
SnowBe Online Security Plan

Version: 5.0

Date: 1/27/2023

Table of Contents

Introduction ......................................................................................................................... 3
Scope ................................................................................................................................... 3
Definitions ........................................................................................................................... 3
Roles & Responsibilities ................................................................................................... 5
Statement of Policies, Standards, and Procedures ...................................................... 8
Policies ...........................................................................................................................................8

Standards & Procedures..............................................................................................................9

Exceptions/Exemptions .................................................................................................... 9
Version History ..................................................................................................................10

Introduction

SnowBe Online is a publicly traded, multi-million-dollar company that sells lifestyle brands for
people who love the beach and the snow. It has multiple storefronts in the U.S. and Europe, which
accept checks, cash, and credit cards. Credit card transactions are processed on bank-provided
credit card terminals in each store. This document establishes SnowBe Online's information
security plan and sets out the goals for managing, conducting, and overseeing information
security activities. Policies, procedures, standards, guidelines, and controls will be established
as necessary to support and sustain the plan. Policies govern how information security is used,
managed, and applied. The principles of least privilege and need-to-know guide the procedures,
standards, and access controls.

Scope

This plan guides employees in recognizing and reporting suspicious or unusual activity that
could indicate sabotage or compromise. It applies to all SnowBe Online personnel, contractors,
and vendors. It sets the direction, gives broad guidance, and defines the requirements for
cybersecurity-related processes, programs, and actions across SnowBe Online. It should be read
in conjunction with the administrative policies governing internal compliance.

Definitions

Amazon Web Services (AWS) – A provider of on-demand cloud computing platforms and APIs to
individuals, companies, and governments on a metered, pay-as-you-go basis. These web services
deliver distributed computing capacity and software tools from AWS data centers.

Cardholder - The individual to whom a payment card is issued, or who is otherwise authorized to
use it.

Cardholder Data (CHD) - Elements of payment card information that must be protected,
including primary account number (PAN), cardholder name, expiration date, and the service
code.

Cardholder Name - The name of the individual to whom the card is issued.

Confidential – Intended to be kept secret.

Dictionary Attack - An attempt to gain unauthorized access to a system by trying, as the
password, each word in a wordlist (dictionary) together with common variations such as
capitalization, appended digits, and character substitutions.

Disposal - CHD must be disposed of in a manner that renders the data unrecoverable. This applies
to paper documents and to all electronic media, including computers, hard drives, magnetic
tapes, and USB storage devices, in accordance with the Record Retention and Disposition Policy.
PCI DSS-approved methods are cross-cut shredding, incineration, or pulping for hard-copy
materials, and secure wiping or physical destruction for electronic media; an approved shredding
and disposal service may be used for either.

Expiration Date - The date on which a card expires and is no longer valid. The expiration date
is embossed, encoded, or printed on the card.

HIPAA – A federal law that requires the creation of national standards to protect sensitive
patient health information from being disclosed.

Information System – An individual or collection of computing and networking equipment and
software used to perform a discrete business function. Examples include the desktop computers
used to perform general duties in a department.

Merchant - A department or unit (including a group of departments or a subset of a department)
approved to accept payment cards and assigned a merchant identification number.

Mobile Device Management (MDM) – Software and processes used to enroll, configure, monitor,
and secure the mobile devices that access SnowBe Online resources, governing both their usage
and their security.

Payment Card Industry Data Security Standard (PCI DSS) - The security requirements defined by
the PCI Security Standards Council, founded by the major card brands (Visa, MasterCard,
Discover, American Express, and JCB), for any entity that stores, processes, or transmits
cardholder data.

Personal Information - Information that identifies an individual, such as name, street address,
email address, phone numbers, and financial information such as credit card or bank account data.

Primary Account Number (PAN) - The account number, up to 19 digits long (commonly 16),
embossed or printed on a payment card and encoded in its magnetic stripe and chip. The PAN
identifies the card issuer and the account, and its last digit is a Luhn check digit that detects
mistyped or transposed digits; the check digit is an integrity check, not an authentication
device.
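The Luhn check digit described above, together with the truncation PCI DSS permits when a PAN is displayed and a scan for PANs that have leaked into log lines, as an added example. This code is not part of the original plan and is not SnowBe Online's own tooling; the sample log lines, the key, and the function names are constructed for the illustration, and the card numbers are the public test numbers, not real accounts.

```python
import hashlib
import hmac
import re

# Constructed sample log lines for this example. The card numbers are the
# well-known public test numbers, not real accounts.
SAMPLE_LOG = """\
2023-01-27T10:14:02Z order=1001 pan=4111111111111111 status=approved
2023-01-27T10:15:11Z order=1002 pan=4111111111111112 status=declined
2023-01-27T10:16:40Z order=1003 ref=1234567890123 status=approved
2023-01-27T10:17:05Z order=1004 card=378282246310005 status=approved
"""

# Assumed key for keyed hashing of PANs; in production it lives in a key store.
REFERENCE_KEY = b"example-key-not-for-production"

# A PAN candidate is a run of 13 to 19 digits not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def _luhn_sum(digits: list[int]) -> int:
    """Luhn weighted sum: from the right, double every second digit and
    subtract 9 when the doubled value exceeds 9."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the digit string is PAN-length and its Luhn sum is a multiple
    of ten. This catches single-digit and adjacent-transposition errors; it
    says nothing about whether the account exists, so it is not authentication."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    return _luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit that makes payload + digit Luhn-valid."""
    digits = [int(c) for c in payload if c.isdigit()] + [0]
    return str((10 - _luhn_sum(digits) % 10) % 10)


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits, the most PCI DSS
    allows to be displayed; everything else is replaced with '*'."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes = REFERENCE_KEY) -> str:
    """Keyed hash (HMAC-SHA-256) usable as a stored lookup reference in place
    of the PAN. The key must be managed separately from the stored values."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list[tuple[int, str]]:
    """Scan text line by line for digit runs that pass the Luhn check and
    return (line_number, masked_pan) pairs so the finding does not re-expose
    the PAN. Luhn-invalid runs (order numbers, references) are skipped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(m.group()):
                hits.append((lineno, mask_pan(m.group())))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found, shown truncated as {masked}")
```

Lines 2 and 3 of the sample contain digit runs that fail the Luhn check (a mistyped card number and an order reference), so the scan reports only the two real test PANs; a scanner without the Luhn filter would flood the review with false positives.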

Self-Assessment Questionnaire (SAQ) - Validation tools to assist merchants and service
providers in reporting the results of their PCI DSS self-assessment.

Sensitive Authentication Data - Additional payment card data elements that must be protected
and must never be stored after authorization, even if encrypted. These include full magnetic
stripe (i.e., track) data, the CAV2, CVC2, CID, or CVV2 value, and the PIN or PIN block.

CAV2, CVC2, CID, or CVV2 data - The three- or four-digit value printed on or to the right
of the signature panel or on the face of a payment card is used to verify card-not-present
transactions.

Magnetic Stripe (i.e., track) data - Data encoded in the magnetic stripe or comparable
data on a chip used for authorization during a card-present transaction. Entities may not
retain complete magnetic-stripe data after transaction authorization.

PIN or PIN block - Personal identification number entered by the cardholder during a
card-present transaction or encrypted PIN block present within the transaction message.

Service Code - A three-digit value encoded in the magnetic stripe (and its chip equivalent) that
defines where the card may be used (e.g., domestically or internationally) and for what types of
transactions (e.g., whether a PIN is required).

Software Development Life Cycle (SDLC) Policy - Ensures that software is designed, built, and
tested as securely as possible and that all development work complies with regulatory
requirements and business needs.

Strong Password – A password that is difficult to guess in a short period, whether by a person
or by specialized software, and that meets the requirements of the Password Standard (PS-01).

Virtual Private Network (VPN) - A secure connection between a device and a network over the
Internet. The encrypted connection aids the secure transmission of sensitive data. It makes it
harder for unauthorized parties to eavesdrop on the traffic and enables remote work for the
user.

Weak Password – Passwords that unauthorized users easily guess.
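The Dictionary Attack, Strong Password, and Weak Password definitions describe two sides of one technique, shown here as an added example that is not part of the original plan or of SnowBe Online's systems: a small dictionary attack against stored password hashes, and the matching check that rejects any password the attack would recover. The wordlist, mangling rules, minimum length (assumed to be 12; the actual PS-01 value is not reproduced in this plan), and target passwords are all constructed for the illustration.

```python
import hashlib
from typing import Iterator

# Constructed wordlist standing in for a dictionary headword list (assumption).
WORDLIST = ["password", "summer", "winter", "snowbe", "beach", "welcome"]
# Mangling rules attackers commonly apply to each headword.
SUFFIXES = ["", "1", "12", "123", "!", "2022", "2023", "2023!"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
MIN_LENGTH = 12  # assumed minimum length; the real PS-01 value is not in this plan


def candidates(word: str) -> Iterator[str]:
    """Yield every guess the attack derives from one headword: three
    capitalizations, each with and without leetspeak, each with every suffix."""
    for base in (word.lower(), word.capitalize(), word.upper()):
        for variant in (base, base.translate(LEET)):
            for suffix in SUFFIXES:
                yield variant + suffix


def sha256_hex(password: str) -> str:
    # Plain SHA-256 stands in for the stored hash so the demo is fast. A real
    # system uses a salted, slow KDF (bcrypt, scrypt, Argon2), which makes each
    # guess cost more but does not rescue a password that is in the dictionary.
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hashes: set[str], wordlist=WORDLIST) -> dict[str, str]:
    """Return {hash: recovered_password} for every target a dictionary guess matches."""
    cracked: dict[str, str] = {}
    for word in wordlist:
        for guess in candidates(word):
            digest = sha256_hex(guess)
            if digest in target_hashes and digest not in cracked:
                cracked[digest] = guess
    return cracked


def password_is_weak(password: str, wordlist=WORDLIST) -> bool:
    """Reject exactly what the attack above would find: a password that is
    too short or that is derivable from a headword by the same mangling rules."""
    if len(password) < MIN_LENGTH:
        return True
    return any(password == guess for word in wordlist for guess in candidates(word))


if __name__ == "__main__":
    # Constructed targets: two dictionary-derived passwords and one that is not.
    stored = {sha256_hex(p) for p in ("Summer2023!", "P@$$w0rd123", "tide-lantern-quartz-47")}
    for digest, password in dictionary_attack(stored).items():
        print(f"{digest[:12]}... -> {password}")
```

The check in password_is_weak reuses the attacker's own candidate generator, so the policy rejects "Welcome2023!" even though it is twelve characters with mixed case, a digit, and a symbol; length and character-class rules alone do not stop a dictionary attack.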

Third-Party Payment Card Processors – External service providers that process payment card
transactions on SnowBe Online's behalf; they must confirm and maintain their own PCI DSS
compliance.

Roles & Responsibilities

All Members of the SnowBe Community – All are responsible for safeguarding cardholder
data. They must review and comply with SnowBe Online policies, such as SnowBe IT Password
and Protection of SnowBe Data, and must report possible incidents and data breaches to their
supervisor or the SnowBe Information Security Officer.

Business or System Owners - Responsible for aligning their systems and processes with this
procedure and any related standards.

Chief Information Officer (CIO) - A senior executive responsible for information technology and
system functions across all locations. Responsibilities include overall coordination and
operational oversight of compliance. Plans and directs information security risk assessments
for SnowBe Online. Provides management oversight for information security planning,
implementation, budgeting, staffing, program development, and reporting. Approves changes to
software or methodologies.

Chief Information Security Officer (CISO) - Assists in interpreting and applying SnowBe Online
information security policies. Reports information security incidents to SnowBe Online
management. Manages the information security policy exception process and approves and
documents exceptions. Advises the IT team on cyber risk. Supports the security tools,
technologies, and methods in use at SnowBe Online, including, but not limited to, encryption,
authentication, network security controls, digital certificates, key escrow, event logging, and
disposal of media. Approves the Exception Request Form. Responsible for the proper
implementation of the Secure Address Resolution Service Policy (SC-20). Approves and
documents all Request for Change forms. Accountable for password standard exceptions and for
the procedures used for testing purposes.

Customer/Potential Customer - Anyone who visits and provides information on our website.

Department and Unit Heads – They review and comply with SnowBe Online policies, such as
Credit/Debit Card Merchant Requirements and Safeguarding Cash and Cash Equivalents. They
maintain departmental Standard Operating Procedures (SOPs) for PCI compliance and verify that
their teams understand the procedures and their responsibilities. They complete the required
annual PCI self-assessment (SAQ), satisfy the yearly PCI training provided through Financial
Management, and ensure that the appropriate staff complete that training as well.

Financial Management – They keep current with PCI DSS requirements and change processes
as appropriate. They maintain the inventory of all payment devices (e.g., cellular terminals),
merchant IDs, and terminal IDs, along with activation status. They also evaluate PCI compliance
as part of scheduled cash handling reviews; this is a responsibility shared with Policies,
Compliance, and Internal Controls.

Guest - Customers who pay online or use a store credit card. Guests share the essential
responsibilities for protecting SnowBe Online resources, such as following minimum information
security standards, and this applies to any device they connect to the SnowBe Online network.

IT Manager – They manage information technology and computer systems. Plans, organizes,
controls, and evaluates IT and electronic data operations. Manages IT staff by recruiting,
training, and coaching employees, communicating job expectations, and appraising their
performances.

Payment Card Handlers and Processors – They follow the established cash receipts
procedures for the appropriate funding source. They review and comply with SnowBe Online
policies, such as Credit/Debit Card Merchant Requirements and Safeguarding Cash and Cash
Equivalents. They follow the Payment Card Processing Options and use PCI-Compliant Devices
for all card transactions. They complete the Payment Card Authorization Form when applicable.
They also meet the annual PCI training through Financial Management.

PCI Compliance Committee – They monitor SnowBe Online’s compliance with PCI DSS
requirements. They act as a steering committee for PCI DSS and support PCI DSS compliance
efforts.

Policies, Compliance, and Internal Controls – They maintain an inventory of all SnowBe
Online departments that process payment card transactions using approved merchant
accounts. They provide and monitor annual training that meets the PCI DSS requirements. They
also coordinate the completion of the yearly self-assessment documents (SAQs). They are
responsible for collecting departmental PCI procedures as part of the annual SAQs and
evaluating compliance with PCI as part of scheduled cash handling reviews; this is a shared
responsibility with Financial Management.

Security Assurance - Responsible for implementing and executing this procedure.

Security Assurance Management (Code Owners) - Responsible for approving significant
changes and exceptions to this procedure.

SnowBe IT – They maintain security standards required by PCI DSS. They consult on technical
PCI DSS issues and assist with mandatory annual training sessions. They also keep current
with PCI DSS regulations and make appropriate changes to systems and processes.

Staff Members - Responsible for adhering to the requirements of this policy.

User - Any staff member and guest who uses or accesses SnowBe Online electronic
information resources, including connecting to the VPN or wi-fi, is considered a “User” of these
resources. All Users have specific essential responsibilities for the protection of these
resources:

• Ensuring all devices connected to the SnowBe Online network comply with SnowBe Online
security requirements.
• Engaging in the appropriate use of SnowBe Online electronic information resources under
SnowBe Online policies and the law.
• Becoming knowledgeable about and following relevant security requirements and
guidelines.
• Protecting the resources under their control, such as passwords, computers, and data
they create, receive, or download from our website.
• Promptly reporting security-related incidents and violations, and responding to official
reports of security incidents involving their systems or accounts.

Statement of Policies, Standards, and Procedures

Policies

AC-02 Account Management Policy – This policy applies to information systems at the
application and operating system layers, including networks and network services.

AC-16 Security and Privacy Policy – This policy applies to how we collect, use, and safeguard
the information provided to us and to assist in making informed decisions when using our
service.

AC-19 Mobile Device Policy - This policy applies to all SnowBe Online staff who use personal
devices for business purposes or business-issued mobile computing devices. It also establishes
the procedures and protocols for using mobile devices and their connection to the network.

CM-01 Change Management Control Policy - This policy governs the introduction of changes
into production by ensuring that the correct procedures are followed, in order to minimize harm
and maximize the success of changes to an information system or process.

SC-20 Secure Address Resolution Service Policy – This policy establishes rules for
preserving the integrity, availability, and authenticity of the name and address resolution (DNS)
data that directs users to SnowBe Online's website.

SP-01 Remote Access Policy - Today's computing environments often require out-of-office
access to information resources. Remote access refers to connecting to internal resources from
an external location (home, hotel, district, or other public area). This policy defines the
requirements for doing so securely.

SP-02 Cloud Services Policy - This policy ensures that SnowBe Online data is not
inappropriately stored or shared using public cloud computing and file-sharing services.

SP-03 PCI Compliance Policy - This policy guides the importance of protecting payment card
data and customer information.

SP-04 System Development Life Cycle - This policy applies to SnowBe Online information
technology programs and projects. It integrates security into the process, so that security
requirements are collected alongside functional requirements and a risk analysis is performed
during the design phase.

SP-05 Software Development Life Cycle - This policy defines the development and
implementation requirements for SnowBe Online products.

SP-06 Security Maturity Policy - This policy describes how SnowBe Online monitors and
assesses the maturity of its security capability and risk culture.

Standards & Procedures

PS-01 Password Standard - Assigning unique user logins and requiring password protection is
one of several primary safeguards to restrict access to the SnowBe Online network and the data
stored within it to only authorized users.

SOP-01 Creating Account - This standard operating procedure explains how to create a user
account on our website, SnowBeOnline.com. It applies to all staff who create new user accounts
on the website.

SOP-02 Password Procedure - This procedure communicates the standard for strong
passwords, the protection of those passwords, and the frequency with which they must be
changed.

Exceptions/Exemptions

Exemptions must be approved by the CISO and by the manager of the department for which the
exemption is requested.

Approved exemptions are valid for one year.

IT will send a copy of all approved exemptions to the Department manager.

Version History

Version | Change Date | Document Owner | Approved By | Description
1.0 | 8/31/22 | Mireya Lugo | Mireya Lugo | Added policies SP-01 and SP-02
1.1 | 9/1/22 | Mireya Lugo | Mireya Lugo | Added policy SP-03
1.2 | 9/3/22 | Mireya Lugo | Mireya Lugo | Proofreading
1.3 | 9/8/22 | Mireya Lugo | Mireya Lugo | Made corrections as professor suggested
2.0 | 9/12/22 | Mireya Lugo | Mireya Lugo | Added 2 new policies: AC-02 and AC-19
3.0 | 9/18/22 | Mireya Lugo | Mireya Lugo | Added 3 new policies and 1 procedure: AC-16, CM-01, SC-20, and SOP-01
3.1 | 9/19/22 | Mireya Lugo | Mireya Lugo | Made corrections as professor suggested
3.2 | 9/21/22 | Mireya Lugo | Mireya Lugo | Made corrections as professor suggested
4.0 | 9/22/22 | Mireya Lugo | Mireya Lugo | Added Password Standard PS-01 and Password Procedure SOP-02
4.1 | 9/23/22 | Mireya Lugo | Mireya Lugo | Minor corrections
5.0 | 1/27/23 | Mireya Lugo | Mireya Lugo | Added new policies SP-04, SP-05, and SP-06
