
Upload: trananh

Post on 21-Dec-2016


Page 1: Deluxe Requirements for Information Security

Deluxe Requirements for Information Security

These requirements are intended to detail obligations of Third Party Service Providers (The TPSP) under applicable law and agreements in effect between The TPSP and Deluxe or affiliates. These requirements are not intended to be comprehensive statements of how The TPSP should implement or meet requirements, or comply with their contractual obligations to Deluxe and affiliates and/or with applicable law. Where local laws and regulations require controls that are more restrictive than, or in conflict with, those identified in these requirements, The TPSP shall comply with those control requirements.

A material breach of these requirements is a material breach of the agreement(s) under which a TPSP agrees to comply. These requirements do not limit the scope of an audit by Deluxe, since compliance with these requirements will not necessarily be sufficient to protect Deluxe information resources. Nothing in these requirements shall create rights for The TPSP or impose liability on Deluxe or its affiliates by contract, reliance or otherwise. Costs of compliance with these requirements and those defined in the agreement(s) shall be paid by The TPSP without additional charge to Deluxe or affiliates unless expressly stated in the applicable Statement of Work or pre-approved in writing.

1. ADMINISTRATIVE SECURITY STANDARDS

a. Due Diligence

The TPSP shall provide assurance that the appropriate level of Information Security is present and maintained including, but not limited to:

• Within 30 days of request and on an annual basis, completion of the Deluxe Risk Assessment, with submission of requested supporting artifacts.

• If appropriate, TPSP participation in Security Awareness Training activities.

• Ad hoc requests to fulfill due diligence if:

o Changes in laws or applicable regulations require compliance;

o TPSP incurs material changes as relevant to work, such as but not limited to significant network and/or system changes, acquisition, divestiture, etc.

o Agreed upon by Deluxe and TPSP in consideration of new Deluxe client agreements

Concerns identified by Deluxe in The TPSP’s responses shall be discussed and evaluated for relevance.

b. Deluxe Confidential Data Protection

The TPSP shall have appropriate disclosure risk categories that are assigned to systems, applications and/or locations where Deluxe Confidential data is accessed, stored or processed. Examples of Deluxe Confidential data include but are not limited to: Cardholder information, financial information, SSN, employee records, medical and health information.

Access to and distribution of Deluxe Confidential data shall be limited to those with an authorized need.

Non-production environments shall use obfuscated cardholder (PCI) and personally identifiable information (PII/NPI). Deluxe must approve in writing the use of any financial or personal information in non-production environments. Such approved instances shall be secured using controls commensurate with those of the production environment.

c. Human Resource Security

The TPSP shall have a recruitment process for staff who perform work for Deluxe, have access to Deluxe Confidential data and/or apply for remote access to Deluxe’s network. Such staff shall be subject to security background checks, including drug testing, where permitted by law.

The TPSP shall ensure all Services, Deliverables, and/or Documentation hereunder will be prepared, completed and performed by trained, experienced and qualified personnel.

The TPSP shall maintain appropriate staffing to support the control environment.

d. Third Party Compliance Program

The TPSP shall not release Deluxe’s information to subcontractors or other Third Parties without Deluxe’s written approval and/or implementation of mutually agreed upon due diligence requirements.

The TPSP’s subcontractors or other Third Parties shall adhere to Deluxe TPSP requirements, standards and guidelines as stated in this agreement or specified between Deluxe and TPSP.

The TPSP shall be responsible for assessing the security of their Third Party providers prior to release of Deluxe’s Confidential data or system connectivity to ensure compliance with requirements, standards, and guidelines as stated in this agreement. A TPSP shall have a process to periodically re-review subcontractors to validate information security is maintained.

The TPSP’s subcontractors may be subject to Deluxe’s review at Deluxe’s discretion.

2. INFRASTRUCTURE SERVICE STANDARDS

a. Operating Systems

The TPSP shall ensure that the operating systems and network devices are logically protected from unauthorized access and transactions. The TPSP shall ensure hosted solutions continue to meet or exceed requirements as specified in this Agreement.

System standard builds shall include appropriate security settings for authentication, authorization, and audit services used to control and record access to systems.

Global security settings or parameters shall be documented as appropriate to each operating system and network device in use. Operating systems should be maintained at a vendor-supported level. Operating systems not maintaining a vendor-supported level shall be evaluated for appropriate compensating controls and approved by Deluxe.

Operating systems shall be updated to the latest security release: critical and high security patches and service packs shall be updated within no more than thirty (30) days of release; other security patches and service packs shall be updated within no more than sixty (60) days of release. Operating systems not maintaining the latest security release shall be evaluated for appropriate compensating controls and approved by Deluxe.

Systems shall have their internal clocks set accurately and synchronized, directly or indirectly, to an official time source.

b. Security Acknowledgement Banner

The TPSP shall discourage inappropriate use of and unauthorized access to Deluxe Confidential data by providing a security banner on workstations and internal networking devices to warn against unauthorized and inappropriate access. It shall be displayed to users prior to system logon and remain on the screen until user action is taken to acknowledge the message. A similar security acknowledgement banner shall be displayed to users accessing publicly accessible interfaces that provide access to internal systems, including the remote-access VPN.

3. NETWORKING AND PERIMETER CONTROLS

a. General Network Security

The TPSP shall manage and control network security to adequately protect the environment from threats and unauthorized access; meet legal, regulatory, and contractual requirements; and maintain security for systems, connected services, and applications to include Deluxe Confidential data in transit. Controls shall include but not be limited to the following:

• Network and security infrastructure devices shall be configured with an approved and authorized baseline for required security controls, implementation and management oversight of services. Authentication, authorization, and audit services used to control and record access to network and security devices shall be deployed, such that a failure of a particular instance of the service does not cause an interruption to, or reduce the reliability of, authentication, authorization and audit functionality.

• Unused network interfaces and physical ports on network and security infrastructure devices shall be disabled. Simple services, such as FTP and Telnet, require Deluxe’s written approval on systems where Confidential data is accessed, processed or stored.

• Network and security infrastructure devices shall be configured to prevent unauthorized access (whether in- or out-of-band) to management, administrative, or monitoring functions.

• Network and security infrastructure devices shall have their internal clocks set accurately and synchronized, directly or indirectly, to an official time source.

• The TPSP shall have a process to prevent unauthorized infrastructure devices from being added to their network without formal approval.

• Networks and control requirements for access between networks shall be segregated to ensure appropriate authorized and controlled communications (e.g., create domain classifications).

• Security gateways will fail “closed,” such that no unauthorized traffic passes through the security gateway.

• A Quality Assurance process shall be defined to minimize the risk of errors or unauthorized functionality being configured into security gateways.

• The TPSP shall ensure hosted solutions continue to meet or exceed standards as specified in this agreement.

b. Firewall

The TPSP shall protect networks from unauthorized access by blocking intrusions and preventing malware while permitting legitimate communications.

Firewall controls shall include but not be limited to the following:

• Firewall strategies shall be multi-tiered, with well-defined functionality for logging, management, and enforcement in each respective layer.

• Firewalls shall be capable of stateful packet inspection of OSI layers 3 (Network) and 4 (Transport).

• A resilient firewall infrastructure solution shall be used to reduce or eliminate network and operational downtime due to a single point of failure.

Firewalls shall:

• Be protected from unnecessary access;

• Be set to “deny” access unless specifically allowed;

• Not provide for unnecessary functions or services.

• Firewall rule sets and configurations shall be re-certified on a regular basis.

• Firewall rule sets and strategy shall be documented to facilitate recertification and allow consistent enforcement of rules.

• Administration of firewall devices, policy, and configuration changes shall be limited to authorized users and based on necessary job responsibilities.

c. Router/Switch

The TPSP shall provide a secure infrastructure for management servers to minimize the threat of unauthorized access to network devices. Controls shall include but not be limited to the following:

• Access to routers/switches shall be controlled from both a network and a physical perspective (in secure facilities and communications rooms).

• Roles and responsibilities of users accessing network devices shall be clearly defined, and permissions specifically granted to individual user IDs and only to meet the assigned responsibilities.

• Users shall be centrally authenticated.

• A separate network management device shall be in place.

• Router management traffic shall pass through a firewall which has filtering and logging enabled.

• Configuration baselines and procedures shall be established and documented to verify and certify network devices before placement into production environments.

• Network device configuration files shall be regularly reviewed to ensure compliance with Security Standards.

d. Intrusion Prevention, Detection and Monitoring

The TPSP shall ensure that network and security infrastructure devices transmitting Deluxe Confidential data are monitored to verify compliance with approved baselines, and that Event monitoring is near real time in frequency and Events are responded to in a timely manner. Controls shall include but not be limited to the following:

• Network security monitoring devices shall monitor traffic within the security domain processing Deluxe Confidential data or critical systems as defined in this agreement, and shall be deployed in such a manner that a failure of a particular device does not cause an interruption to the monitoring functionality that the device provides.

• Intrusion Prevention, Detection, and Monitoring (IDS/IPS) devices shall be placed at entry and exit points of the security gateways for networks transmitting Deluxe Confidential data.

• Network devices shall have event-monitoring processes in place to respond to Events reported by the monitoring solutions.

• Compliance monitoring tools shall be actively running on or against the device or appliance to inspect the configuration of the operating system.

e. Vulnerability Assessment, Notification and Remediation

The TPSP shall obtain timely information about technical vulnerabilities of information systems being used to process Deluxe Confidential data, evaluate vulnerabilities, and take measures to address associated risk. Controls shall include but not be limited to the following:

• Devices attached to the network including network and security infrastructure devices and telecommunication connections shall be assessed.

• The frequency of assessment shall be based on The TPSP standard or a minimum of quarterly (120 days) for devices conducting Deluxe business or as explicitly defined in this agreement based on system criticality, information sensitivity, and regulatory requirements.

• Internal and external penetration testing shall be performed at a minimum annually or at times of material change to existing applications and/or the underlying infrastructure that would have an effect on applications processing Confidential data.

• The TPSP shall make available to Deluxe a summary of vulnerability and penetration test results for specific applications processing Deluxe Confidential data. For high and medium findings, The TPSP shall provide a remediation plan, timeline and monthly status. Remediation shall be within sixty (60) days unless agreed upon, and written approval is received from Deluxe.

f. Remote Access

The TPSP shall use appropriate authentication methods to control access by remote users. Controls shall include but not be limited to the following:

• Use of two-factor authentication for remote access for data classified as Confidential.

• Appropriate authorization and authentication for remote-access users and devices, using an approved two-factor authentication mechanism to reliably establish a user's identity and ensure accountability for actions performed under that identity.

• Use of encryption for remote access via a shared network.

g. File Transfer

The TPSP shall ensure that file transfer solutions are capable of terminating external connections and ensuring the integrity of the data. Controls shall include but not be limited to the following:

• Termination of communications for file transfer devices that send or receive Deluxe data directly with Third Parties before passing the file along to other internal devices.

• Confirmation of delivery at the final destination for file transfer solutions.

• File transfer solutions shall provide a mechanism for ensuring the integrity of the data being transferred.

• Encryption of electronic Deluxe Confidential data and command transfers.

• Deluxe Confidential data transported on paper media shall be by a reputable, nationally-recognized common carrier and sealed and tracked via certified mail or similar tracking process while in transit.

h. Audit Trails

The TPSP shall take appropriate protection measures to maintain a set of records that provides documentary evidence, with source, destination, date and time, of the sequence of activities that affected a specific operation, procedure or event. Controls shall include but not be limited to the following:

• Audit trails shall be preserved for at least ninety (90) days and archived and retrievable for a period of at least one (1) year.

• Auditing shall be enabled for network, system, and connection sessions.

• Audit trails (logging) shall be enabled on all systems processing Deluxe Confidential data while meeting the following standards:

o Reviewed in a periodic and timely manner;

o Exceptions investigated in accordance with defined standard or specified Service Level Agreement;

o Shall not be interrupted due to a single point of failure;

o Shall not be stored solely on the device that created the records;

o Shall be audited and protected from unauthorized access, modification, destruction and activation/deactivation.

• Devices or systems processing Deluxe Confidential data shall perform logging at an industry standard level including but not limited to the following:

o User ID associated with the audit record;

o User logons;

o User account creation and deletion;

o Policy and configuration changes;

o Administrator logons via privileged management applications (e.g. su, sudo, operations, admin);

o Source and destination ports and IP addresses;

o Date and time (including time zone);

o Session termination;

o Action—permitted or denied;

o Network protocol.

• The TPSP’s subcontractors must have the ability to access/review logs. Subcontractors shall be required to meet the requirements of this agreement and may be called upon to supply Deluxe supporting artifacts if processing Deluxe Confidential data.
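As an added illustration (not part of the Deluxe document), the following Python check validates constructed JSON audit records against the logging fields listed above: the standard names the data to be logged, not a format, so the field names (`user_id`, `src_ip`, `action`, and so on) and the event type vocabulary are this example's assumptions.

```python
"""Check audit records against the logging fields required in section 3.h."""
import ipaddress
import json
from datetime import datetime

# Field names are this example's assumption; the standard names the data, not a format.
REQUIRED_FIELDS = (
    "user_id", "timestamp", "event", "src_ip", "src_port",
    "dst_ip", "dst_port", "protocol", "action",
)
ALLOWED_ACTIONS = {"permitted", "denied"}
# Event types the standard lists explicitly (logons, account creation/deletion,
# policy and configuration changes, administrator logons, session termination).
KNOWN_EVENTS = {
    "logon", "account_create", "account_delete", "policy_change",
    "config_change", "admin_logon", "session_end",
}


def check_record(record: dict) -> list:
    """Return the deficiencies found in one record; an empty list means it complies."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS
                if record.get(f) in ("", None)]
    if problems:
        return problems  # value checks below assume the fields exist
    # Date and time must include the time zone: reject naive timestamps.
    try:
        if datetime.fromisoformat(record["timestamp"]).tzinfo is None:
            problems.append("timestamp lacks time zone")
    except (TypeError, ValueError):
        problems.append("timestamp is not ISO 8601")
    for key in ("src_ip", "dst_ip"):
        try:
            ipaddress.ip_address(record[key])
        except ValueError:
            problems.append(f"{key} is not a valid IP address")
    for key in ("src_port", "dst_port"):
        port = record[key]
        if not (isinstance(port, int) and 0 <= port <= 65535):
            problems.append(f"{key} is out of range")
    if record["action"] not in ALLOWED_ACTIONS:
        problems.append("action must be 'permitted' or 'denied'")
    if record["event"] not in KNOWN_EVENTS:
        problems.append(f"unrecognised event type {record['event']!r}")
    return problems


def check_log(lines) -> dict:
    """Map the 1-based line number of each non-compliant JSON record to its problems."""
    findings = {}
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[lineno] = ["not valid JSON"]
            continue
        if not isinstance(record, dict):
            findings[lineno] = ["record is not a JSON object"]
            continue
        problems = check_record(record)
        if problems:
            findings[lineno] = problems
    return findings


# Constructed sample log lines (not from any real system): a compliant SSH logon,
# an admin logon whose timestamp has no time zone, and a change with no user ID.
SAMPLE_LOG = [
    '{"timestamp": "2016-12-21T09:15:02-06:00", "user_id": "jdoe", "event": "logon", '
    '"src_ip": "10.20.30.40", "src_port": 51522, "dst_ip": "10.1.1.5", "dst_port": 22, '
    '"protocol": "tcp", "action": "permitted"}',
    '{"timestamp": "2016-12-21T09:16:40", "user_id": "jdoe", "event": "admin_logon", '
    '"src_ip": "10.20.30.40", "src_port": 51530, "dst_ip": "10.1.1.5", "dst_port": 22, '
    '"protocol": "tcp", "action": "permitted"}',
    '{"timestamp": "2016-12-21T09:17:11-06:00", "event": "config_change", '
    '"src_ip": "10.20.30.40", "src_port": 51531, "dst_ip": "10.1.1.5", "dst_port": 22, '
    '"protocol": "tcp", "action": "permitted"}',
]

if __name__ == "__main__":
    for lineno, problems in check_log(SAMPLE_LOG).items():
        print(f"record {lineno}: {'; '.join(problems)}")
```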

i. Backups

The TPSP shall take, regularly test, and secure backup copies of Deluxe data and software. Adequate backup facilities shall be provided to ensure that essential information and software can be recovered following a disaster or media failure. Controls shall include but not be limited to the following:

• Backups for individual systems shall be regularly tested to meet SLA requirements of Business Continuity in this agreement.

• Backup data shall be controlled with the same level of diligence as the original data.

• Backups of Deluxe Confidential data shall be encrypted using a mutually agreeable encryption standard.

4. SYSTEM SECURITY STANDARDS (if processing, transmitting or storing Deluxe Confidential data)

a. Mobile Computing

The TPSP shall adopt appropriate security measures to protect against the risks of using mobile computing and communication facilities.

Deluxe shall review, determine if additional controls are required, and approve the baseline configuration for mobile computing that will access or process Deluxe Confidential data. Standard configuration shall include but not be limited to:

o Inbound communications to devices restricted to the assigned public IP address of the application.

o Services with source address restrictions shall not run on a device that has services open to the Internet.

o External and network traffic originating from a given security domain (or tier) shall terminate in the next security domain (or tier) before being passed on.

o Where no authentication is required, an application shall ensure that user sessions are contained within a given security domain.

o Generic proxy usage that forwards traffic beyond the internal network shall not be used.

o Payload shall be scanned for malicious code prior to relaying the file into the network.

Guidance shall be arranged for personnel using mobile computing, to raise their awareness of the additional risks resulting from this way of working.

b. Web and Client/Service Application Development

The TPSP shall ensure that application development procedures maintain appropriate controls to prevent malicious code and unauthorized access including, but not limited to:

• Inspection of client-side data (data type, size, and composition), including URL parameters, cookies, and hidden fields, before passing it to command shells, interpreters, or external programs.

• Scripts shall ensure buffer overflow conditions cannot be exploited.

• Personal information (such as account number, National Identification or Social Security Number, and birth date) shall not be fully displayed on a screen.

• Penetration testing shall be performed annually for Internet-facing applications processing Deluxe Confidential data.

c. Database Security

The TPSP shall ensure administrative segregation of duties to prevent individuals from performing unauthorized functions or fraudulent activities including, but not limited to:

• Logical roles to perform key responsibilities for databases.

• Protection of network services to databases using authentication controls.

• Database products shall maintain transactional integrity of the database objects.

• Maintenance of logical separation between Deluxe data and other customers’ data, or as defined in the Statement of Work.

5. OPERATIONS SECURITY STANDARDS

a. User Registration

The TPSP shall have formal provisioning and de-provisioning procedures in place for granting and revoking access to information systems and services.

b. Privilege Management

The TPSP shall restrict and control allocation and use of privileges. Multi-user systems that require protection against unauthorized access shall have the allocation of privileges controlled through a formal authorization process. Controls shall include but not be limited to the following:

• Documentation of user access procedures that identify user roles and their privileges; how access is granted, changed and terminated; and, logging and monitoring requirements and mechanisms.

• Minimum of annual user access re-certification for systems processing Deluxe Confidential data.

• User access shall employ “least privilege” access rights for systems that process Deluxe Confidential data.

• Assignment of unique user IDs to each person with access to Deluxe Confidential data or environments.

• Administrator accounts shall be renamed (or disabled), and responsibilities assigned to individual IDs.

• User IDs shall be:

o Documented, such that incidents can be traced to a specific individual;

o Assigned to a single user and may not be reassigned;

o Disabled after ninety (90) days and purged after one-hundred-eighty (180) days of logon inactivity.

• A maximum logon period shall be established, which disconnects remote users upon expiration.

• Access provisioning processes shall require proper log off, employ appropriate segregation of duties, and be documented.

• User IDs supplied with externally procured software (such as Guest) shall be disabled or changed, documented, and controlled.

c. Authentication Controls

The TPSP’s users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be used to substantiate the claimed identity of a user. Controls shall include but not be limited to the following:

• Error messages shall not reveal authentication information, server names, or addressing information to a user.

• Logon credentials shall be validated only once all logon credentials have been entered.

• Logon attempts shall be limited to a maximum of five (5) prior to account lock.

• A single user ID shall not be permitted to log on to a system or application from more than one physical location at a time, where technically feasible, unless specifically authorized based on documented business need.

• Authentication credentials that are stored to facilitate a secure logon process shall be protected from unauthorized access and, where technically feasible, kept in an unreadable state.

• Users shall change their authentication credentials at least once every ninety (90) days.

• Changed authentication credentials shall not be the same as any authentication credentials used in the last year.

• Workstations and user accounts shall invoke validation of the user credentials when inactive for longer than fifteen (15) minutes.

• Formal authentication reset procedures shall be documented and implemented.

• The same controls and standards shall be followed regardless of environment or system processing Deluxe’s information or connecting to the Deluxe security domain.

d. Password Controls

The TPSP shall control secure allocation and reset of passwords through a formal management process. Controls shall include but not be limited to the following:

• Passwords shall incorporate the following characteristics:

o At least eight (8) character length for single-factor authentication systems, or at least four (4) characters for both factors in two-factor authentication systems;

o Alphanumeric and, where technically feasible, special characters;

o Not allow use of easily guessed words or be the same initial password assigned to multiple IDs;

o Not be a National Identifier or United States Social Security Number;

o Not be the user’s name, user ID, date of birth, telephone number, mother’s maiden name, or other easily guessed criteria.

• Password confirmation or resets shall force re-authentication upon the first logon.

• Application accounts whose passwords cannot expire shall have their purpose documented and an owner assigned.

• Passwords shall not be displayed on screen.
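An added example, not from the Deluxe document: a Python check that applies the password characteristics of section 5.d above together with the one-year reuse rule from section 5.c (Authentication Controls). The user attribute names, the small "easily guessed" wordlist and the salted PBKDF2 history store are this example's assumptions; the standard prescribes none of them.

```python
"""Apply the password characteristics of section 5.d and the one-year reuse
rule of section 5.c to a proposed password."""
import hashlib
import hmac
import re
from datetime import date, timedelta

MIN_LEN_SINGLE_FACTOR = 8           # section 5.d: at least eight characters
MIN_LEN_PER_FACTOR_2FA = 4          # section 5.d: at least four characters per factor
REUSE_WINDOW = timedelta(days=365)  # section 5.c: no reuse within the last year

# Constructed stand-in for an "easily guessed words" list; load a real wordlist in practice.
EASILY_GUESSED = {"password", "welcome", "letmein", "qwerty", "deluxe"}
SSN_PATTERN = re.compile(r"\d{3}-?\d{2}-?\d{4}")


def _normalise(value: str) -> str:
    """Lower-case and strip everything but letters and digits for comparisons."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 for the history store (the standard prescribes no algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _identity_tokens(user: dict):
    """Yield (attribute, normalised token) pairs a password must not contain."""
    for label in ("name", "user_id", "dob", "phone", "maiden_name"):
        value = user.get(label)
        if not value:
            continue
        tokens = {_normalise(value)} | {_normalise(t) for t in re.split(r"\W+", value)}
        for token in sorted(tokens):
            if len(token) >= 4:  # ignore fragments too short to be meaningful
                yield label, token


def check_password(password: str, user: dict, history: list, today: date,
                   two_factor: bool = False) -> list:
    """Return the rules the password violates (an empty list means it is acceptable).

    user:    identity attributes (name, user_id, dob, phone, maiden_name, national_id).
    history: (date_set, salt, pbkdf2_hash) tuples for the user's previous passwords.
    """
    problems = []
    minimum = MIN_LEN_PER_FACTOR_2FA if two_factor else MIN_LEN_SINGLE_FACTOR
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("not alphanumeric (needs letters and digits)")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    norm = _normalise(password)
    if norm in EASILY_GUESSED:
        problems.append("easily guessed word")
    if SSN_PATTERN.fullmatch(password):
        problems.append("looks like a Social Security Number")
    if user.get("national_id") and _normalise(user["national_id"]) == norm:
        problems.append("equals the user's national identifier")
    flagged = set()
    for label, token in _identity_tokens(user):
        if token in norm and label not in flagged:
            flagged.add(label)
            problems.append(f"contains the user's {label}")
    for date_set, salt, digest in history:
        if today - date_set <= REUSE_WINDOW and hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"reused credential set on {date_set.isoformat()}")
    return problems


# Constructed sample data (not a real person): two previous passwords, one set
# 200 days before TODAY and one 500 days before, so only the first is in scope.
TODAY = date(2016, 12, 21)
SAMPLE_USER = {"name": "Jane Doe", "user_id": "jdoe01", "dob": "1985-07-04",
               "phone": "555-0142", "maiden_name": "Smith", "national_id": "123-45-6789"}
SAMPLE_HISTORY = [
    (date(2016, 6, 4), b"constructed-salt-1", _hash("Winter2015!", b"constructed-salt-1")),
    (date(2015, 8, 9), b"constructed-salt-2", _hash("Summer2014!", b"constructed-salt-2")),
]

if __name__ == "__main__":
    for candidate in ("Winter2015!", "Summer2014!", "Jane2016!", "Tq7#vL9p!m"):
        print(candidate, check_password(candidate, SAMPLE_USER, SAMPLE_HISTORY, TODAY) or "ok")
```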

e. Separation of Duties for Security-Related Functions

The TPSP shall segregate duties and areas of responsibility in a manner that reduces opportunities for unauthorized or unintentional modification or misuse of Deluxe assets. Controls shall include but not be limited to the following:

• Enforcement of separation of duties among individuals who authorize, enable and certify access.

• Enforcement of separation of duties among:

o Users who request changes and those who create changes;

o Project Managers, Application Developers and User-Acceptance Testers who test changes;

o Production Processing Operations Managers and/or those who elevate changes into production;

o Additional as specified in the Statement of Work.

• Application Developers shall not have ongoing update access to production environments.

f. Change Management

The TPSP’s operational systems and application software shall be subject to Change Management control. Formal management responsibilities and procedures shall be designed to ensure satisfactory control of changes to equipment and/or software. Controls shall include but not be limited to the following:

• Change control process documentation shall include key deliverables, roles, responsibilities and audit trail documentation.

• Scheduled changes shall be tested prior to production.

• Changes shall be tracked and approved prior to implementation.

• Changes shall be validated to ensure only approved changes are promoted.

• A back-out plan shall be established for changes.

• Emergency changes shall be controlled through a separate emergency change process.

• When changes are made, an audit log containing relevant information shall be retained.

g. Information and Media Retention and Destruction

The TPSP’s controls for Deluxe’s data shall be defined in each applicable Statement of Work. Controls shall include but not be limited to the following:

• Return or certification of the destruction of Deluxe information when it is no longer required in provision of the vendor services as defined in each applicable Statement of Work.

• Control and securing of Deluxe Confidential data from the time it is created until it is destroyed, including off-site storage locations and physical transportation.

• Physical media containing Confidential data that is no longer required shall be placed in locked receptacles and shredded.

• Labeling Deluxe media with a generic name that does not allow a reader to infer that the media contains Deluxe information.

h. Physical and Environmental

The TPSP shall maintain physical controls to prevent unauthorized physical access that could allow damage, loss, or interference to premises accessing, processing or storing Deluxe information. Controls shall include but not be limited to the following:

• The TPSP shall have appropriate security controls as explicitly defined in the Statement of Work, or have standards for information sensitivity or system criticality approved by Deluxe, including:

o Secure physical separation between environments used to process Deluxe Confidential data and those used to perform processing for other customers;

o Physical security measures to ensure that only authorized personnel have access to the environment used to perform Deluxe processing or to resources that house, access or process Deluxe Confidential data;

o Access control devices on each entry point of a TPSP’s facility, with additional levels of segregation to sensitive areas;

o Logging of access control activities to the facility and to sensitive areas within the facility, retained for a minimum of sixty (60) days and regularly reviewed;

o Use of surveillance equipment, personnel and/or monitoring devices to detect and provide the ability to investigate unauthorized or unusual access. Key areas to include for surveillance are data centers, control centers, ingress and egress points to the data center and/or control center, and generator or uninterruptible power supply (UPS) storage rooms.

• Visitors shall be registered and shall sign in upon entry and sign out upon exit.

• Visitors shall be escorted at all times.

• Fire controls shall provide automatic alerts that go directly to the fire department and have either automatic or manual suppression equipment.

• Water-based fire protection systems with damage and/or leakage detection.

• A service contract to provide power conditioning and an alternate power source for critical processing components.

• Bonded service contract personnel, such as cleaning services and off-site storage services.

• Paper and computer media containing Deluxe Confidential data shall be stored in locked cabinets, rooms, and/or other forms of secured furniture or locations when not in use.

• Deluxe Confidential data shall be removed from printers and fax machines immediately.

i. Malicious Code Prevention


The TPSP shall maintain detection, prevention, and recovery controls to protect against malicious code, together with appropriate user awareness procedures. Controls shall include but not be limited to the following:

• The TPSP shall have established virus and security patch management processes that include the implementation of applicable industry-critical security patches within a prescribed time frame based on risk level for systems accessing, processing or storing Deluxe information.

• Multiple products shall be used to guard against malicious code, such that no single vendor is a single point of failure.

• A malicious code prevention program shall be established, defining roles and responsibilities as well as Events and responses, to fully protect assets from damaging effects.

• Emergency response procedures shall be established and incorporated into overall Security Incident Response procedures.

j. Email

The TPSP shall protect data involved in electronic messaging to prevent unauthorized access, misuse or corruption while in transit beyond The TPSP’s physical boundaries. Controls shall include but not be limited to the following:

• The use of electronic mail and instant messaging shall be configured to prevent unauthorized access to Deluxe’s information.

• The use of electronic mail shall be configured to ensure accountability for Deluxe’s business.

• Emails shall be retained for three (3) years when conducting Securities and Exchange Commission-regulated business.

• Email shall not transmit Deluxe Confidential data unencrypted.

k. Business Resumption

The TPSP shall have a formal program to counteract interruptions to Deluxe business activities, to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption. Controls shall include but not be limited to the following:

• The TPSP shall adhere to agreed-upon requirements related to Disaster Recovery and business resumption plans.

• Resiliency plans for services with a maximum allowable delay of seventy-two (72) hours or less shall be tested annually to ensure business requirements can be met during an Event that is disruptive to Deluxe-related services.

• Assurance of a maximum data loss tolerance of forty-eight (48) hours for Deluxe information.

l. Security Event Management and Incident Response

The TPSP shall establish an Event Management and Incident Response Program to respond appropriately to a suspected or detected information breach that may result in the loss of, or unauthorized access to, Deluxe Confidential data. Controls shall include but not be limited to the following:

• Security Incident Management shall:


o Include processes for:

Reporting security related incidents;

Management reporting;

Evidence recovery and preservation;

Third Party (including law enforcement) coordination and communication.

o Be documented and communicated;

o Have formally defined roles and responsibilities;

o Establish priority levels of incident types;

o Ensure minimum exposure to legal liability by preserving evidence associated with an incident;

o Define a communication plan to ensure participation in incident resolution and management awareness.

• Event monitoring controls shall be implemented on configurable systems and devices (applications, databases, servers, networking gear and security devices) that transmit, house or process Deluxe Confidential data, or that are critical systems used to deliver work.

• Applications and databases shall provide logging for security Events that can only be detected within the application or database.

• Security Event log thresholds shall be defined to facilitate effective log reviewing processes.

• Security Events shall be documented and the following shall be included in the log:

o Event type;

o Time stamp;

o Address information associated with the originating device (such as terminal ID, port number, network address and/or device name);

o System or information resource accessed in the Event;

o Result of Event;

o Reason for failure, relative to information protection requirements, as applicable to security Event types resulting in failure;

o Old and new values associated with profile information, as applicable.

• The TPSP shall have documented procedures for incident containment and recovery.

• Automatic Alerts shall notify network managers of high-risk or otherwise security-related Events.
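The two preceding requirements, the required contents of each security Event log entry and the defined log thresholds that drive review and automatic alerting, are easier to operate when the checks are mechanical. The following is an added example, not Deluxe's or any TPSP's own code: it validates constructed JSON-lines security Event records against the field list above (field names, the ISO 8601 timestamp format, the event type names and the failure threshold of three are all assumptions for the example) and raises an alert when a high-risk Event appears or when one originating device crosses the failure threshold.

```python
"""Added example: check security Event records for the required fields and
apply a review threshold. All field names, event types, sample records and the
threshold value are constructed assumptions, not Deluxe's own schema."""
import json
from collections import Counter
from datetime import datetime

# Fields every logged security Event must carry (assumed names).
REQUIRED_FIELDS = ("event_type", "timestamp", "source", "resource", "result")
# Address information for the originating device: at least one must be present.
SOURCE_KEYS = ("terminal_id", "port", "network_address", "device_name")
# Event types that change profile information and so need old/new values.
PROFILE_EVENTS = {"profile_change"}
# Event types that always warrant an alert (assumption for the example).
HIGH_RISK_EVENTS = {"privilege_escalation", "profile_change"}
# Review threshold (assumption): failures from one device before alerting.
FAILURE_THRESHOLD = 3


def validate_event(record: dict) -> list[str]:
    """Return a list of problems; an empty list means the record is complete."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in record]
    ts = record.get("timestamp")
    if ts is not None:
        try:
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp not ISO 8601")
    source = record.get("source")
    if isinstance(source, dict):
        if not any(k in source for k in SOURCE_KEYS):
            problems.append("source lacks device address information")
    elif "source" in record:
        problems.append("source must be an object")
    # A failed Event must state why it failed.
    if record.get("result") == "failure" and not record.get("failure_reason"):
        problems.append("failed Event lacks failure_reason")
    # Profile changes must record the old and new values.
    if record.get("event_type") in PROFILE_EVENTS:
        if "old_value" not in record or "new_value" not in record:
            problems.append("profile change lacks old/new values")
    return problems


def review_log(lines):
    """Parse JSON-lines records, validate each one, and apply the thresholds.

    Returns (invalid, alerts): invalid maps 1-based line numbers to problems;
    alerts is the list of alert strings in the order they were raised."""
    invalid, alerts, failures = {}, [], Counter()
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            invalid[n] = ["not valid JSON"]
            continue
        problems = validate_event(rec)
        if problems:
            invalid[n] = problems
            continue
        src = rec["source"]
        key = (src.get("network_address") or src.get("device_name")
               or src.get("terminal_id") or str(src.get("port")))
        if rec["event_type"] in HIGH_RISK_EVENTS:
            alerts.append(f"line {n}: high-risk Event {rec['event_type']} from {key}")
        if rec["result"] == "failure":
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                alerts.append(f"line {n}: {FAILURE_THRESHOLD} failures from {key}")
    return invalid, alerts


# Constructed sample log (JSON lines); not real Deluxe or TPSP data.
SAMPLE_LOG = [
    '{"event_type":"login","timestamp":"2013-12-31T08:00:00Z","source":{"network_address":"10.0.0.5","device_name":"ws-17"},"resource":"app-portal","result":"failure","failure_reason":"bad password"}',
    '{"event_type":"login","timestamp":"2013-12-31T08:00:05Z","source":{"network_address":"10.0.0.5","device_name":"ws-17"},"resource":"app-portal","result":"failure","failure_reason":"bad password"}',
    '{"event_type":"login","timestamp":"2013-12-31T08:00:07Z","source":{"network_address":"10.0.0.9"},"resource":"app-portal"}',
    '{"event_type":"login","timestamp":"2013-12-31T08:00:10Z","source":{"network_address":"10.0.0.5","device_name":"ws-17"},"resource":"app-portal","result":"failure","failure_reason":"bad password"}',
    '{"event_type":"profile_change","timestamp":"2013-12-31T08:01:00Z","source":{"terminal_id":"T42"},"resource":"user/jdoe","result":"success","old_value":"role=user","new_value":"role=admin"}',
    'this line is not JSON',
]

if __name__ == "__main__":
    bad, found = review_log(SAMPLE_LOG)
    for n, why in bad.items():
        print(f"line {n} rejected: {', '.join(why)}")
    for a in found:
        print("ALERT", a)
```

Records that fail validation are set aside rather than silently counted, so an incomplete entry (line 3, which lacks a result) shows up as a logging defect to fix rather than disappearing into the failure tally; the threshold alert fires exactly once, when the third failure from the same device is seen.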

Document Revision History

| Version Number | Date | Revised By | Section(s) | Summary of Change or Action |
|---|---|---|---|---|
| 2 | 03/30/2012 | Michelle Vitali, Sharon Rowe | All | Create |
| Same | 12/31/13 | Michelle Vitali | Revision History | Added section to track changes |