KDS-Neo-Information System Security Policy-V2.0
1.2 SCOPE (p. 6)
2 DEFINITIONS (p. 7)
3.1.3 Responsibilities (p. 8)
3.3.3 Classification (p. 12)
The content of this document is composed of requirements and is, therefore, mandatory.
1.2 SCOPE
This document applies to the software development of the Neo ecosystem by KDS and to the infrastructure
that hosts it in production.
In particular, it applies to KDS Neo Information Security Management System (ISMS) and Payment Card
Industry Data Security Standard (PCI DSS) scopes, as they are defined in KDS Neo Security Management
Policy.
This security policy does not apply to the use of software products by KDS customers.
1.3 REVIEW
This Information System Security Policy must be reviewed at least once a year and updated when necessary.
Dispensations may be authorized on the basis of a business or technical constraint. In some cases,
compensating controls may be needed.
SOFTWARE APPLICATIVE COMPONENTS: Applicative services sold by KDS, such as Wave, Neo, Traces,
AdminSuite, Reporting...
Objective: Identify the necessary information security requirements that must be applied.
Rule-01: Information system security policies for specific topics must be documented when necessary.
Rule-02: The following items must be documented:
• The description of the internal and external context that is relevant for KDS ISMS;
• The scope of the ISMS;
• The charter for PCI DSS compliance;
• High-level security responsibilities.
They are included in KDS Neo Security Management Policy.
Rule-03: Documented information system security policies, including this document and lower level
policies, must be reviewed at least once a year.
Objective: Ensure that internal security implementation is controlled and up-to-date regarding state of the
art.
Rule-04: Security must be taken into account in all projects, whether they are developments or changes to the
production hosting environment.
Rule-05: Contacts with special interest groups must be maintained, such as:
• Vendors;
• Security groups.
3.1.3 Responsibilities
Objective: Ensure that information security responsibilities are assigned and well known.
Rule-06: Information system security roles and responsibilities must be defined and assigned, in particular
regarding:
• the ISMS implementation and maintenance of the ISO 27001 certification;
• the PCI DSS compliance program;
• reporting to the top management regarding the information security management system;
• information security risks ownership.
Rule-07: Contacts with the relevant authorities must be identified and maintained. These include at least:
• KDS PCI DSS Qualified Security Assessor (QSA);
• KDS ISO 27001 certification body;
• Credit card brands to register KDS PCI DSS compliance and to notify them in case of an incident;
Rule-08: An information security risk assessment must be initiated and then reviewed at least once a year.
This must cover both the ISMS scope and the PCI DSS scope, in either one or several documents.
Rule-09: The risk assessment must contribute to the definition of a security action plan.
Objective: Make people aware of KDS security needs and of their responsibilities.
Rule-18: Personnel must receive, at least annually and upon hire, a security awareness training about:
• KDS certifications;
• implications of any nonconformity to the security and security management requirements;
• information security objectives, and particularly the confidentiality of cardholder data;
• information security policies and procedures;
• when applicable, their contribution to the ISMS effectiveness.
Rule-19: After the awareness training, personnel must acknowledge that they have read and understood
this information security policy.
Rule-20: Personnel must be required by their management to apply security policies and procedures.
Rule-21: A disciplinary process must be in place and must be communicated to the employees.
3.2.2 Hiring
Objective: Ensure that people are and remain trustworthy with regard to KDS.
Rule-22: Contracts agreed with personnel (whether they are employees, interns, temporary workers,
freelance workers) must contain a confidentiality clause that remains applicable after the end of the
contract.
Rule-23: Background checks must be performed prior to employment. In particular, background of
personnel whose positions are expected to impact cardholder data must be checked to ensure that no
criminal activity related to fraud or hacking has been recorded.
Rule-24: To be effective, the level of background checking should be appropriate for the particular
position. For example, positions requiring greater responsibility or that have administrative access to critical
data or systems may warrant more detailed background checks than positions with less responsibility and
access. This process must cover internal transfers, where personnel in lower risk positions, and who have not
already undergone a detailed background check, are promoted or transferred to positions of greater
responsibility or access.
Rule-25: Background checks must be performed in accordance with local laws, and may include:
• Searching for the person's name and surname on the Internet;
• Asking for an extract of criminal records (Extract Bulletin n°3 in France);
• Inquiry with previous employers.
Rule-26: As French law forbids it, extracts of criminal records must not be kept by KDS.
3.2.3 Training
Objective: Ensure that employees have the sufficient competence to fulfil their roles.
