Page 11 - Information_Security_Program
RETAIL AND OFFSITE SECURITY [DP221]
Scope: Retail and offsite locations
Distribution: All retail and offsite employees; GESM Leadership team, Directors and Managers
Purpose: To limit access to physical and electronic information and systems to authorized employees.
External Regulation or Standard: 45 CFR 164.310(a)(2)(ii); 45 CFR 164.310(a)(2)(iii) - Facility Access Controls; PCI DSS 4.3.1.2, 4.3.1.3 - Network Access Points
| Who is Responsible | Statement Number | Policy, Standard, or Procedure Statement |
|---|---|---|
| Director of Asset Protection and off-site Directors and Managers | DP221.1 | The Director of Assets Protection and off-site Directors and Managers are responsible for the physical security of the organization's Retail and offsite locations. |
| Director of Asset Protection, and off-site Directors and Managers | DP221.2 | Entrances to rooms or facilities where privacy-restricted data is stored or processed must be locked or monitored and accessed by authorized personnel only. If facilities or rooms themselves cannot be locked individually when unattended, all unencrypted privacy-restricted data will be stored in a cabinet in a secured area or moved to another secure area when unattended. |
| Director of IT and Chief Financial Officer | DP221.3 | Point-of-sale systems must not retain credit-card information. |
| Employees with access to Privacy-Restricted Data | DP221.4 | Paper documents containing privacy-restricted information must be locked away when unattended and shredded when no longer needed. |
| Employees with access to Privacy-Restricted Data | DP221.5 | Computers containing privacy-restricted information must be maintained in a secure GESM location or encrypted using a GESM approved method. |
| Employees with access to Privacy-Restricted Data | DP221.6 | Rooms containing file cabinets with PFIU must be in a secure location. |
9 | Page
GES CONFIDENTIAL