Professional Documents
Culture Documents
Version: 5.0
Date: 1/27/2023
Table of Contents
Introduction
Scope
Definitions
Roles & Responsibilities
Statement of Policies, Standards, and Procedures
  Policies
  Standards & Procedures
Exceptions/Exemptions
Version History
Introduction
SnowBe Online is a multi-million-dollar public company that sells lifestyle brands for people who love
the beach and the snow. It operates multiple storefronts in the U.S. and Europe, which accept
checks, cash, and credit cards. Credit card transactions are processed on bank-provided card
terminals in each store. This document establishes SnowBe Online's information security plan and
sets out the goals for managing, conducting, and overseeing information security activities.
Policies, procedures, standards, guidelines, and controls will be established as necessary to
support and sustain the plan. Policies govern the use, management, and application of information
security; procedures, standards, and access controls are guided by the principles of least
privilege and need-to-know.
Scope
This plan guides employees in recognizing and reporting suspicious or unusual activities that
could indicate sabotage or compromise. This Policy applies to all SnowBe Online personnel,
contractors, and vendors. It sets the direction, gives broad guidance, and defines the requirements
for cybersecurity-related processes, programs, and actions across SnowBe Online. This Policy
should be read in conjunction with administrative policies regarding internal compliance.
Definitions
Amazon Web Services (AWS) – A provider of on-demand cloud computing platforms and APIs to
individuals, companies, and governments on a metered, pay-as-you-go basis. These web services
supply distributed computing capacity and software tools from AWS data centers.
Cardholder - Individual who owns and benefits from using a membership card, particularly a
payment card.
Cardholder Data (CHD) - Elements of payment card information that must be protected,
including primary account number (PAN), cardholder name, expiration date, and the service
code.
Cardholder Name - The name of the individual to whom the card is issued.
Dictionary Attack - An attempt to gain unauthorized access to a system by guessing a password
from a precompiled list of likely candidates (dictionary words, common passwords, and simple
variations of them) rather than by trying every possible combination.
Disposal - CHD must be disposed of in a manner that renders all data unrecoverable, in accordance
with the Record Retention and Disposition Policy. This includes paper documents and any electronic
media, including computers, hard drives, magnetic tapes, and USB storage devices. Approved
PCI DSS disposal methods include cross-cut shredding, incineration, or pulping of paper; secure
wiping or physical destruction of electronic media; and the use of an approved shredding and
disposal service.
Expiration Date - The date on which a card expires and is no longer valid. The expiration date
is embossed, encoded, or printed on the card.
HIPAA – A federal law that requires the creation of national standards to protect sensitive
patient health information from being disclosed.
Mobile Device Management (MDM) – Software and processes for administering and securing mobile
devices, mainly in terms of their usage and security configuration.
Payment Card Industry Data Security Standard (PCI DSS) - The security requirements defined by
the PCI Security Standards Council, which was founded by the major card brands, including Visa,
MasterCard, Discover, American Express, and JCB.
Personal Information - May include an individual's name, street address, email address, phone
numbers, and financial information such as credit card or bank account data.
CAV2, CVC2, CID, or CVV2 data - The three- or four-digit value printed on or to the right
of the signature panel, or on the face, of a payment card, used to verify card-not-present
transactions. It must never be stored after authorization.
Magnetic Stripe (i.e., track) data - Data encoded in the magnetic stripe or comparable
data on a chip used for authorization during a card-present transaction. Entities may not
retain complete magnetic-stripe data after transaction authorization.
PIN or PIN block - Personal identification number entered by the cardholder during a
card-present transaction or encrypted PIN block present within the transaction message.
Service Code - A three-digit value in the magnetic stripe (or chip equivalent) that specifies
acceptance requirements and limitations, such as where the card may be used and which services
are permitted.
Software Development Life Cycle (SDLC) Policy - Defines how SnowBe Online ensures that
software is built and tested as securely as possible and that all development work complies with
regulatory guidelines and business needs.
Strong Password – A password that is difficult to guess in a short period, whether by a human or
by specialized software, and that follows the recommendations of the Password Standard (PS-01).
Virtual Private Network (VPN) - An encrypted connection between a device and a network over the
Internet. It protects sensitive data in transit, makes it harder for unauthorized parties to
eavesdrop on the traffic, and enables remote work for the user.
Roles & Responsibilities
All Members of the SnowBe Community – All are responsible for safeguarding cardholder
data. They must review and comply with SnowBe Online policies, such as the SnowBe IT Password
policy and Protection of SnowBe Data. They must also report possible incidents and data
breaches to their supervisor or the SnowBe Information Security Officer.
Business or System Owners - Responsible for aligning their systems with this plan and any related standards.
Chief Information Officer (CIO) - A senior executive responsible for information technology and
system functions across all locations. Responsibilities include overall coordination and
operational oversight of compliance. Plans and directs information security risk assessments
for SnowBe Online. Provides management oversight for information security planning,
implementation, budgeting, staffing, program development, and reporting. Approves changes to
software or methodologies.
Chief Information Security Officer (CISO) - Assists in interpreting and applying SnowBe Online
information security policies. Reports information security incidents to SnowBe Online
management. Manages the information security policy exception process and approves and documents
exceptions. Advises the IT team on cyber risk. Supports the security tools, technologies, and
methods used by SnowBe Online, including, but not limited to, encryption, authentication, network
security controls, digital certificates, key escrow, event logging, and disposal of media.
Responsible for approving the Exception Request Form, for the proper implementation of the Secure
Address Resolution Service Policy, and for approving and documenting all Request for Change
forms. Accountable for password standard exceptions and for the procedures used for testing
purposes.
Customer/Potential Customer - Anyone who visits and provides information on our website.
