Information Security Policy


Building a payment gateway is a daunting task. Not only does it have to be developed properly, it also has to be secured properly. In an industry where 44 million customer records alone were stolen in 2012 (authorize.net), security is a major concern. This paper will touch on the pitfalls of building a payment gateway and the security concerns that go with it. The Payment Card Council put together a set of standards known as PCI-DSS, or Payment Card Industry Data Security Standards. These standards are very strict. Century Business Solutions, a payment card processor, is looking to increase their revenue and footprint by expanding their business into this area. In this paper I will recommend and guide them through the web of requirements of PCI 3.0 …

It is not an option. However, it does no good if the Security Policy is not enforced or updated on a regular basis. The SANS Institute describes having a Security Policy in the following manner:
“A security policy serves many functions. It is a central document that describes in detail acceptable network activity and penalties for misuse. A security policy also provides a forum for identifying and clarifying security goals and objectives to the organization as a whole. A good security policy shows each employee how he or she is responsible for helping to maintain a secure environment.” (SANS Institute)(4)
There are many ways to put together an Information Security Policy, but based on what PCI requires and on the guidance of experts in the field, including the SANS Institute and OWASP, I have assembled the Policy as listed …

6. Network Vulnerability Scanning and Penetration Testing – PCI requires quarterly scanning. In order to meet this strict guideline, a policy must be in place that covers what must be done to ready the company for the QSA. This includes who is able to conduct vulnerability testing and what testing methods or tools are being used. It also covers recommendations for any detected weaknesses.
7. Physical Security – PCI requires that this be addressed in the ISP. How is the physical security handled? Employee badges are required along with locked server rooms. Procedures for on-boarding and off-boarding employees will be covered under this section.
8. Email Policy – This will cover unacceptable uses such as use of personal web-based email systems in the workplace, defamation, and running a personal business through the email system. E-mail filters will be in place, and known virus file types will be blocked in email traffic.
9. Network and Server Security Policy – This policy will discuss physical access, server passwords, and access control. It will also cover the required roles and responsibilities for updates and patches as set forth by PCI. Also, as required by PCI, a network diagram will remain on
