Information Security Policy

This Information Security Policy describes the eConnect Inc. systems used to plan, guide, manage and secure internal and external company data, internal and external customer data, and the end users of eConnect software and systems, and how we protect and manage those systems and the corresponding data.

Table of Contents

Purpose

Scope

History

Responsibilities

General Policy Definitions

IT Assets Policy

Policy Statement

Terms & Definitions

Ownership & Administration

Applicability

Security Policies

Data Protection & Encryption

Password Policy

Authorized Software

Physical Security

Business Continuity and Disaster Recovery

Backups

Virus and Malware Protection

Access Control

Logging and Monitoring

Vulnerability Management

Security Awareness, Vulnerabilities, Weaknesses, Events, and Incidents

Auditing and Assessments

Server Security

Patch Management

Endpoint Security

Mobile Computing

Network Security

Routers, Hubs and Switches

Cabling

Wireless Network Security

Clock Synchronization

Test, Development and Production Environments

Development

Transfer of Information

Data Classification, Labeling, and Handling

Messaging Security

Removable Media

Voice System Security

Inventory Management

Background Checks

Vendor/Partner Risk Management

Introduction

eConnect provides software and solutions to hundreds of commercial enterprises across the US and the world. This policy sets out the procedures and protections used to protect, secure, and provide access to systems, software, and subscriber data.

This policy reasonably adheres to industry standards and best practice and provides safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, covered data. It is designed to provide a consistent application of security controls for eConnect and eConnect subscribers.

Protection of eConnect proprietary software and other managed systems shall be addressed to ensure the continued availability of data, systems, and applications to all authorized parties, and to ensure the integrity and confidentiality of affected data and configuration controls.

Scope

This document applies to all users in the Organization. The organization employs no temporary users or visitors with temporary access to services, and when working with partners those partners have limited access, or access only to monitored services. Compliance with the policies in this document is mandatory for this constituency.

Author: Jack Coronel - General Counsel. Version 1.0. Published 11-01-2020.

Roles & Responsibilities

Chief Executive Officer

Accountable for all aspects of the Company’s Information Security Policy.

Chief Technology Officer

Responsible for the security of the IT infrastructure.

Plan against security threats, vulnerabilities, and risks.

Respond to information security incidents.

Help in disaster recovery plans.

Information Owners

Help with the security requirements for their specific area.

Determine the privileges and access rights to the resources within their areas.

IT Team Leaders

Implement and operate IT security.

Implement the privileges and access rights to the resources.

Implement and maintain Security Policy documents.

Ensure security training programs are in place.

Ensure the IT infrastructure and team support the Security Policies.

Users

Comply with Security Policies.

Report any attempted security breaches.

General Policy Definitions

All IT services shall be used in compliance with the technical and security requirements defined in the design of the services.

eConnect uses reasonable efforts to protect the security and privacy of all information received by, through or on behalf of eConnect or its customers. In cases where a system or provider cannot meet these requirements, exceptions will be noted and alternate controls will be implemented.

Infractions of the policies in this document may lead to disciplinary action. In serious cases they may lead to termination and/or prosecution.

Data Protection & Encryption

To provide data confidentiality in the event of accidental or malicious data loss, all Personal Data, PII, SCI or Subscriber Data shall be encrypted at rest.

Encryption of data at rest shall use at least AES 256-bit encryption.

Strong cryptography and security protocols, such as TLS 1.2 or IPsec, are required to safeguard Personal Data, PII, SCI or Subscriber Data during transmission.

Key exchange shall use RSA or DSA cryptographic algorithms with a minimum key length of 2048 bits and a minimum digest length of 256.

Digital signatures shall use RSA or DSS with a minimum key length of 2048 bits and a minimum digest length of 256.

Hashed data shall use bcrypt as the hashing algorithm. bcrypt incorporates an algorithmic salt to protect against rainbow table attacks and is an adaptive function. As such, the iteration count (cost factor) shall be tuned to an appropriate balance between security and performance so that brute-force search attacks remain impractical.

Encryption of wireless networks shall be enabled using the following encryption levels:

Corporate Network: At a minimum, WPA2-Enterprise with PEAP (802.1X with AES) and 2FA using domain-joined machines.

Extranet Network (isolated from Corporate and Guest Network): WPA2-Enterprise with PEAP (802.1X with AES).

Guest Network (isolated from Corporate and Extranet Network): Captive Portal (requires eConnect Personnel to authorize access), with guests required to connect over secure connections (HTTPS) for encrypted transit.

Any additional required wireless networks that cannot be addressed by the wireless network types identified above must be approved and shall adhere to the data protection and encryption policy.

Personal Data, PII, SCI or Subscriber Data shall not be stored on equipment not owned or managed by eConnect, Inc.

Data shall be transferred only for the purposes determined/identified in eConnect’s Data Security & Privacy Statement.

Documented policies and processes shall be implemented to ensure appropriate encryption and key management is in place.

If you are unsure regarding the level of required encryption or specific encryption policies, you shall contact Information Security for guidance and approval.

Data loss prevention processes and tools shall be implemented to identify and/or prevent data loss.

Password Policy

Unless otherwise specified within this IT Security Policy, the following security requirements shall be adhered to when creating passwords:

Minimum of eight (8) characters in length, containing characters from each of the following three categories:

English uppercase characters (A through Z)

English lowercase characters (a through z)

Base 10 digits (0 through 9)

The use of non-alphabetic characters (e.g., !, $, #, %) is optional but is highly recommended.

Password history shall be kept for the previous six (2) passwords, and passwords shall be unique across the password history.

Maximum password age is ninety (180) days.

Passwords shall not be the same as, or include, the user ID.

Passwords shall not be visible by default when entered.

Passwords shall not be easily guessable.

Set first-time passwords to a unique value for each user and change them immediately after the first use.

User accounts shall be locked after seven (7) incorrect attempts.

Lockout duration shall be set to a minimum of thirty (30) minutes or until an administrator resets the user’s ID upon proper user identity verification.

If a session has been idle for more than ten (10) minutes, the user shall be required to re-enter the password to re-activate access.

The following shall be adhered to when managing user passwords:

Verify user identity before performing password resets.

Where possible, these requirements shall be automatically enforced using management tools such as Active Directory Group Policy or specific system configuration(s).

Access to shared network/service/system power user/root/admin passwords shall be controlled and limited to no more than three administrators. Usage of these accounts shall be monitored.

Role-based access to all systems shall be implemented, including individually assigned usernames and passwords.

Usernames and passwords shall not be shared, written down, or stored in easily accessible areas.

Assigning multiple usernames to users shall be limited. However, when multiple usernames are assigned to personnel, a different password shall be used with each username.

Group, shared, or generic accounts and passwords shall not be used unless approved (e.g., service accounts), and shall follow approved information security standards.

Special administrative accounts, such as root, shall implement additional controls, such as alerting, to detect and/or prevent unauthorized usage.

Administrator, superuser, and service account passwords shall be stored in a secure location, for example a fire safe in a secured area. If these are stored on an electronic device, the device and/or data shall be encrypted following the eConnect encryption policy, and access shall be restricted accordingly.

Change any default passwords on systems after installation.

Render all passwords inaccessible during transmission using encryption.

Passwords shall be protected in storage by hashing.

Remove custom application accounts, user IDs, and passwords before applications become active or are released to subscribers.
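An added example (not part of the policy document or eConnect's own code) showing how the password creation and account lockout rules above can be enforced in code: the thresholds are taken from the policy text, the password history is supplied by the caller, and the timestamps are constructed.

```python
"""Enforcement of the password creation and account lockout rules above.

Constructed example (not eConnect code). Thresholds come from the policy text:
8-character minimum, all three character categories, no user id in the
password, uniqueness across the supplied history, lockout after 7 failed
attempts for 30 minutes or until an administrator reset.
Storage hashing (bcrypt) belongs to the credential store and is not shown.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 7
LOCKOUT_MINUTES = 30


def check_complexity(password: str, user_id: str, history: List[str]) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # All three mandatory categories must be present; symbols are optional.
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no uppercase letter")
    if not any("a" <= c <= "z" for c in password):
        problems.append("no lowercase letter")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no digit")
    # The password must not be, or contain, the user id (compared case-insensitively).
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user id")
    # Unique across the retained history. A real store keeps hashes of prior
    # passwords and verifies the candidate against each; plaintext is used here
    # only to keep the example self-contained.
    if password in history:
        problems.append("reused from password history")
    return problems


@dataclass
class AccountLockout:
    """Per-account failed-attempt counter with the policy's lockout behaviour."""
    failed: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> bool:
        """Register a wrong password; return True if the account is (now) locked."""
        if self.is_locked(now):
            return True  # attempts during a lockout are rejected, not counted
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
            return True
        return False

    def record_success(self, now: datetime) -> bool:
        """A correct password is accepted only while no lockout is active; it clears the counter."""
        if self.is_locked(now):
            return False
        self.failed = 0
        self.locked_until = None
        return True

    def admin_reset(self) -> None:
        """Administrator reset (after identity verification) ends a lockout early."""
        self.failed = 0
        self.locked_until = None


def lockout_demo(failures: int, minutes_elapsed: int, admin_reset: bool = False) -> dict:
    """Apply `failures` wrong attempts at a fixed start time, optionally an admin reset,
    then report the account state `minutes_elapsed` later and whether a correct login succeeds."""
    start = datetime(2020, 11, 1, 9, 0)  # constructed timestamp
    account = AccountLockout()
    for _ in range(failures):
        account.record_failure(start)
    if admin_reset:
        account.admin_reset()
    later = start + timedelta(minutes=minutes_elapsed)
    return {"locked": account.is_locked(later), "failed": account.failed,
            "login_ok": account.record_success(later)}


if __name__ == "__main__":
    print(check_complexity("Jsmith2020", "jsmith", []))  # ['contains the user id']
    print(lockout_demo(7, 0))   # locked after the seventh failure, login refused
    print(lockout_demo(7, 30))  # lockout has expired, correct login accepted
```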

Authorized Software

Only authorized, supported, and properly licensed software shall be installed on eConnect owned or managed systems.

Only IT administrators, or specific approved personnel who have been granted administrator access, shall install authorized and licensed software.

The use of unauthorized software is prohibited. Immediate removal of unauthorized software is required if it is discovered.

Workstation configurations or build standards defined by the IT Department shall be followed. Changes to these definitions are only allowed by the IT Department, or by authorized parties who have been specifically granted administrator access.

A security review and approval of all software shall be completed prior to production release. The review shall be based on system criticality and data type. Free, shareware, and open source software, as well as software as a service (SaaS), shall be reviewed as well.

Software that is end-of-life and no longer supported is considered unauthorized software and shall be addressed.

Physical Security

Physical security of computer equipment shall conform to recognized loss prevention guidelines.

Personnel and authorized third parties shall ensure that Sensitive Compartmented Information (SCI), Personally Identifiable Information (PII), Personal Information (PI), and customer data are only reproduced in hardcopy format where absolutely needed for an identified purpose, and that such copies are appropriately secured. All Personnel and authorized third parties shall follow clean desk/clean screen best practices, especially when stepping away from workspaces.

Facility entry controls shall be used to limit and monitor physical access to systems where PII, SCI and Subscriber Data are maintained, including but not limited to buildings, loading docks, holding areas, telecommunication areas, cabling areas, and media containing PII, SCI or Subscriber Data, using appropriate security controls including, but not limited to:

Use of video cameras or other access control mechanisms to monitor individual physical access to sensitive areas.

Storage of video for at least ten (10) days, unless otherwise required by law.

Restriction of unauthorized access to network access points.

Restriction of physical access to wireless access points, gateways, and handheld devices.

Use of defined security perimeters, appropriate security barriers, entry controls and authentication controls, as appropriate.

Ensuring that all personnel with physical access to data centers containing PII, SCI or Subscriber Data wear visible identification that identifies them as employees, contractors, visitors, etc.

Restriction of non-personnel or Need to Know Parties (NKP) from being given virtual access to the Data Center without appropriate approvals in place.

Ensuring that any physical access required by NKPs is supervised.

All visitors shall sign in and receive the appropriate access, as necessary.

Any paper and electronic media that contain Subscriber Data, PII, SCI or Personal Data shall be physically secured.

Doors to physically secured facilities shall be kept locked at all times.

Power Availability

All servers are required to use uninterruptible power supplies (UPS).

All hubs, bridges, repeaters, routers, switches and other critical network equipment shall be UPS protected.

Sufficient power availability shall be in place to keep the network and servers running until the Disaster Recovery Plan can be implemented.

UPS software shall be installed on all servers to perform an orderly shutdown in the event of a total power failure.

All UPSs shall be periodically tested.

Environmental Protection

Consideration shall be given to ensuring that environmental concerns are addressed, such as fire, flood, and natural disaster (e.g., earthquake).

Redundant air conditioning units shall be in place to maintain appropriate temperature and humidity in the data center.

Data centers shall be required to undergo SOC 1/2 or equivalent audits on an annual basis, and vendors shall be required to remediate any findings in a reasonable timeframe.

Business Continuity and Disaster Recovery

Disaster recovery plans shall support customers’ business continuity plans and shall be in place and tested on a regular basis as set forth in the Support & Maintenance Policy (“SMP”).

A business continuity plan that considers information security requirements shall be implemented and tested at least once per calendar year.

Backups

Regular backups of data, applications, and the configuration of servers and supporting devices shall be taken to enable data recovery in the event of a disaster or business continuity event, and shall be retained according to the Data Retention Policy.

All backups shall be encrypted following the Data Protection & Encryption Policy for data at rest and in transit.

Backups shall be encrypted and stored in a physically and logically secure, geographically separate location.

Backups for critical systems and systems that contain production Subscriber Data, Personal Data and/or PII shall be performed on at least a daily basis.

Virus and Malware Protection

Up-to-date anti-virus software for detecting, removing and protecting against suspected viruses shall be installed on all servers, workstations, and laptops.

Anti-virus software shall be updated regularly on all workstations and servers with the latest anti-virus patches and/or signatures, where applicable.

Heuristic (signatureless) anti-virus software may be used with the approval of Information Security.

All systems shall be built from original, clean master copies to ensure that viruses are not propagated.

Users shall be made aware of current anti-virus procedures and policies.

Personnel shall inform the IT Department immediately in the event of a possible virus infection.

Upon notification of a virus infection, systems shall be isolated from the network, scanned, and cleaned appropriately. Any removable media or other systems to which the virus may have spread shall be treated accordingly.

If a system has been identified as potentially infected and removal/quarantine of the virus/malware cannot be definitively proven, the system shall be completely wiped and re-imaged.

Users or Subscribers impacted by virus-related security incidents shall be notified as soon as reasonably possible, in alignment with incident response procedures.

Potential virus and malware infections shall be immediately reported to Information Security and escalated to the Security Incident Response Team (SIRT).

Access Control

Confidentiality of all data, both eConnect and Subscriber Data, shall be maintained through discretionary and mandatory access controls administered by eConnect or the respective customer, as applicable.

Establish a process for linking all access to system components (especially access with administrative privileges such as root) to each individual user.

The IT Department shall be notified by HR (human resources) of all personnel leaving eConnect’s employ prior to or at the end of their employment. As soon as possible after notification, and not later than twenty-four (24) hours, rights to all systems shall be removed unless a specific exception request is received from Talent, Legal or Information Security.

Administrators shall only log into systems with user IDs attributable to them, or follow processes that do not break attribution.

Access to databases containing Subscriber Data, Personal Data, PII or SCI shall always be authenticated. This includes access by applications/services, administrators, and all other users or sources.

All access shall be removed for users who administer or operate systems and services that process Personal Data and PII where their user controls are compromised (e.g., due to corruption or compromise of passwords, or inadvertent disclosure).

The reissuance of de-activated or expired user IDs for systems or services that process Personal Data and PII shall not be permitted.

All logins to the Subscription shall be secured through an encrypted connection (e.g., HTTPS) and appropriately authenticated.

Ensure proper user management for all users as follows:

Ensure that the Principle of Least Privilege, using role-based access control (RBAC), is followed for all users.

Control addition, deletion, and modification of usernames, credentials, and other identifier objects.

Users (including temps, consultants, and contractors) shall formally request access to systems with only the rights necessary to perform their job functions.

A manager or above and the system owner shall formally approve user roles and access requests. System administrators shall act as the final gatekeeper to ensure access is granted appropriate to the identified role.

Usernames shall follow a consistent naming methodology to allow for proper attribution (e.g., generally consisting of the first initial and first five letters of the user’s surname).

Inactive user accounts shall be reviewed and disabled and/or removed at least every ninety (180) days. Exceptions shall be documented, reviewed, and approved by Information Security.

Enable accounts used by vendors for remote maintenance only during the time period needed. Ensure all vendor activity is monitored.

Ensure minimal, controlled use of administrator, local administrator, enterprise admin, and/or schema admin profiles.

Avoid assigning security equivalences that copy one user’s rights in order to create another’s.

Periodic reviews of users’ access and access rights shall be conducted to ensure that they are appropriate for the users’ roles.

Remote access to eConnect networks shall only be granted to personnel and/or authorized third parties and shall use two-factor authentication (TFA) or multi-factor authentication (MFA).

Two-factor authentication (TFA) or multi-factor authentication (MFA) shall be used for any services remotely accessible by personnel and/or authorized third parties (e.g., Office 365, VPN), unless the personnel and/or authorized third parties are connected to the protected corporate network.

Remove external access to subscriber databases immediately upon notification that a subscriber has terminated their relationship with eConnect.

Remove subscriber databases from the system within thirty (30) days of subscriber termination.

Overwrite all subscriber backup data within twelve (12) months of the subscriber’s termination date.

Access to the internet and other external services shall be restricted to authorized parties only, based on the assigned role.

Revalidation timeouts for SaaS products and services used by eConnect Personnel must be set to 12 hours or less, in compliance with NIST SP 800-63B.

Logging and Monitoring

System auditing/logging facilities shall be enabled and shall forward to a centralized logging system. In the event of any log restoration effort, the log shall capture the name of the person responsible for the restoration and a description of the Personal Data and PII being restored.

Secure audit trails shall be protected so they cannot be altered.

Central repositories of security-related logs shall be administered and managed by the Information Security Department.

Monitoring systems used to record login attempts/failures, successful logins and changes made to systems shall be implemented. Any exceptions shall be approved by Information Security.

Intrusion detection and logging systems shall be implemented to detect unauthorized access to the networks.

Security-related monitoring tools and software shall only be used as required by role, and only when authorized by Information Security. This includes sniffing, vulnerability identification, and security incident and event management tools.

Auditing features on wireless access points and controllers shall be enabled, if supported, and the resulting logs shall be reviewed periodically by Information Security.

All external ingress/egress connections shall be logged.

Logs shall be retained for one year.

The following automated audit trails shall be implemented for all system components to allow reconstruction of the following events:

All individual accesses to PII.

Actions taken by any individual with root or administrative privileges.

Access to controlled audit trails.

Invalid logical access attempts.

Use of identification and authentication mechanisms.

Initialization of, or changes to, system logging.

Creation and deletion of system-level objects.

Record at least the following audit trail entries for all system components for each event:

User identification.

Type of event.

Date and time.

Success or failure indication.

Identity or name of the affected data, system component, or resource.

Viewing of audit trails shall be limited to those with a job-related need.

Appropriate security monitoring tools shall be implemented to ensure that knowledge of the ongoing security posture is maintained and that appropriate actions can be taken to mitigate security events/incidents.

Access logs shall be periodically reviewed, and immediate action taken as necessary to mitigate issues found.

Vulnerability Management

The eConnect IT team shall perform external and application penetration testing at least once per calendar year, or after any significant infrastructure or application upgrade or modification. These penetration tests shall include the following:

Network-layer/infrastructure penetration tests.

Application-layer penetration tests.

Mobile application penetration tests.

Attestation of successful completion, including the remediation status of any findings.

Perform internally conducted vulnerability tests of internal and external systems at least quarterly. Ensure findings are addressed in a timely manner.

Address newly identified threats and vulnerabilities on an ongoing basis, based on severity and the skill level required to take advantage of the identified vulnerability.

Ensure the following are implemented:

Static code testing.

Dynamic code testing of the test and production environments.

Manual testing after any significant changes.

Processes to ensure that security vulnerabilities identified as Severity 2 or higher using the OWASP DREAD model, or equivalent, are not released into the production environment.

Processes to ensure identified vulnerabilities are addressed in a timely manner, based on risk:

30 days for high-risk critical and/or security vulnerabilities.

14 days for zero-day vulnerabilities.

Security Awareness

Security awareness training shall be conducted at least once per calendar year. Training shall cover information security policies as well as best practice. In addition, the following shall occur:

Security awareness training shall be given at the first onboarding session attended by new employees (usually within two weeks of employment).

Specialized training shall be given to key stakeholders (e.g., incident reporting and management, ISO 27001, security policy and process, assessment response best practice).

Identified Security Weaknesses or Security Vulnerabilities shall be immediately reported to the IT Department.

Unless authorized by the IT Department, at no time shall an attempt be made to take advantage of any Security Weakness or Security Vulnerability.

Security Weaknesses or Vulnerabilities that have been exploited could trigger a Security Event. Security Events shall be analyzed to determine whether or not they are considered Security Incidents.

Auditing and Assessments

The eConnect CTO shall verify eConnect’s compliance with the IT Security Policy through periodic audits, at least once per calendar year.

eConnect will maintain a high level of industry standards, ensuring that the eConnect information security management system (ISMS) continues to perform in alignment with the standard.

Data center providers shall have SOC 2 audits performed regularly.

Customers may perform reasonable security assessments as needed, following industry best practice.

Customer audits are generally not allowed, due to confidentiality, complexity, and resource requirements. However, attestation letters and certifications can be provided to demonstrate eConnect’s compliance with the IT Security Policy.

Server Security

Servers shall be physically secured.

All administrative access shall be encrypted in adherence with eConnect’s policy. Access via unencrypted protocols (e.g., Telnet, FTP) is not allowed without prior IT approval.

Limit the number of concurrent connections to two (2), where possible.

Only one (1) primary function per server shall be implemented, where possible.

Server administrators shall be limited to one primary administrator and two backup administrators, where feasible. Exceptions shall be approved by IT.

End-of-life and/or end-of-support servers shall not be used and, if discovered, shall be removed from the network as soon as possible.

Define and implement server build standards that include, at a minimum, the following:

Hardening based on industry best practice (e.g., CIS standards);

Host-based intrusion detection (HIDS) / file integrity monitoring (FIM);

Anti-virus/anti-malware;

Centralized logging configuration;

Security information and event management (SIEM) integration.

Patch Management

Server operating systems shall be patched within 30 days of a critical and/or security patch release.

Workstations and laptops shall be patched within 30 days of a critical and/or security patch release.

Network devices shall be patched within 30 days of the release of a critical and/or security patch.

Zero-day patches shall be applied to all systems containing Subscriber Data and to critical systems within 14 days, and to all other systems within 30 days.

Patches shall be tested prior to rollout in the production environment. Less critical systems shall be patched first.

Failure to patch within the defined timelines could result in disciplinary action, up to and including termination.

Endpoint Security

Users shall shut down, log out of, or lock workstations when leaving for any length of time.

Workstations and laptops shall be restarted periodically.

Workstations and laptops shall adhere to the virus and malware protection policy.

Define and implement endpoint build standards that include, at a minimum, the following:

Defined configurations based on industry best practice;

Authorized software;

Anti-virus/anti-malware;

Web filtering / Cloud Access Security Broker (CASB);

SIEM agents (e.g., Rapid7 IDR).

Workstation access to the Internet shall be controlled based on assigned or departmental role.

Mobile & Remote Computing

Ensure appropriate controls are in place to mitigate risks to protected information from mobile computing and remote working environments.

Data loss prevention processes and tools shall be implemented to identify and/or prevent data loss.

eConnect data shall be removed from employee-owned mobile devices within the timelines defined in termination policies.

Use of personally owned devices shall comply with acceptable use and information security policies if they are used to access Personal Data, PII or SCI.

Devices owned by personnel shall never be used to access customer data, unless appropriate monitored controls, approved by IT, have been implemented.

Devices owned by personnel or authorized parties are not allowed to connect to corporate or production networks.

Employee-owned mobile devices shall have the ability to connect to a network separate from the guest network, where feasible.

Network Security

Access to internal and external network services that contain Subscriber Data shall be controlled through:

Network access control lists (NACLs), or equivalent.

Firewall policies, or equivalent.

Security groups, or equivalent.

IP whitelists, or equivalent.

A multi-tier architecture that prevents direct access to data stores from the internet.

Role-based access controls (RBAC) shall be implemented to ensure appropriate access to networks.

Two-factor authentication for remote access shall be implemented using appropriate access control best practices.

Firewalls, routers, and access control lists, or equivalent access controls, shall be used to regulate network traffic for connections to/from the Internet or other external networks, as follows:

Configuration standards shall be established and implemented.

Access control policy shall limit inbound and outbound traffic to only necessary protocols, ports, and/or destinations.

Internal IP address ranges shall be blocked from passing from the Internet into the DMZ or internal networks.

All inbound internet traffic shall terminate in a DMZ.

Only IT-approved connections shall be allowed into eConnect networks.

The use of all services, protocols, and ports allowed to access eConnect networks shall be reviewed on a periodic basis, at a minimum every twelve (12) months, for appropriate usage and control implementation.

All internet-facing rule set modifications shall be reviewed and approved by the Information Security Department prior to implementation.

Direct access between the Internet and any system containing PII shall be prohibited.

Network equipment shall be configured to close inactive sessions.

Remote access servers shall be placed in the firewall DMZs.

Network intrusion detection systems (IDS) shall be implemented as needed and monitored by IT.

Routers, Hubs and Switches

 

LAN equipment, hubs, bridges, repeaters, routers and switches shall be kept in physically secured facilities.

 

Network equipment access shall be restricted to appropriate Personnel only. Other staff and contractors requiring access are required to be supervised.

 

Network equipment access shall occur over encrypted channels as defined in the Data Protection & Encryption Policy and Encryption and Key Management Policy. Access via unencrypted protocols (http, telnet, ftp, tftp) shall not occur. Unused channels shall be disabled.

 

Wireless access points and controllers shall not be allowed to connect to the production subscriber network.

 

Unnecessary protocols and services shall be disabled on routers and switches.

 

Cabling

 

Network cabling shall be documented in physical and/or logical network diagrams.

All unused network ports and wall jacks shall be disabled.

Storing or placing any item on top of network cabling shall be avoided.

Redundant cabling schemes shall be used whenever possible.

Secure, encrypted VPN connections to other networks controlled by eConnect or outside entities, when required, shall be approved by Information Security.

Configuration of routers and switches shall be documented and aligned with industry best practice. This shall include changing any vendor-supplied defaults (passwords, configurations, etc.) before installing in production.

End-of-life and/or unsupported network devices shall not be used and, if discovered, shall be removed from the network as soon as possible.

 

Wireless Network Security

 

Wireless networks shall be encrypted in accordance with industry best practice and eConnect policy.

 

Access to wireless networks shall be restricted to only those authorized, as follows:

Guest Network: Accessible by guests (with appropriate employee approval) and by employees; minimal web filtering is in place and there is no direct access to the corporate or production network.

Extranet Network: Only accessible by approved employee-owned devices; minimal web filtering is in place and there is no direct access to the corporate or production network.

Corporate Network: Only accessible by eConnect-owned devices, with controlled ingress/egress and web filtering; there is no direct access to the production network.

Personnel and authorized third parties are not allowed to install unauthorized wireless equipment.

All Wi-Fi bridges, routers and gateways shall be physically secured.

Default SSIDs, usernames and passwords shall be changed or removed prior to deployment in a production environment.


 

Clock Synchronization

 

Clocks of information processing systems performing critical or core functions within the eConnect environment shall be synchronized to a single reference time source (e.g., NTP servers that are themselves synchronized to a standard reference such as UTC).

 

Test, Development and Production Environments

 

Test software upgrades, security patches, and system and software configuration changes before deployment. Testing shall include, but is not limited to, the following:

Validate proper error handling.

Validate secure communications.

Validate proper role-based access control (RBAC).

Validate performance impact.

 

Development, test, and production environments shall be segregated.

 

Separation of duties shall exist between development, test, and production environments.

 

Do not use Personal Data or PII for testing and/or development. Use only false/synthetic data (preferred) or de-identified and strongly pseudonymised data for testing and/or development.
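"Strongly pseudonymised" is the part that is usually done wrong: an unkeyed hash of a phone number, postal code or SSN is not pseudonymisation, because anyone holding the hash can enumerate the input space and invert it. The following is an added example, not eConnect's own tooling, of a keyed export job: direct identifiers are replaced by HMAC-SHA-256 tokens under a key that stays with the production side, free-text fields are dropped, dates are generalised, and the weak unkeyed variant is shown being inverted. The record layout, the field classification and the sample record are constructed.

```python
"""Keyed pseudonymisation of a customer record for test/dev use.

Added example, not eConnect's own tooling. The record layout, the field
classification and the sample record are constructed. Identifiers are
replaced with HMAC-SHA-256 tokens under a key that stays with the
production-side export job; free-text fields are dropped, dates generalised.
"""
import hashlib
import hmac
from typing import Optional

DIRECT_IDENTIFIERS = ("customer_id", "email", "phone", "ssn")   # assumption: the dataset's identifying columns
DROP_FIELDS = ("name", "street_address")                          # free text cannot be tokenised safely: drop it
TOKEN_LENGTH = 16


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token. Same key + same value -> same token, so
    foreign keys still join across exported tables; the field name is mixed
    in so equal values in different columns do not produce equal tokens."""
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TOKEN_LENGTH]


def pseudonymise(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DIRECT_IDENTIFIERS:
            token = pseudonym(key, field, str(value))
            # Keep the shape the application validates, but on a reserved domain.
            out[field] = f"{token}@example.com" if field == "email" else token
        elif field == "date_of_birth":
            out[field] = value[:4] + "-01-01"     # generalise to year of birth
        else:
            out[field] = value
    return out


def weak_pseudonym(value: str) -> str:
    """What NOT to do: an unkeyed hash. Anyone holding the output can enumerate
    a small input space (postal codes, phone numbers, SSNs) and invert it."""
    return hashlib.sha256(value.encode()).hexdigest()


def invert_weak_postal_code(digest: str) -> Optional[str]:
    """Re-identifies an unkeyed hash of a five-digit postal code by brute force."""
    for n in range(100_000):
        candidate = f"{n:05d}"
        if weak_pseudonym(candidate) == digest:
            return candidate
    return None


# Constructed sample record; nothing here is a real person.
SAMPLE_RECORD = {
    "customer_id": "C-1048576",
    "name": "Jane Example",
    "email": "jane.example@example.org",
    "phone": "702-555-0100",
    "ssn": "000-00-0000",
    "street_address": "1 Example Way",
    "date_of_birth": "1984-07-21",
    "plan": "enterprise",
}

if __name__ == "__main__":
    export_key = b"constructed-demo-key-do-not-reuse"   # real key: generated per export, never copied to test
    print(pseudonymise(SAMPLE_RECORD, export_key))
    print(invert_weak_postal_code(weak_pseudonym("89101")))   # recovers the postal code almost instantly
```

The key is what makes this hold up: without it, tokens cannot be brute-forced back to identifiers; with it, a nine-digit SSN space is enumerable in seconds. The key therefore belongs to the production-side job and must never be copied into the test or development environment, and a fresh key per export keeps tokens from being correlated across data sets.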

 

Remove test data and accounts before production systems become active.

 

Follow change control procedures for all changes to system components. The procedures shall include testing of operational functionality.

 

Development

 

Manage all code through a version control system to allow viewing of change history and content.

 

Ensure that a test engineering (i.e. quality assurance (QA)) methodology is followed using a multi-phase quality assurance release cycle that includes security testing.

 

Deliver security fixes and improvements aligning to a predetermined schedule based on identified severity levels.

 

Perform vulnerability testing as a component of QA testing and address any severity 2 or higher findings prior to software release.

Ensure that software is released only via production managed change control processes, with no access or involvement by the development and test teams.

 

Develop all web applications (internal and external, including web administrative access to application(s)) based on secure coding best practice. Cover, at a minimum, prevention of the OWASP Top 10 (2017 edition) vulnerability classes in software development processes, including the following:

 

Injection

Broken Authentication

Sensitive Data Exposure

XML External Entities (XXE)

Broken Access Control

Security Misconfiguration

Cross-Site Scripting (XSS)

Insecure Deserialization

Using Components with Known Vulnerabilities

Insufficient Logging & Monitoring

 

Awareness training regarding secure coding shall be conducted at least once per calendar year. The curriculum shall be approved by Information Security.

 

Transfer of Information

 

To protect the confidentiality of PII in transit:

 

Ensure that all data in transit is encrypted, or that the transmission channel itself is encrypted, following the Data Protection & Encryption Policy.

 

Monitor all data exchange channels to detect unauthorized information releases.

 

Use Information Security approved security controls and data exchange channels.

 

Data Classification, Labeling, and Handling

 

Data classification, labeling and handling policies shall be put in place in order to ensure that data is appropriately handled (e.g. Data Security and Privacy Statement, Data Classification Policy, etc.).

 

Strict control over the storage and accessibility of media that contains Personal Data shall be maintained.

 

Properly maintain inventory logs of all media and conduct media inventories at least annually.

 

Destroy media containing Personal Data when it is no longer needed for business or legal reasons by following procedures including, but not limited to:

 

Disposal of media containing Personal Data so that it is rendered unreadable or undecipherable, such as by burning, shredding, pulverizing, or overwriting. Media sanitization processes shall be implemented following best practices.

 

Disposal logs providing an audit trail of disposal activities shall be securely maintained and kept for a minimum of ninety (90) days.

 

Certificates of destruction shall be maintained for at least one year.

 

Messaging Security

 

All incoming email shall be scanned for viruses, phishing attempts, and spam.

 

Outgoing email shall have data loss prevention (DLP) monitoring in place.

 

Any messaging service shall be approved by Information Security prior to usage and shall include appropriate audit trails and encryption of data at rest and in transit. Data loss prevention (DLP) tools and processes shall be implemented, where possible.

 

Removable Media

 

All removable media brought in from outside eConnect shall be scanned for viruses/malware prior to use. Any identified malware/viruses shall be removed with the assistance of End User Support prior to use.

 

Personal Data is prohibited on any kind of removable device, unless the device is approved and documented by the eConnect IT team (support@eConnect.com) and is encrypted following the Data Protection & Encryption Policy. Notwithstanding the foregoing, if stored or cached information resides on a removable device, Personnel will follow company policies and procedures, including acceptable use requirements as defined in the Employee Handbook and Data Security and Privacy Statement, to mitigate the risk of a Data Breach.

 

Individuals in sensitive positions, with access to Personal Data, SCI or Subscriber Data, shall not store such data on removable media, unless required by their role and approved by Information Security and Privacy in accordance with best practices.

 

In the rare event that physical media containing Personal Data and PII is approved for use in accordance with this Section 25, the Privacy team will document the applicable details, including the type of physical media, the authorized sender/recipients, the date and time, the number of physical media, and the type of encryption used.

 

Voice System Security

 

The default and maintenance passwords on the voice system shall be changed to user defined passwords that meet eConnect’s password policy.

 

Call accounting shall be used to monitor access and abnormal call patterns.

Separate internal and external call forwarding privileges shall be in place to prevent inbound calls being forwarded to an outside line.

 

An access PIN with a minimum length of six (6) digits shall be used for critical voice mail accounts.

 

Voice mail access PINs shall not match the last six (6) digits of the phone number.

 

Callers shall be locked out of a voice mail account after three (3) failed PIN validation attempts.
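The three voice mail PIN rules above are the kind of thing that gets checked once at provisioning and then drifts. The following is an added example, not eConnect's PBX code, that turns them into an enrolment check and a lockout counter. Phone numbers are assumed to be digit strings and lockout state lives in memory here (a real voice system would persist it). Beyond what this page requires, the check also rejects a PIN made of one repeated digit and a PIN that appears anywhere in the mailbox's own number, a stricter generalisation of the last-six-digits rule.

```python
"""Voice-mail PIN rules as executable checks, added example (not eConnect's
PBX code). Phone numbers are digit strings; lockout state lives in memory here,
a real voice system would persist it. Beyond the rules on this page, the check
also rejects a PIN made of one repeated digit and a PIN that appears anywhere
in the mailbox's own number, a stricter generalisation of the last-six rule.
"""
import hashlib
import hmac
import secrets
from typing import Optional

MIN_PIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 3


def pin_policy_violation(pin: str, phone_number: str) -> Optional[str]:
    """Return the first rule the PIN breaks, or None if it is acceptable."""
    number_digits = "".join(ch for ch in phone_number if ch.isdigit())
    if not pin.isdigit():
        return "PIN must contain digits only"
    if len(pin) < MIN_PIN_LENGTH:
        return f"PIN must be at least {MIN_PIN_LENGTH} digits"
    if pin == number_digits[-6:]:
        return "PIN must not match the last six digits of the phone number"
    if pin in number_digits:
        return "PIN must not appear within the phone number"
    if len(set(pin)) == 1:
        return "PIN must not be a single repeated digit"
    return None


class VoiceMailbox:
    """One mailbox: salted PIN hash plus a failed-attempt counter and lockout."""

    def __init__(self, phone_number: str, pin: str):
        problem = pin_policy_violation(pin, phone_number)
        if problem:
            raise ValueError(problem)
        self.phone_number = phone_number
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin)
        self.failed_attempts = 0
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        # Slow hash so an exported mailbox table does not hand out PINs; the
        # 10^6 PIN space is still small, which is why the lockout below matters.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def authenticate(self, pin: str) -> bool:
        """Validate a caller's PIN; lock the box after MAX_FAILED_ATTEMPTS failures."""
        if self.locked:
            return False                      # locked boxes reject even the right PIN
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def unlock(self):
        """Administrative reset after the owner's identity has been verified."""
        self.failed_attempts = 0
        self.locked = False


if __name__ == "__main__":
    box = VoiceMailbox("702-555-0100", "481516")
    for guess in ("000000", "123456", "555010"):
        print(guess, box.authenticate(guess), "locked" if box.locked else "open")
    print("owner PIN after lockout:", box.authenticate("481516"))   # False: locked
```

The lockout is the control that matters: a six-digit PIN space is only a million values, so anything that lets a caller keep guessing (or that resets the counter on a successful attempt without also rate-limiting) defeats the length rule. Re-enabling a locked box should be an administrative action tied to identity verification, which is what the unlock method stands in for here.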

 

Check telephone bills carefully to identify any misuse of the telephone system.

 

Inventory Management

 

An inventory of all computer equipment and software in use throughout eConnect shall be maintained.

 

Computer hardware and software audits shall be periodically carried out. Audits shall also be used to track:

 

Unauthorized copies of software

Unauthorized changes to hardware and software configurations

Accuracy of current inventory


 

Background Checks

 

Where required and/or permitted by applicable local law, eConnect will conduct a pre-employment background and/or criminal records check on all new hires. Employment at eConnect is contingent upon a satisfactory background and/or criminal records check, including where applicable:

Social Security number trace.

Education.

Work Experience.

Criminal Background Check.

Credit Check, if relevant to the position.

Reference Check.

Where required and/or permitted by applicable local law, eConnect may also conduct background and/or criminal records checks on its employees throughout the course of their employment. Generally, this will occur in circumstances involving transfer to a position of high-level security or responsibility.

Vendor/Partner Risk Management

 

Vendor and partner risk management policies and processes shall be defined to verify that vendors comply with eConnect's security and privacy policies.

 

Vendor and partner contracts shall include language requiring adherence to eConnect's security and privacy policy requirements or their equivalent.

 

Critical vendors shall be reviewed at least once per calendar year, to ensure continued alignment with eConnect security and privacy policies.

 

Print Management

 

When Confidential Data, including Personal Data, SCI, PII or Subscriber Data, is printed to centralized printers, secure print or an equivalent control shall be used, where a PIN is required at the printer before the document is released.