Department and Unit Heads – They review and comply with SnowBe Online policies, such as
Credit/Debit Card Merchant Requirements and Safeguarding Cash and Cash Equivalents. They
maintain departmental Standard Operating Procedures (SOPs) for PCI compliance and verify
that their teams understand the procedures and responsibilities. They complete the required
annual PCI Self-Assessment Questionnaire (SAQ), complete the yearly PCI training offered through
Financial Management, and ensure that the appropriate staff complete that training as well.
Financial Management – They keep current with PCI DSS requirements and change processes
as appropriate. They maintain the inventory of all payment devices (e.g., terminals and cellular
devices), merchant IDs, and terminal IDs, along with activation status. They also evaluate PCI
compliance as part of scheduled cash handling reviews; this is a shared responsibility with
Policies, Compliance, and Internal Controls.
Guest - Customers who pay online or use a store credit card. All customers have basic
responsibilities for protecting these resources, such as following minimum information security
standards on any device they connect to the SnowBe Online network.
IT Manager – Manages information technology and computer systems. Plans, organizes,
controls, and evaluates IT and electronic data operations. Manages IT staff by recruiting,
training, and coaching employees, communicating job expectations, and appraising their
performance.
Payment Card Handlers and Processors – They follow the established cash receipts
procedures for the appropriate funding source. They review and comply with SnowBe Online
policies, such as Credit/Debit Card Merchant Requirements and Safeguarding Cash and Cash
Equivalents. They follow the Payment Card Processing Options and use PCI-Compliant Devices
for all card transactions. They complete the Payment Card Authorization Form when applicable.
They also meet the annual PCI training through Financial Management.
PCI Compliance Committee – They monitor SnowBe Online’s compliance with PCI DSS
requirements. They act as a steering committee for PCI DSS and support PCI DSS compliance
efforts.
Policies, Compliance, and Internal Controls – They maintain an inventory of all SnowBe
Online departments that process payment card transactions using approved merchant
accounts. They provide and monitor annual training that meets the PCI DSS requirements. They
also coordinate the completion of the yearly self-assessment documents (SAQs). They are
responsible for collecting departmental PCI procedures as part of the annual SAQs and
evaluating compliance with PCI as part of scheduled cash handling reviews; this is a shared
responsibility with Financial Management.
Security Assurance - Responsible for implementing and executing this procedure.
SnowBe IT – They maintain security standards required by PCI DSS. They consult on technical
PCI DSS issues and assist with mandatory annual training sessions. They also keep current
with PCI DSS regulations and make appropriate changes to systems and processes.
User - Any staff member or guest who uses or accesses SnowBe Online electronic
information resources, including by connecting to the VPN or wi-fi, is considered a “User” of these
resources. All Users have specific essential responsibilities for the protection of these
resources:
• Ensuring all devices they connect to the SnowBe Online network comply with applicable
security requirements.
• Engaging in the appropriate use of SnowBe Online electronic information resources under
SnowBe Online policies and the law.
• Becoming knowledgeable about and following relevant security requirements and guidelines.
• Protecting the resources under their control, such as passwords, computers, and data
they create, receive, or download from our website.
• Promptly reporting security-related incidents and violations and responding to official
reports of security incidents involving their systems or accounts.
Statement of Policies, Standards, and Procedures
Policies
AC-02 Account Management Policy – This policy applies to information systems at the
application and operating system layers, including networks and network services.
AC-16 Security and Privacy Policy – This policy applies to how we collect, use, and safeguard
the information provided to us and to assist in making informed decisions when using our
service.
AC-19 Mobile Device Policy - This policy applies to all SnowBe Online staff who use personal
devices for business purposes or business-issued mobile computing devices. It also establishes
the procedures and protocols for using mobile devices and their connection to the network.
CM-01 Change Management Control Policy - This policy governs the introduction of changes into
production by ensuring that the correct procedures are followed, in order to minimize harm and
maximize the success of changes to an information system or process.
SC-20 Secure Address Resolution Service Policy – This policy establishes rules for securing the
name and address resolution (DNS) services that direct users to SnowBe Online’s website, preserving
the website’s integrity, availability, and authenticity.
SP-01 Remote Access Policy - Today’s computing environments often require out-of-office
access to information resources. Remote access refers to connecting to internal resources from
an external location (home, hotel, district office, or other public areas). This policy governs
such connections.
SP-02 Cloud Services Policy - This policy ensures that SnowBe Online data is not
inappropriately stored or shared using public cloud computing and file-sharing services.
SP-03 PCI Compliance Policy - This policy establishes the requirements for protecting payment
card data and customer information.
SP-04 System Development Life Cycle - This policy applies to SnowBe Online information
technology programs and projects. It integrates security into the development process so that
security requirements are collected alongside functional requirements and risk analysis is
performed during the design phase.
SP-05 Software Development Life Cycle - This policy defines the development and
implementation requirements for SnowBe Online products.
SP-06 Security Maturity Policy - This policy describes how SnowBe Online monitors and
assesses the maturity of its security capability and risk culture.
Standards & Procedures
PS-01 Password Standard - Assigning unique user logins and requiring password protection is
one of several primary safeguards to restrict access to the SnowBe Online network and the data
stored within it to only authorized users.
SOP-01 Creating Account - This standard operating procedure explains how to create a user
account on our website, SnowBeOnline.com, and applies to all staff who create new user accounts
there.
SOP-02 Password Procedure - This procedure communicates the standard for strong passwords,
the protection of those passwords, and the frequency with which they must be changed.
Exceptions/Exemptions
Exceptions and exemptions must be approved by the CISO and by the manager of the department for
which the exception is requested.
Version History