Rule-28: The necessary competence required to fulfil security roles must be determined.
Rule-29: Competence must be assessed, and appropriate training must be given if needed. Proof of
competence (such as diplomas and certificates) must be documented.
3.3.3 Classification
Rule-38: KDS Classification Policy describes the information classification levels for information owned by
or in the custody of KDS. This classification policy also details KDS requirements to protect information
depending on its classification level.
Rule-39: Documents managed in the Neo scope must be labelled and information must be protected
according to KDS Classification Policy.
Type of use: KDS software use for their own purposes
Examples: Standard KDS users (cardholders), Supervisors, Arrangers, Accountants
Type of use: Basic accesses with no impact on cardholder data
Examples: Users of Traces, Backoffice
Type of use: Without administrative accesses (KDS software functional administrators)
Examples: Administrators of AdminSuite, SMP-Admin
Type of use: With administrative accesses (Production technical administrators)
Examples: Hosting members, Database administrators
3.5 CRYPTOGRAPHY
Objective: Ensure appropriate and effective use of cryptography.
Rule-87: All cryptographic controls as well as key management must comply with KDS Cryptography Policy.
3.6.2 Badges
3.6.2.2 Datacentres
Rule-107: The following types of access are distinguished:
• Permanent accesses;
• Temporary accesses;
• Visitors.
Rule-108: Visitors must be identified as such and must be easily distinguishable from datacentre personnel.
Rule-109: Visitors must always be accompanied.
KDS – Neo – Information System Security Policy - Restricted - 16/29
Rule-110: All badges must be surrendered when not needed anymore.
Rule-111: A visitor log must be used to identify who accesses the datacentre and the private suites. This
log must be kept for at least 3 months.
Rule-112: The Hosting manager is the owner of KDS private suites physical security. As such, he formally
approves all accesses to the private suites. This approval may be delegated. Records of approval and of
delegation of approval must be kept for at least one year.
Rule-113: Any forgotten or lost badge must be reported to the Hosting manager as soon as possible, and in
no more than one working day, so that its accesses are deactivated.
Rule-114: A review of authorized physical accesses must be performed every quarter.
3.7 NETWORK
Objective: Protect information when it is transmitted over networks.
Rule-122: A diagram must identify connections between the cardholder data environment and other
networks.
Rule-123: A diagram must show cardholder data flows across components and networks.
Rule-124: The production network must at least contain a demilitarized zone (DMZ) and an internal zone
(INZ).
Rule-125: Firewall rules must be reviewed at least every six months.
Rule-126: Network configuration standards must be applied on all network components.
3.8.4 Teleworking
Rule-146: Only KDS-provided equipment must be used to access the production environment.
3.9.3 Events
Rule-156: The following events must be logged:
Event: All individual accesses to cardholder data
Description: Access (R/O or R/W) to cardholder data.
Examples:
Log entry detail: Identity or name of affected data, system component, or resource.
Description: Could be a combination of: local server name (as the log will be centralized), software, tables,
files, database….
Rule-188: New service providers’ security must be evaluated and validated before engagement.
Rule-189: KDS security requirements regarding confidentiality, integrity and availability must be
documented and agreed with service providers that could impact security.
• In particular, contracts with KDS service providers who store, process or transmit cardholder data
or could impact the security of cardholder data, must contain the acknowledgement that those
service providers are responsible for the security of cardholder data.
Rule-190: KDS security requirements regarding confidentiality, integrity and availability must be
documented and agreed along the service and product supply chain.
Rule-191: If service providers can impact cardholder data security, the requirement that they be PCI DSS
compliant must be documented in the contracts.
Rule-192: An inventory of service providers must be maintained. This inventory must indicate whether the
service provider could impact the security of cardholder data.
Rule-193: A document must indicate which PCI DSS requirements are managed by each service provider,
and which are managed by KDS.
Rule-194: PCI DSS compliance status must be monitored at least every year for service providers who store,
process or transmit cardholder data, or who could impact the security of cardholder data.
3.13.1 Redundancy
Rule-228: All critical network equipment must be redundant.
3.13.2 Backup
3.14 COMPLIANCE
Rule-244: KDS must maintain its compliance with PCI DSS.
Rule-245: KDS must maintain its compliance with ISO 27001 on the ISMS scope.
Rule-246: Licences must be obtained and maintained for proprietary software products.
Rule-247: KDS must be compliant with the General Data Protection Regulation (GDPR).