Page 22 - Information_Security_Program

APPLICATION AND WEBSITE SECURITY [DP260]

        Scope: Enterprise
        Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; IT Staff, All Directors,
        Managers and Supervisors
        Purpose: To restrict access to the organization’s applications and websites to authorized entities and to maintain stable systems.
        External Regulation or Standard: PCI DSS 2.1, 3.2, 3.3, 4.1, 5.1, 6.1; 45 CFR 164.312(a)(2)(iii) ‐ Access Control

         Who is Responsible | Statement Number | Policy, Standard, or Procedure Statement
         Exec Team | DP260.1 | Chief Officers will assign an individual to each managed information system (i.e., Raiser’s Edge, GoodTrak and others) to ensure that the managed system meets policy requirements.
         IT Staff | DP260.2 | All line‐of‐business software installed in the organization's network will comply with the organization's technical and security standards.
         Director of Information Technology, Privacy and Data Security and IT Staff | DP260.3 | The organization will review security requirements prior to new system implementations.
         IT Staff | DP260.4 | The organization will maintain a defined, documented, and systematic change‐management process for organization information systems.
         IT Staff with report to Director of Information Technology, Privacy and Data Security | DP260.5 | The organization requires system changes to be tested before implemented.
         IT Staff with report to Chief Financial Officer | DP260.6 | The organization requires system changes to be accompanied by back‐out procedures that could restore the system to the previous state.
         IT Staff | DP260.7 | Install an application‐layer firewall in front of web‐facing applications.
         Executive Leadership Team | DP260.8 | The organization will maintain data‐retention policies that include eliminating data that is no longer needed for business or regulatory purposes.
         Chief Financial Officer with IT Staff | DP260.9 | The organization will not store the card verification code, card validation code, or PINs from credit cards.
         IT Staff |  | Even though we don’t have access to credit card data, if we did, we would mask the payment card Primary Account Number so that the first six and last four digits are the maximum number of digits to be displayed except for those with a legitimate business need to see the full Primary Account Number.
         Chief Financial Officer with IT Staff | DP260.10 | The organization will restrict access to encryption keys to the fewest number of people possible, and store keys in the fewest number of locations.
        GES CONFIDENTIAL