafePass must notify such SafePass Staff of their obligations with respect to such information and information resources and conditions of such access. Unless precluded by local law, SafePass must affirmatively communicate to SafePass Staff (and where required by law or contract obtain consent from such Staff) that they are not entitled to privacy protection if they access or use such Customer information resources, and that access to and use of Confidential Information or Customer information resources may be monitored.
- SafePass must ensure that SafePass Staff surrender Confidential Information, Customer information resources and other Customer property upon request and upon removal from Customer-related activities, in the same condition in which such property was provided to SafePass (normal wear and tear excepted), or reimburse Customer for the replacement cost of said property, to be determined by Customer in its reasonable discretion.
- Upon Customer’s request on a semi-annual basis, SafePass shall participate in user access reviews for all SafePass Staff who have access to Customer Systems.
- In addition to the revocation of privileges described elsewhere in these Requirements, SafePass must provide a process for escorting terminated SafePass Staff to prevent theft or misuse of Confidential Information.
- Customer may terminate SafePass’ access to any Customer System without notice, if Customer believes that such access is adversely affecting the security of Customer or Customer Systems.
8.3.13 Asset Disposal and Reclamation
Asset disposal and reclamation of Confidential Information must meet the following requirements:
- When directed by Customer, and otherwise (unless specifically required by law or directed by Customer) upon conclusion or termination of Services or when no longer required for Services, SafePass must Sanitize or Destroy (or at Customer’s election return to Customer) all copies of all Confidential Information, including all backup and archival copies, in any electronic or non-electronic form.
- All tapes with any Confidential Information must be degaussed with a degausser that meets the performance standards provided by the US National Security Agency (NSA), at: http://www.nsa.gov/ia/_files/Government/MDG/NSA_CSS-EPL-9-12.PDF.
- When Sanitizing magnetic or flash media, the preferred method of Sanitization is to perform a Secure Erase (to be used only for ATA drives and SCSI drives, where technically feasible, and documented by the UC San Diego CMRR at http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml). Alternatively, if Secure Erase is technically inappropriate, a minimum of a three-pass block erasure shall be utilized that removes the data from magnetic disk media by sequentially overwriting all addressable locations in the following manner, and then verifying the result by a disk read: (i) overwriting with a random pattern; (ii) overwriting with binary zeros; and (iii) overwriting with binary ones. Note that software overwriting cannot be relied on for flash media, where wear levelling and over-provisioning leave cells the host cannot address; consistent with NIST 800-88, such media must be sanitized with the device’s own sanitize command or Destroyed.
- Non-functional electronic storage media (e.g., a failed drive) may not be capable of Sanitization and therefore must be Destroyed. When removing non-functional electronic storage media from a Customer or SafePass facility, SafePass may destroy the media onsite prior to removal as specified herein. If the electronic storage media are not subject to Sanitization and must be removed from the Customer or SafePass premises without such sanitization or destruction, SafePass shall utilize Secure Transportation to a disposal site. SafePass shall track the disposition of the media (e.g., Destroyed by SafePass, Sanitized by SafePass, conveyed to a Customer-authorized third party for Destruction, etc.) and provide to Customer a Certificate of Sanitization (COS) and/or Certificate of Destruction (COD) upon completion of the Sanitization or Destruction.
- SafePass shall maintain for no less than four (4) years records which specifically identify the media (or computing assets) that were Destroyed, subject to Sanitization or returned to Customer, and shall make those records available to Customer for inspection upon request.
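The three-pass overwrite above is specified in prose only. The following is an added example, not part of the manual or of any SafePass tooling, showing what the fallback procedure looks like when implemented: every addressable byte is overwritten sequentially with random data, then zeros, then ones, each pass is flushed to the media before the next begins, and the final pattern is verified by reading the whole device back. It assumes Linux and a raw block device path (for instance a /dev/sdX node, opened as root with nothing on it mounted); the scratch file created by demo() stands in for a drive so the code can be run safely. Secure Erase via the drive’s own ATA command remains the preferred path, and NIST 800-88 treats a single pass as sufficient for modern magnetic disks, so three passes are a policy choice rather than a technical necessity. As noted above, this is not an acceptable method for flash media.

```python
"""Three-pass overwrite with read-back verification (added example for 8.3.13).

Run as root against the raw block device, never against a mounted partition.
It irrecoverably destroys everything on the target. Assumes Linux.
"""
import os
import secrets
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 20  # 1 MiB per write; an assumed value, tune to the device

# Passes in the order the policy prescribes: random, then zeros, then ones.
PASSES = (
    ("random", secrets.token_bytes),
    ("zeros", lambda n: b"\x00" * n),
    ("ones", lambda n: b"\xff" * n),
)


@dataclass
class SanitizeRecord:
    """What to keep for the disposition record / Certificate of Sanitization."""
    path: str
    size_bytes: int
    passes: tuple
    verified: bool


def _device_size(fd):
    # fstat().st_size is 0 for block devices on Linux; seeking to the end
    # gives the addressable size for both devices and regular files.
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def _write_all(fd, buf):
    view = memoryview(buf)
    while len(view):
        view = view[os.write(fd, view):]


def _read_exact(fd, n):
    parts = []
    while n:
        data = os.read(fd, n)
        if not data:
            raise IOError("short read: media smaller than the recorded size")
        parts.append(data)
        n -= len(data)
    return b"".join(parts)


def _overwrite(fd, size, make_chunk):
    """Sequentially overwrite every addressable byte with make_chunk(n) data."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        _write_all(fd, make_chunk(n))
        remaining -= n
    os.fsync(fd)  # the pass must reach the media before the next pass starts


def _verify_fill(fd, size, value):
    """Disk read of every location, checking it holds the final pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if _read_exact(fd, n) != bytes([value]) * n:
            return False
        remaining -= n
    return True


def three_pass_overwrite(path):
    fd = os.open(path, os.O_RDWR)
    try:
        size = _device_size(fd)
        for _name, make_chunk in PASSES:
            _overwrite(fd, size, make_chunk)
        verified = _verify_fill(fd, size, 0xFF)  # final pass was binary ones
    finally:
        os.close(fd)
    return SanitizeRecord(path, size, tuple(name for name, _ in PASSES), verified)


def demo():
    """Exercise the procedure on a scratch file standing in for a drive (constructed input)."""
    fd, path = tempfile.mkstemp(prefix="sanitize-demo-")
    _write_all(fd, b"Sensitive Non-Public Information " * 40000)  # ~1.3 MB, spans two chunks
    os.close(fd)
    record = three_pass_overwrite(path)
    with open(path, "rb") as f:
        all_ones = f.read() == b"\xff" * record.size_bytes
    os.unlink(path)
    return record, all_ones


if __name__ == "__main__":
    print(demo())
```

The returned SanitizeRecord carries exactly the facts the four-year disposition record needs: which media, how much was addressed, which passes ran, and whether the read-back verification passed. A False in verified means the media must be treated as not Sanitized and routed to Destruction.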
8.3.14 Proof of Compliance; Audit Assistance
- SafePass shall develop and retain documentation demonstrating compliance with these Requirements and shall maintain a Current SSAE-16 (or its successor, SSAE-18) SOC 2 report or, if a Current SOC 2 report is not reasonably available, a SOC 3 report or a Current ISO 27001 certification covering SafePass Systems. Upon request from Customer, SafePass must produce such documentation for Customer review.
- SafePass shall reasonably cooperate with Customer’s efforts to verify SafePass’ compliance with these Requirements, which efforts may include periodic audits of SafePass’ operations, including onsite validation at a SafePass facility dedicated to providing services to Customer, by Customer or a third party at Customer request and on reasonable notice.
- SafePass shall reasonably cooperate with security assessment activities that Customer may undertake from time to time in connection with SafePass’ performance and will provide a commitment to Customer within thirty (30) days of any security issues discovered by Customer, to address such issues in a timely manner. SafePass shall also participate, at its sole expense, in all regulatory inquiries or investigations, as reasonably requested by Customer.
9. INFORMATION TECHNOLOGY ADMINISTRATION POLICY
9.1 PURPOSE OF THE POLICY
This policy provides guidelines for the administration of information technology assets and resources within the business.
9.2 PROCEDURES
All installed software, together with its licence information, must be registered in the Company Software Registration Log. It is the responsibility of the Company Technical Director to ensure that this register is maintained. The register must record the following information:
- What software is installed on every machine
- What licence agreements are in place for each software package
- Renewal dates if applicable.
Company Technical Director is responsible for the maintenance and management of all service agreements for the business technology. Any service requirements must first be approved by Company Technical Director.
Company Technical Director is responsible for maintaining adequate technology spare parts and other requirements.
A technology audit is to be conducted annually by Company Technical Director to ensure that all information technology policies are being adhered to.
Any unspecified technology administration requirements should be directed to Company Technical Director.
10. ACCEPTABLE USE POLICY
10.1 PURPOSE OF THE POLICY
The purpose of this policy is to establish acceptable and unacceptable use of electronic devices and network resources at SafePass in conjunction with its established culture of ethical and lawful behavior, openness, trust, and integrity.
SafePass provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets. This policy requires the users of information assets to comply with company policies and protects the company against damaging legal issues.
All employees, contractors, consultants, temporary and other workers at SafePass, including all personnel affiliated with third parties must adhere to this policy. This policy applies to information assets owned or leased by SafePass, or to devices that connect to a SafePass network or reside at a SafePass site.
10.2 PROCEDURES
Company Technical Director must approve exceptions to this policy in advance through Company President.
Employees/Contractors are responsible for exercising good judgment regarding appropriate use of SafePass resources in accordance with SafePass policies, standards, and guidelines. SafePass resources may not be used for any unlawful or prohibited purpose.
For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, and network traffic. Devices that interfere with other devices or users on the SafePass network may be disconnected. SafePass prohibits actively blocking authorized audit scans. Firewalls and other blocking technologies must permit access to the scan sources.
Employees/Contractors are responsible for the security of data, accounts, and systems under their control. Keep passwords secure and do not share account or password information with anyone, including other personnel, family, or friends. Providing access to another individual, either deliberately or through failure to secure that access, is a violation of this policy.
Employees/Contractors must maintain system-level and user-level passwords in accordance with the Password Policy.
Employees/Contractors must ensure through legal or technical means that proprietary information remains within the control of SafePass at all times. Conducting SafePass business that results in the storage of proprietary information on personal or non-SafePass controlled environments, including devices maintained by a third party with whom SafePass does not have a contractual agreement, is prohibited. This specifically prohibits the use of an e-mail account that is not provided by SafePass, or its customer and partners, for company business.
Employees/Contractors are responsible for ensuring the protection of assigned SafePass assets that includes the use of computer cable locks and other security devices. Laptops left at SafePass overnight must be properly secured or placed in a locked drawer or cabinet. Promptly report any theft of SafePass assets to the Company Technical Director.
All PCs, PDAs, laptops, and workstations must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. Employees/Contractors must lock the screen or log off when the device is unattended.
Employees/Contractors are responsible for the security and appropriate use of SafePass network resources under their control. Using SafePass resources for the following is strictly prohibited:
- Causing a security breach to either SafePass or other network resources, including, but not limited to, accessing data, servers, or accounts to which Employees/Contractors are not authorized; circumventing user authentication on any device; or sniffing network traffic.
- Causing a disruption of service to either SafePass or other network resources, including, but not limited to, ICMP floods, packet spoofing, denial of service, heap or buffer overflows, and forged routing information for malicious purposes.
- Introducing honeypots, honeynets, or similar technology on the SafePass network.
- Violating copyright law, including, but not limited to, illegally duplicating or transmitting copyrighted pictures, music, video, and software.
- Exporting or importing software, technical information, encryption software, or technology in violation of international or regional export control laws.
- Use of the Internet or SafePass network that violates SafePass policies, or local laws.
- Intentionally introducing malicious code, including, but not limited to, viruses, worms, Trojan horses, e-mail bombs, spyware, adware, and keyloggers.
- Port scanning or security scanning on a production network unless authorized in advance by Company Technical Director.
- Inappropriate use of communication vehicles and equipment, including, but not limited to, supporting illegal activities, and procuring or transmitting material that violates SafePass policies against harassment or the safeguarding of confidential or proprietary information.
- Sending Spam via e-mail, text messages, pages, instant messages, voice mail, or other forms of electronic communication.
- Forging, misrepresenting, obscuring, suppressing, or replacing a user identity on any electronic communication to mislead the recipient about the sender.
- Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
- Use of a SafePass e-mail or IP address to engage in conduct that violates SafePass policies or guidelines.
Posting to a public newsgroup, bulletin board, or listserv with a SafePass e-mail or IP address represents SafePass to the public; therefore, Employees/Contractors must exercise good judgment to avoid misrepresenting or exceeding their authority in representing the opinion of the company.
10.3 THREATENING COMMUNICATIONS
If any threatening communication is received through any SafePass IT system or infrastructure, the employee/contractor must immediately notify the Company Technical Director for analysis and review, with the appropriate authorities being notified according to local regulatory notification requirements.
11. WEBSITE POLICY
11.1 PURPOSE OF THE POLICY
This policy provides guidelines for the maintenance of all relevant technology issues related to the business website.
11.2 PROCEDURES
11.2.1 Website Register
The website register must record the following details:
- List of domain names registered to the business
- Dates of renewal for domain names
- List of hosting service providers
- Expiry dates of hosting
Keeping the register up to date is the responsibility of the Company Director of Marketing.
Company Director of Marketing will be responsible for any renewal of items listed in the register.
11.2.2 Website Content
All content on the business website is to be accurate, appropriate and current. This is the responsibility of the Company Director of Marketing.
The content of the website is to be reviewed once per month.
The following persons are authorised to make changes to the business website:
- Company President
- Company Technical Director
- Company Director of Marketing
SafePass Branding Guidelines must be followed on all websites to ensure a consistent and cohesive image for the business.
12. ELECTRONIC TRANSACTIONS POLICY
12.1 PURPOSE OF THE POLICY
This policy provides guidelines for all electronic transactions undertaken on behalf of the business.
The objective of this policy is to ensure that use of electronic funds transfers and receipts are started, carried out, and approved in a secure manner.
12.2 PROCEDURES
12.2.1 Electronic Funds Transfer (EFT)
It is the policy of SafePass that all payments and receipts should be made by EFT where appropriate.
All EFT arrangements, including receipts and payments must be submitted to Company President.
EFT payments once authorised, will be entered into the transaction register by Company President.
EFT payments can only be released for payment once pending payments have been authorised by Company President.
All EFT receipts must be reconciled to customer records once per week.
Where an EFT receipt cannot be allocated to a customer account, it is the responsibility of the Company President to investigate. In the event that the customer account cannot be identified within one month, the receipted funds must be reviewed and the Company President must authorise the transaction.
It is the responsibility of Company President to annually review EFT authorisations for initial entry, alterations, or deletion of EFT records, including supplier payment records and customer receipt records.
12.2.2 Electronic Purchases
Where an electronic purchase is being considered, the person authorising the transaction must ensure that the Internet sales site is secure (at a minimum, served over HTTPS with a valid certificate for the merchant’s domain) and must be able to demonstrate that this has been reviewed.
All electronic purchases must be undertaken using business credit cards only.
13. IT SERVICE AGREEMENTS POLICY
13.1 PURPOSE OF THE POLICY
This policy provides guidelines for all IT service agreements entered into on behalf of the business.
13.2 PROCEDURES
The following IT service agreements can be entered into on behalf of the business:
- Provision of general IT services
- Provision of network hardware and software
- Repairs and maintenance of IT equipment
- Provision of business software
- Provision of mobile phones and relevant plans
- Website design, maintenance etc.
All IT service agreements must be reviewed by Company President before the agreement is entered into. Once the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by Company Technical Director.
All IT service agreements, obligations and renewals must be recorded in the IT Service Agreement Log.
Where an IT service agreement renewal is required, in the event that the agreement is substantially unchanged from the previous agreement, then this agreement renewal can be authorised by Company Technical Director.
Where an IT service agreement renewal is required, in the event that the agreement has substantially changed from the previous agreement, Company President shall review before the renewal is entered into. Once the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by Company Technical Director.
In the event that there is a dispute to the provision of IT services covered by an IT service agreement, it must be referred to Company Technical Director who will be responsible for the settlement of such dispute.
14. EMERGENCY MANAGEMENT OF INFORMATION TECHNOLOGY
14.1 PURPOSE OF THE POLICY
This policy provides guidelines for emergency management of all information technology within the business.
14.2 PROCEDURES
14.2.1 IT Hardware Failure
Where there is failure of any of the business’s hardware, this must be referred to Company Technical Director immediately.
It is the responsibility of Company Technical Director to respond immediately and correct the issue in the event of IT hardware failure.
It is the responsibility of Company Technical Director to undertake tests on planned emergency procedures quarterly to ensure that all planned emergency procedures are appropriate and minimise disruption to business operations.
14.2.2 Point of Sale Disruptions
In the event that point of sale (POS) system is disrupted, the following actions must be immediately undertaken:
- POS provider to be notified
- Company Technical Director must be notified immediately
- All POS transactions to be taken using the manual machine located below the counter
- For all manual POS transactions, customer signatures must be verified
14.2.3 Virus or other security breach
In the event that the business’s information technology is compromised by software virus or other security breach, such breaches are to be reported to Company Technical Director immediately.
Company Technical Director is responsible for ensuring that any security breach is dealt with within 24 hours to minimise disruption to business operations.
14.2.4 Website Disruption
In the event that business website is disrupted, the following actions must be immediately undertaken:
- Website host to be notified
- Company Director of Marketing must be notified immediately
- Company Technical Director must be notified immediately
APPENDICES
APPENDIX A: TERMS AND DEFINITIONS
- Authentication means the process by which a person, process or system is verified as a particular person, process or system or a member of a class of persons, processes or systems, typically for access to data or another right or privilege. Strong Authentication means Authentication using at least two different verification factors.
- Confidential Information means non-public information received from Customer and non-public information generated for Customer in the course of SafePass providing products or services to Customer, or to others at Customer’s request or direction, as well as any other information defined as “Confidential Information”. Some Confidential Information has increased sensitivity and is categorized as “Sensitive Non-Public Information,” further described below.
- CPI means information acquired in connection with the provision of telecommunications service and includes individually identifiable customer proprietary network information (“CPNI”), personally identifiable information (“PII”), and content of communications. CPNI means information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service by a customer, and PII means any information that identifies a particular person.
- Cloud Environment means a set of systems and processes acting together to provide services on a remote or outsourced basis, and includes the following subtypes:
o Hybrid Cloud: A combination of Public Cloud and Private Cloud solutions.
o Private Cloud: Provision of computing and/or storage capabilities as a service and use thereof either by a single organization or by multiple organizations that can use the same services (including infrastructure, platform and/or software) in an architecture, configuration and/or system.
o Public Cloud: Provision of computing and/or storage capabilities as a service to external customers using Internet technologies. Public Cloud computing uses cloud computing technologies to support customers that are external to the provider’s organization.
- Customer Systems means applications, computing assets, systems, databases, devices owned or operated by or for Customer.
- Current means an age of one (1) year or less.
- Days means calendar days unless otherwise specified.
- Industry Standard means prescribed for use by an applicable nationally recognized standards body, and actually used or adopted by a substantial number of companies comparable in size, stature, and function to Customer.
- Loss means the loss of control over Confidential Information, such that one or more actors may further disclose or Misuse Confidential Information.
- Misuse means the inappropriate or wrongful exercise of a right or privilege, such as a right or privilege to access information, the wrongful disclosure of that information or the malicious or otherwise improper execution of a function or operation.
- Sanitization means a process that removes information from media or that renders such information irretrievable, such that data recovery is not possible, and means to a level no less effective than as specified in Guidelines for Media Sanitization, National Institute of Standards and Technology, NIST Special Publication 800-88 (NIST 800-88), as revised.
- Secure Destruction means a process that destroys media on which information is located and thereby makes recovery of such information impossible, consistent with Guidelines for Media Sanitization, National Institute of Standards and Technology, NIST Special Publication 800-88 (NIST 800-88), as revised. Incineration, shredding and pulverizing are all permissible physical destruction methods in accordance with minimum standards specified in NIST 800-88. Media that have been subject to such destruction are “Destroyed” and have achieved “Sanitization” under these Requirements.
- Secure Transportation means transport utilizing a licensed, bonded, secure carrier that implements and adheres to an Industry Standard chain of custody program, for tracking the movement and disposition of storage media or other equipment from receipt to final disposition, including tracking the following specific items:
o Ownership of the media
o Serial number of the media
o Verification at collection/pick-up location (owner/end user)
o Driver name, date and time stamp
o Receipt at SafePass’ location (date and time stamp)
- Security Compromise means the acquisition or use of data, or execution of operations or function, without authorization and through an actual or suspected contravention of security measures.
- Sensitive Non-Public Information means Confidential Information that also fits the following criteria:
o any state, US federal or other non-US national identification number assigned to an individual (such as SSNs, driver’s license, state ID, work visa number, passport number, tribal ID, military ID), as well as the last four SSN digits identifiable to an individual,
o financial/bank account information, credit card or debit card number, credit card validation codes (e.g., CVV2), credit card/debit card PIN numbers, magnetic stripe data,
o date of birth (when identifiable to an individual),
o set-top box identification number, device MAC address (or other similar hardware identifiers that can be associated with a customer),
o set-top box data, network event data, usage data or activity data generated by a Customer customer’s interaction with any content distributed by or on a Customer System, or made available by Customer, and information about a Customer customer’s visit to (or failure to visit) any website or application,
o information concerning an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, as well as an individual’s health insurance policy number or any unique identifier used to identify the individual for health/medical care purposes, and claims history, including any appeals records,
o Customer employee information, such as background and drug testing results; work limitations (involving physical limitations or mental health issues); disciplinary information; ethics/EEO case information; marital/domestic partner status; information about an individual’s national security clearance,
o other information about a Customer customer that can be associated with that individual, including by way of example call detail (calls made), subscription or purchase information and other CPI, email contents, voice mails, voice recordings, Internet usage/navigation, geo-location information, customer or potential customer credit scores or credit status, and
o any other Sensitive Non-Public Information (SPI) not specifically described above.
- Storage Encryption means data encryption using a non-proprietary Industry Standard algorithm.
- SafePass Devices means devices (computing, storage, telecommunications or networking equipment) provided by SafePass that process, store, or transmit Confidential Information or are used to perform services.
- SafePass Systems means any SafePass or third-party systems or applications, alone or used with SafePass Devices, that process, store, or transmit Confidential Information or are used to perform services.
- SafePass Staff means employees, contract employees, and temporary staff of SafePass and any authorized subcontractors with access to Confidential Information.
- Transport Encryption means transport encryption that is no less secure than encryption utilizing the then-current IETF (www.ietf.org) ratified version of Transport Layer Security (TLS), with cipher suites providing a minimum of 128-bit encryption and certificate keys of at least 1024 bits, using Customer-approved digital certificates. Note that 1024 bits is a contractual floor, not a target: NIST has disallowed 1024-bit RSA keys for new signatures since 2014, and 2048-bit keys are the practical minimum for any certificate issued today.
APPENDIX B: 3P SYSTEM CERTIFICATIONS
https://cloud.google.com/security/compliance/