
Santa Barbara City College – PCI Information Security Policy

Santa Barbara City College

Information Security Policy for PCI DSS Compliance


About this Document

This document contains the Santa Barbara City College information security policies. Detailed standards and processes that support this policy are described in associated standards and procedures documentation. This document is for internal use only and is not to be distributed.

Table 1 - Revision History

Version   Date            Author   Description of Change
3.2.1     February 2022   MRS      Document Created
3.3       March 2023      JAC      Annual Review
4.0       March 2024      MRS      Updated for PCI v4.0

Contents

About this Document
Table 1 - Revision History
Contents
Introduction
Purpose / Scope
Security Policy Ownership and Responsibilities
Install and Maintain Network Security Controls
    1.1  Processes and mechanisms for installing and maintaining network security controls are defined and understood.
    1.2  Network security controls (NSCs) are configured and maintained.
    1.3  Network access to and from the cardholder data environment is restricted.
    1.4  Network connections between trusted and untrusted networks are controlled.
2  Secure Configurations are applied to all system components.
    2.2  System components are configured and managed securely.
    2.3  Wireless environments are configured and managed securely.
Protect Stored Cardholder Data
    3.1  Processes and mechanisms for protecting stored account data are defined and understood.
    3.2  Storage of account data is kept to a minimum.
    3.3  Sensitive authentication data (SAD) is not stored after authorization.
    3.4  Access to displays of full PAN and ability to copy PAN is restricted.
6  Development and Maintenance of Secure Systems and Software
    6.3  Security Vulnerabilities are Identified and Addressed.
    6.4  Protection of Public-Facing Web Applications Against Attacks
Implement Strong Access Control Measures
7  Restrict Access to System Components and Cardholder Data by Business Need to Know
    7.2  Define and Assign Access to System Components and Data
8  Identify and Authenticate Access to System Components
    8.1  Processes and Mechanisms for Identifying Users and Authenticating Access to System Components are Defined and Understood
    8.2  User Identification and Related Accounts for Users and Administrators are Strictly Managed throughout an Account’s Lifecycle
    8.3  Authentication for Users and Administrators
    8.4  Multi-Factor Authentication (MFA) Implementation
9  Restrict Physical Access to Cardholder Data
    9.1  Processes and Mechanisms for Restricting Physical Access to Cardholder Data are Defined and Understood
    9.2  Physical Access Controls
    9.4  Securely Store, Access, Distribute, and Destroy Media with Cardholder Data
    9.5  Protect Point-of-Interaction (POI) Devices from Tampering and Unauthorized Substitution
11  Regularly Test Security Systems and Processes
    11.3  Vulnerability Assessment Scans
    11.4  Penetration Testing
    11.6  Change Detection on Payment Pages
Maintain an Information Security Policy
12  Support Information Security with Organizational Policies and Programs
    12.1  Establish, Publish, Distribute, and Maintain the Information Security Policy
    12.6  Security Awareness Program
    12.7  Personnel Screening
    12.8  Policies for Working with Third Party Service Providers (TPSPs)
    12.10  Incident Response Plan Policies
Appendix A – Management Roles and Responsibilities
    Assignment of Management Roles and Responsibilities for Security
    Table A1 - Management Security Responsibilities
Appendix B – Agreement to Comply with Information Security Policies


Introduction

To safeguard Santa Barbara City College’s information technology resources and to protect the confidentiality of data, adequate security measures must be taken. This Information Security Policy reflects Santa Barbara City College’s commitment to comply with required standards governing the security of sensitive and confidential information.

Santa Barbara City College can minimize inappropriate exposure of confidential or sensitive information, loss of data, and inappropriate use of computer networks and systems by complying with reasonable standards (such as the Payment Card Industry Data Security Standard), attending to the proper design and control of information systems, and applying sanctions when violations of this security policy occur.

Security is the responsibility of everyone who uses Santa Barbara City College’s information technology resources. It is the responsibility of employees, contractors, business partners, and agents of Santa Barbara City College. Each should become familiar with this policy's provisions and the importance of adhering to it when using Santa Barbara City College’s computers, networks, data, and other information resources.

Purpose / Scope

The primary purpose of this security policy is to establish rules to ensure the protection of confidential or sensitive information and to ensure protection of Santa Barbara City College’s information technology resources. The policy assigns responsibility and provides guidelines to protect Santa Barbara City College’s systems and data against misuse or loss.

This security policy applies to all users of computer systems, centrally managed computer systems, or computers that are authorized to connect to Santa Barbara City College’s data network. It may apply to users of information services operated or administered by Santa Barbara City College (depending on access to sensitive data, etc.). Individuals working for institutions affiliated with Santa Barbara City College are subject to these same definitions and rules when they are using Santa Barbara City College’s information technology resources.

This security policy applies to all aspects of information technology resource security including, but not limited to, accidental or unauthorized destruction, disclosure or modification of hardware, software, networks or data.

This security policy has been written to specifically address the security of Credit Card Data processed by Santa Barbara City College.

Credit card data stored, processed, or transmitted with Santa Barbara City College’s Merchant ID must be protected, and security controls must conform to the Payment Card Industry Data Security Standard (PCI DSS).

Cardholder data within this document is defined as the Primary Account Number (PAN), Cardholder Name, Service Code, or Expiration date. Sensitive Authentication Data within this document is defined as the Card Validation Code (CVC, CVV2, CID, CAV2 and CVC2), Credit Card PIN, and any form of magnetic stripe data from the card (Track 1, Track 2). Account Data within this document is defined by any combination of Cardholder Data and Sensitive Authentication Data.

Security Policy Ownership and Responsibilities

The Director of IT Infrastructure and Security is the assigned custodian of this Security Policy. It is the responsibility of the custodian of this security policy to publish and disseminate these policies to all relevant Santa Barbara City College system users (including vendors, contractors, and business partners). In addition, the custodian(s) must see that the security policy addresses and complies with all standards Santa Barbara City College is required to follow (such as the PCI DSS). This policy document will also be reviewed at least annually by the custodian(s) (and any relevant data owners) and updated as needed to reflect changes to business objectives or the risk environment.

Questions or comments about this policy should be directed to the custodian(s) listed above.

Install and Maintain Network Security Controls

1.1  Processes and mechanisms for installing and maintaining network security controls are defined and understood.

Santa Barbara City College ensures documented processes and mechanisms for installing and maintaining network security controls are defined and understood, as follows:

•  All security policies and operational procedures that are identified in this section shall be documented, kept up to date, in use, and known to all affected parties. (PCI DSS Requirement 1.1.1)

•  Roles and responsibilities for performing activities in this section shall be documented, assigned, and understood. (PCI DSS Requirement 1.1.2)

1.2  Network security controls (NSCs) are configured and maintained.

To properly perform their security function, Santa Barbara City College's NSCs are configured and operated as follows:

•  An accurate network diagram(s) shall be maintained that shows all connections between the cardholder data environment and other networks, including any wireless networks. (PCI DSS Requirement 1.2.3)

•  All services, protocols, and ports allowed must be identified, approved, and have a defined business need. (PCI DSS Requirement 1.2.5)

•  All insecure services, protocols, and ports in use must be identified and documented, and security features should be defined to mitigate the risk for each. (PCI DSS Requirement 1.2.6a)

•  NSCs must be configured to implement the defined security features for each identified insecure service, protocol, and port. (PCI DSS Requirement 1.2.6b)

1.3  Network access to and from the cardholder data environment is restricted.

To prevent malicious individuals from accessing Santa Barbara City College’s network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner, Santa Barbara City College restricts network access to and from the cardholder data environment as follows:

•  Inbound traffic to the cardholder data environment must be restricted to only traffic that is necessary, and all other traffic should be specifically denied. (PCI DSS Requirement 1.3.1)

•  Outbound traffic from the CDE must be restricted to only traffic that is necessary, and all other traffic should be specifically denied. (PCI DSS Requirement 1.3.2)

•  NSCs must be installed between all wireless networks and the CDE (regardless of whether the wireless network is a CDE). All wireless traffic from wireless networks into the CDE should be denied by default, and only wireless traffic with an authorized business purpose should be allowed into the CDE. (PCI DSS Requirement 1.3.3)

1.4  Network connections between trusted and untrusted networks are controlled.

To monitor and control access and minimize the chances of a malicious individual obtaining access to Santa Barbara City College's internal network via an unprotected connection, NSCs are implemented and configured as follows:

•  Anti-spoofing measures must be implemented to detect and block forged source IP addresses from entering Santa Barbara City College's trusted network. (PCI DSS Requirement 1.4.3)


2  Secure Configurations are applied to all system components.

2.2  System components are configured and managed securely.

To ensure system components are configured consistently and securely and to reduce the opportunities available to an attacker, Santa Barbara City College securely configures and manages system components as follows:

•  Configuration standards shall be developed, implemented, and maintained to:

    o  Cover all system components.

    o  Address all known security vulnerabilities.

    o  Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.

    o  Be updated as new vulnerability issues are identified, as defined in PCI DSS Requirement 6.3.1.

    o  Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (PCI DSS Requirement 2.2.1)

•  When a vendor default account(s) is used, the default password should be changed per PCI DSS Requirement 8.3.6.

•  If a vendor default account(s) is not used, the account should be removed or disabled. (PCI DSS Requirement 2.2.2)

•  All non-console administrative access should be encrypted using strong cryptography. (PCI DSS Requirement 2.2.7)

2.3  Wireless environments are configured and managed securely.

To prevent unauthorized access to wireless networks, Santa Barbara City College constructs and manages all wireless networks as follows:

•  For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults should be changed at installation or confirmed to be secure. These include, but are not limited to, default wireless encryption keys, passwords on wireless access points, SNMP defaults, and any other security-related wireless vendor defaults. (PCI DSS Requirement 2.3.1)

•  For wireless environments connected to the CDE or transmitting account data, wireless encryption keys should be changed whenever personnel with knowledge of the key leave Santa Barbara City College's organization or the role for which the knowledge was necessary, and whenever a key is suspected of or known to be compromised. (PCI DSS Requirement 2.3.2)

Protect Stored Cardholder Data

3.1  Processes and mechanisms for protecting stored account data are defined and understood.

No electronic storage of cardholder data by Santa Barbara City College merchants is permitted.

3.2  Storage of account data is kept to a minimum.

To ensure that sensitive data is securely destroyed or deleted as soon as it is no longer needed, Santa Barbara City College maintains a formal data retention policy that identifies what data needs to be retained, for how long, and where that data resides, as follows:

•  Account data storage shall be kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:

    o  Coverage for all locations of stored account data.

    o  Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization.

    o  Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.

    o  Specific retention requirements for stored account data that define the length of the retention period and include a documented business justification.

    o  Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.

    o  A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. (PCI DSS Requirement 3.2.1)

3.3  Sensitive authentication data (SAD) is not stored after authorization.

Santa Barbara City College protects against the unauthorized disclosure of SAD by enforcing the following restrictions:

•  SAD shall not be retained after authorization, even if encrypted. All sensitive authentication data received must be rendered unrecoverable upon completion of the authorization process. (PCI DSS Requirement 3.3.1)

•  The full contents of any track shall not be retained upon completion of the authorization process. (PCI DSS Requirement 3.3.1.1)

•  The card verification code shall not be retained upon completion of the authorization process. (PCI DSS Requirement 3.3.1.2)

•  The personal identification number (PIN) and the PIN block shall not be retained upon completion of the authorization process. (PCI DSS Requirement 3.3.1.3)

3.4  Access to displays of full PAN and ability to copy PAN is restricted.

To prevent the PAN from being obtained by unauthorized individuals, Santa Barbara City College ensures that the full PAN is displayed only to those with a legitimate business need, as follows:

•  PAN should be masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN. (PCI DSS Requirement 3.4.1)
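The masking rule in 3.4.1, and the check behind 3.1 that no PAN has crept into electronic storage, as an added example that is not part of the college's policy or tooling: a small Python redactor that finds Luhn-valid card numbers in free text (constructed log lines here) and reduces each to BIN plus last four. The BIN length is assumed to be 6, since the policy does not state it; the parameter accepts 8 as well.

```python
import re

# Requirement 3.4.1: at most the BIN and the last four digits may be shown.
# The policy does not state the BIN length in use; 6 is assumed here and
# 8-digit BINs are supported through the bin_length parameter.
# Candidate: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_length: int = 6) -> str:
    """Mask a PAN so only the BIN and the last four digits remain visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < bin_length + 4:
        raise ValueError("PAN too short to mask safely")
    hidden = len(digits) - bin_length - 4
    return digits[:bin_length] + "*" * hidden + digits[-4:]


def redact_text(text: str, bin_length: int = 6) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in free text with its masked form.

    Returns the redacted text and the number of PANs found. Digit runs that
    fail the Luhn check (order numbers, ticket ids) are left untouched, which
    keeps false positives low when scanning logs or exports.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        count += 1
        return mask_pan(digits, bin_length)

    return PAN_CANDIDATE.sub(_sub, text), count


# Constructed sample log lines; the card numbers are well-known test numbers.
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=202403011002 card=4111 1111 1111 1111 amount=42.00
2024-03-01 10:05:47 order=202403011005 card=5500000000000004 amount=19.99
2024-03-01 10:09:03 ticket=1234567890123 status=refunded
"""

if __name__ == "__main__":
    redacted, n = redact_text(SAMPLE_LOG)
    print(redacted)
    print(f"{n} PAN(s) masked")
```

The third sample line shows the Luhn filter at work: the 13-digit ticket number is a candidate by length but is not masked.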

6  Development and Maintenance of Secure Systems and Software

All system components must have appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.

6.3  Security Vulnerabilities are Identified and Addressed.

•  Santa Barbara City College will identify and manage security vulnerabilities as follows: (PCI DSS Requirement 6.3.1)

    o  New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).

    o  Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.

    o  Risk rankings identify, at a minimum, all vulnerabilities considered to be high-risk or critical to the environment.

    o  Vulnerabilities for bespoke and custom software and for third-party software (for example, operating systems and databases) are covered.

•  All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (PCI DSS Requirement 6.3.3)

    o  Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.

    o  All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).

6.4  Protection of Public-Facing Web Applications Against Attacks

•  If third-party iframes are used to capture payment data on e-commerce websites managed by SBCC, all payment page scripts that are loaded and executed in the consumer’s browser are managed as follows: (PCI DSS Requirement 6.4.3)

    o  A method is implemented to confirm that each script is authorized.

    o  A method is implemented to assure the integrity of each script.

    o  An inventory of all scripts is maintained with written justification as to why each is necessary.

Implement Strong Access Control Measures

Access to system components and software within the cardholder data environment must be controlled and restricted to those with a business need for that access. This is achieved using active access control systems, strong controls on user and password management, and restricting physical access to critical or sensitive components and software to individuals with a “need to know”.

7  Restrict Access to System Components and Cardholder Data by Business Need to Know

Systems and processes must be in place to limit access to critical data and systems based on an individual’s need to know and according to job responsibilities.

7.2  Define and Assign Access to System Components and Data

•  Access is assigned to users, including privileged users, based on: (PCI DSS Requirement 7.2.2)

    o  Job classification and function.

    o  Least privileges necessary to perform job responsibilities.

8              Identify and Authenticate Access to System Components

It is critical to assign a unique identification (ID) to each person with access to critical systems or software. This ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Detailed authentication procedures should be developed and documented to meet the following policies.

8.1  Processes and Mechanisms for Identifying Users and Authenticating Access to System Components are Defined and Understood

•  All security policies and operational procedures that are identified in this section are documented, kept up to date, in use, and known to all affected parties. (PCI DSS Requirement 8.1.1)

8.2  User Identification and Related Accounts for Users and Administrators are Strictly Managed throughout an Account’s Lifecycle

•  Assign all users a unique ID before granting access to system components or cardholder data. (PCI DSS Requirement 8.2.1)

•  Only use group, shared, or generic accounts, or other shared authentication credentials, when necessary on an exception basis, and manage them as follows: (PCI DSS Requirement 8.2.2)

    o  Account use is prevented unless needed for an exceptional circumstance.

    o  Use is limited to the time needed for the exceptional circumstance.

    o  Business justification for use is documented.

    o  Use is explicitly approved by management.

    o  Individual user identity is confirmed before access to an account is granted.

    o  Every action taken is attributable to an individual user.

•  Immediately revoke access for terminated users. (PCI DSS Requirement 8.2.5)

•  Manage accounts used by third parties to access, support, or maintain system components via remote access as follows: (PCI DSS Requirement 8.2.7)

    o  Enabled only during the time period needed and disabled when not in use.

    o  Use is monitored for unexpected activity.

8.3  Authentication for Users and Administrators

•  All user access to system components for users and administrators is authenticated via at least one of the following authentication factors: (PCI DSS Requirement 8.3.1)

    o  Something you know, like a password or passphrase.

    o  Something you have, like a token device or smart card.

    o  Something you are, like a biometric element.

•  When passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows: (PCI DSS Requirement 8.3.5)

    o  Set to a unique value for first-time use and upon reset.

    o  Forced to be changed immediately after the first use.

•  When passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they must meet the following minimum level of complexity: (PCI DSS Requirement 8.3.6)

    o  A minimum length of 12 characters (or, if the system does not support 12 characters, a minimum length of 8 characters).

    o  Contain both numeric and alphabetic characters.

•  Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases they have used. (PCI DSS Requirement 8.3.7)

•  When passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation), then either: (PCI DSS Requirement 8.3.9)

    o  Passwords/passphrases are changed at least once every 90 days, OR

    o  The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
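The password rules in 8.3.5 through 8.3.9 expressed as enforceable checks, as an added example that is not the college's authentication system or any vendor product: length and character-class rules (8.3.6), a four-deep history compared by salted hash (8.3.7), a single-use reset value (8.3.5), and the 90-day rotation that applies only to single-factor access (8.3.9). The `Account` record, its per-account salt and the PBKDF2 round count are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed illustration of the rules in 8.3.5 - 8.3.9; the numbers are the
# policy's, the Account record and hashing scheme are assumptions.
MIN_LEN_FULL = 12        # 8.3.6
MIN_LEN_LEGACY = 8       # 8.3.6, only where the system cannot support 12
HISTORY_DEPTH = 4        # 8.3.7
ROTATION_DAYS = 90       # 8.3.9, single-factor access only
PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    # One salt per account so that equal passwords hash equally and history
    # can be compared without storing anything reversible.
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)  # oldest first
    last_set: datetime | None = None
    must_change: bool = True    # 8.3.5: initial/reset value is single-use
    single_factor: bool = True  # 8.3.9 applies only when passwords are the sole factor


def complexity_errors(password: str, supports_12: bool = True) -> list[str]:
    """Return the 8.3.6 rules the candidate violates (empty list = acceptable)."""
    min_len = MIN_LEN_FULL if supports_12 else MIN_LEN_LEGACY
    errors = []
    if len(password) < min_len:
        errors.append(f"shorter than {min_len} characters")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    if not any(c.isalpha() for c in password):
        errors.append("no alphabetic character")
    return errors


def reuses_recent(account: Account, password: str) -> bool:
    """8.3.7: reject a value equal to any of the last four passwords."""
    candidate = _hash(password, account.salt)
    return any(hmac.compare_digest(candidate, old)
               for old in account.history[-HISTORY_DEPTH:])


def set_password(account: Account, new_password: str, now: datetime,
                 supports_12: bool = True) -> list[str]:
    """Apply a user-chosen password; returns the list of rule violations."""
    errors = complexity_errors(new_password, supports_12)
    if reuses_recent(account, new_password):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    account.history.append(_hash(new_password, account.salt))
    account.last_set = now
    account.must_change = False
    return []


def reset_password(account: Account, now: datetime) -> str:
    """8.3.5: administrative reset to a unique temporary value that must be
    changed at first use. Returns the value for out-of-band delivery."""
    temp = secrets.token_urlsafe(12)
    account.history.append(_hash(temp, account.salt))
    account.last_set = now
    account.must_change = True
    return temp


def change_required(account: Account, now: datetime) -> str | None:
    """Reason a password change must be forced at login, or None."""
    if account.must_change:
        return "initial or reset value must be changed at first use (8.3.5)"
    if (account.single_factor and account.last_set is not None
            and now - account.last_set > timedelta(days=ROTATION_DAYS)):
        return f"password older than {ROTATION_DAYS} days (8.3.9)"
    return None
```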

8.4  Multi-Factor Authentication (MFA) Implementation

•  Implement MFA for all remote network access originating from outside the entity’s network that could access or impact the CDE, as follows: (PCI DSS Requirement 8.4.3)

    o  All remote access by all personnel, both users and administrators, originating from outside Santa Barbara City College’s network.

    o  All remote access by third parties and vendors.

9              Restrict Physical Access to Cardholder Data

Any physical access to data or systems that house cardholder data provides an opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. Detailed physical security procedures should be developed and documented to meet the following policies.

9.1  Processes and Mechanisms for Restricting Physical Access to Cardholder Data are Defined and Understood

•  All security policies and operational procedures that are identified in this section are documented, kept up to date, in use, and known to all affected parties. (PCI DSS Requirement 9.1.1)

9.2  Physical Access Controls

•  Implement physical and/or logical controls to restrict use of publicly accessible network jacks within the facility. (PCI DSS Requirement 9.2.2)

9.4  Securely Store, Access, Distribute, and Destroy Media with Cardholder Data

•  Santa Barbara City College will define specific procedures to physically secure all media, including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes. (PCI DSS Requirement 9.4.1)

•  Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site or a commercial storage facility. (PCI DSS Requirement 9.4.1.1)

•  Review the offline media backup location’s security at least annually. (PCI DSS Requirement 9.4.1.2)

•  Classify all media with cardholder data in accordance with the sensitivity of the data. (PCI DSS Requirement 9.4.2)

•  Maintain strict control over the external distribution of media with cardholder data, including the following: (PCI DSS Requirement 9.4.3)

    o  Media sent outside the facility is logged.

    o  Media is sent by secured courier or another delivery method that can be accurately tracked.

    o  Logs show management approval and tracking information. Retain media transfer logs.

•  Ensure management approves all media with cardholder data that is moved from a secured area, including when media is distributed to individuals. (PCI DSS Requirement 9.4.4)

•  Destroy hard-copy materials containing cardholder data when they are no longer needed for business or legal reasons, as follows: (PCI DSS Requirement 9.4.6)

    o  Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.

    o  Materials are stored in secure storage containers prior to destruction.

9.5  Protect Point-of-Interaction (POI) Devices from Tampering and Unauthorized Substitution

•  Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. (PCI DSS Requirement 9.5)

•  Maintain an up-to-date list of devices including the following: (PCI DSS Requirement 9.5.1.1)

    o  Make and model of the device.

    o  Location of the device.

    o  Device serial number or other method of unique identification.

•  Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics to verify it has not been replaced with a fraudulent device). (PCI DSS Requirement 9.5.1.2)

•  Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: (PCI DSS Requirement 9.5.1.3)

    o  Verify the identity of any third-party persons claiming to be repair or maintenance personnel before granting them access to modify or troubleshoot devices.

    o  Do not install, replace, or return devices without verification.

    o  Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).

    o  Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

11  Regularly Test Security Systems and Processes

Vulnerabilities are continually being introduced by new software and discovered in current software. System components, processes, and bespoke and custom software must be tested frequently to ensure security controls continue to reflect a changing environment. Detailed testing procedures should be developed and documented to meet the following policies.

11.3  Vulnerability Assessment Scans

•  External vulnerability scans must: (PCI DSS Requirement 11.3.2)

    o  Be performed at least every three months.

    o  Be performed by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).

    o  Be rescanned as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.

    o  Contain no vulnerabilities that are scored 4.0 or higher by the CVSS.

    o  Run on all external IP addresses that could be used to gain access to the cardholder data environment. (PCI DSS Requirement 11.3)

•  Ensure that the results of each quarter’s internal and external vulnerability assessments are documented and retained for review. (PCI DSS Requirement 11.3)

11.4  Penetration Testing

•  If segmentation is used to isolate the Cardholder Data Environment from other networks, Santa Barbara City College shall perform penetration tests on segmentation controls at least annually and after any changes to segmentation controls/methods. (PCI DSS Requirement 11.4.5) The penetration test must be conducted in accordance with Santa Barbara City College’s penetration testing methodology and must:

    o  Cover all segmentation controls/methods in use.

    o  Verify that the segmentation methods are operational, effective, and isolate the CDE from all out-of-scope systems.

    o  Confirm the effectiveness of any isolation used to separate systems with differing security levels.

    o  Confirm that all out-of-scope systems are isolated from in-scope systems.

    o  Be performed by a qualified internal resource or a qualified external third party.

    o  Be performed by a tester whose organizational independence Santa Barbara City College can demonstrate (the tester is not required to be a QSA or ASV).

11.6  Change Detection on Payment Pages

•  Where third-party iframes are deployed on e-commerce websites served from Santa Barbara City College e-commerce servers, a change-detection mechanism must be deployed that alerts personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) of the HTTP headers and the contents of payment pages as received by the consumer browser. This mechanism is configured to evaluate the received HTTP headers and payment page at least once every seven days or periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). (PCI DSS Requirement 11.6)
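One way to implement the 6.4.3 script inventory check and the 11.6 change detection together, as an added example that is not the college's tooling or any vendor's product: it snapshots the scripts (external ones by URL, inline ones by body hash) and a chosen set of HTTP headers of a payment page, compares the snapshot to a stored baseline, and flags any script that is missing from the written inventory. The page markup, headers, hostnames (`.invalid` domains) and the watched-header list are constructed; a real deployment would fetch the page as the consumer's browser receives it.

```python
from __future__ import annotations

import hashlib
from html.parser import HTMLParser

# Constructed illustration of the 6.4.3 inventory and the 11.6 change check;
# not the college's or any vendor's tooling. Which headers to watch is an
# assumption; these two are common choices for a payment page.
WATCHED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security")


def inline_id(body: str) -> str:
    """Stable identifier for an inline script: SHA-256 of its trimmed body."""
    return "inline:" + hashlib.sha256(body.strip().encode()).hexdigest()


class _ScriptCollector(HTMLParser):
    """Record each <script>: external ones by src, inline ones by body hash."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[str] = []
        self._inline: list[str] | None = None  # buffer while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(f"src:{src}")
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append(inline_id("".join(self._inline)))
            self._inline = None


def snapshot(html: str, headers: dict[str, str]) -> dict:
    """Capture what 11.6 asks to watch: page hash, script set, key headers."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return {
        "page_sha256": hashlib.sha256(html.encode()).hexdigest(),
        "scripts": sorted(set(parser.scripts)),
        "headers": {h: headers.get(h) for h in WATCHED_HEADERS},
    }


def unauthorized_scripts(snap: dict, inventory: dict[str, str]) -> list[str]:
    """6.4.3: every script on the page must appear in the written inventory."""
    return [s for s in snap["scripts"] if s not in inventory]


def compare(baseline: dict, current: dict, inventory: dict[str, str]) -> list[str]:
    """Alerts for header changes and script additions/removals since baseline."""
    alerts = []
    for name, old in baseline["headers"].items():
        new = current["headers"].get(name)
        if new != old:
            alerts.append(f"HEADER CHANGED: {name}: {old!r} -> {new!r}")
    old_set, new_set = set(baseline["scripts"]), set(current["scripts"])
    for s in sorted(new_set - old_set):
        note = "" if s in inventory else " (not in authorized inventory)"
        alerts.append(f"SCRIPT ADDED: {s}{note}")
    for s in sorted(old_set - new_set):
        alerts.append(f"SCRIPT REMOVED: {s}")
    if not alerts and current["page_sha256"] != baseline["page_sha256"]:
        alerts.append("PAGE CONTENT CHANGED: markup differs but scripts and headers match")
    return alerts


# --- constructed sample data (not a real page) --------------------------------
INLINE_BODY = 'document.getElementById("pay").src = "https://js.example-psp.invalid/frame";'
BASELINE_HTML = (
    "<html><head><title>Pay</title>\n"
    '<script src="https://js.example-psp.invalid/checkout.js"></script>\n'
    '</head><body><iframe id="pay"></iframe>\n'
    "<script>" + INLINE_BODY + "</script>\n</body></html>"
)
BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://js.example-psp.invalid",
    "Strict-Transport-Security": "max-age=31536000",
}
INVENTORY = {  # script identifier -> written business justification (6.4.3)
    "src:https://js.example-psp.invalid/checkout.js": "PSP hosted-field loader",
    inline_id(INLINE_BODY): "Mounts the PSP payment iframe",
}
# A later fetch in which the CSP header is gone and an unexpected script appeared.
CURRENT_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://cdn.example.invalid/tag.js"></script></body>')
CURRENT_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    base = snapshot(BASELINE_HTML, BASELINE_HEADERS)
    print("unauthorized at baseline:", unauthorized_scripts(base, INVENTORY))
    for alert in compare(base, snapshot(CURRENT_HTML, CURRENT_HEADERS), INVENTORY):
        print(alert)
```

A modified inline script shows up as one SCRIPT REMOVED plus one SCRIPT ADDED alert, since its identifier is its content hash.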

Maintain an Information Security Policy

Without strong security policies and procedures, many of the layers of security controls become ineffective at preventing data breach.  Unless consistent policy and practices are adopted and followed at all times, security controls break down due to inattention and poor maintenance. The following documentation policies address maintaining the Santa Barbara City College security policies described in this document.

12           Support Information Security with Organizational Policies and Programs

A strong security policy sets the security tone for Santa Barbara City College and informs employees and vendors what is expected of them. All employees and vendors should be aware of the sensitivity of data and their responsibilities for protecting it.

12.1         Establish, Publish, Distribute, and Maintain the Information Security Policy

          Santa Barbara City College requires that the most recent version of the information security policy be published and disseminated to all relevant system users (including vendors, contractors, and business partners).  (PCI DSS Requirement 12.1)

          The Santa Barbara City College information security policy must be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.  (PCI DSS Requirement 12.1.2)

          The security policy must clearly define the information security roles and responsibilities for all personnel, and all personnel must be aware of and acknowledge their information security responsibilities. (PCI DSS Requirement 12.1.3)

12.6         Security Awareness Program

A formal security awareness program must exist and participation is required for all employees working within the cardholder data environment.  (PCI DSS Requirement 12.6.1)

12.7         Personnel Screening

Potential employees/personnel with access to the CDE will be screened prior to hire within the constraints of local laws. (PCI DSS Requirement 12.7)

12.8         Policies for Working with Third Party Service Providers (TPSPs)

          To conform to industry best practices, due diligence must be performed before engaging a new service provider, and current service providers that store, process, or transmit cardholder data on Santa Barbara City College's behalf must be monitored. Service providers that could affect the security of cardholder data are also in scope of this policy.

          Santa Barbara City College shall maintain a documented list of all applicable service providers in use and the services they provide. (PCI DSS Requirement 12.8.1)

          A written agreement with all applicable service providers is required and must include an acknowledgement of the service providers' responsibility for securing all cardholder data they receive from or on behalf of Santa Barbara City College, or to the extent that they could affect the security of a cardholder data environment. (PCI DSS Requirement 12.8.2)  Prior to engaging an applicable service provider, a thorough due diligence process must be followed. (PCI DSS Requirement 12.8.3)  In addition, the service provider must agree to provide compliance validation evidence on an annual basis. (PCI DSS Requirement 12.8.4)

          Santa Barbara City College shall annually review evidence provided by applicable service providers demonstrating their continuing PCI DSS compliance. (PCI DSS Requirement 12.8.4)

          Santa Barbara City College shall maintain a list of which PCI DSS requirements are managed by each service provider, which are managed by Santa Barbara City College, and any that are shared between the service provider and Santa Barbara City College. (PCI DSS Requirement 12.8.5)

12.10   Incident Response Plan Policies

Incidents or suspected incidents regarding the security of the Cardholder Data Environment or cardholder data itself must be handled quickly and in a controlled, coordinated and specific manner.  An incident response plan (IRP) must be developed and followed in the event of a breach or suspected breach.  The following policies specifically address the Santa Barbara City College IRP:

          Santa Barbara City College must maintain a documented IRP and be prepared to respond immediately to a system breach. (PCI DSS Requirement 12.10)

          The IRP must clearly define roles and responsibilities for response team members. (PCI DSS Requirement 12.10.1)

          The IRP must define contact/communication strategies to be used in the event of a compromise including notification of payment brands.  (PCI DSS Requirement 12.10.1)

          The IRP must define specific incident response procedures to be followed for different types of incidents.  (PCI DSS Requirement 12.10.1)

          The IRP must document business recovery and continuity procedures.  (PCI DSS Requirement 12.10.1)

          The IRP must detail all data backup processes.  (PCI DSS Requirement 12.10.1)

          The IRP must contain an analysis of all legal requirements for reporting compromises of cardholder data (for example, California Senate Bill 1386 (SB 1386), which requires notification of affected consumers in the event of an actual or suspected compromise of California residents' data).  (PCI DSS Requirement 12.10.1)

          The IRP must address coverage and responses for all critical system components.  (PCI DSS Requirement 12.10.1)

          The IRP must include or reference the specific incident response procedures from the payment brands.  (PCI DSS Requirement 12.10.1)

 


Appendix A – Management Roles and Responsibilities

Assignment of Management Roles and Responsibilities for Security

As required by policy in Section 12.5 of this security policy, the following table contains the assignment of management roles for security processes.

Table A1 - Management Security Responsibilities

Name of Role, Group, or Department | Date Assigned | Description of Responsibility

Information Technology Department | Feb 2022 | Establish, document, and distribute security policies

Information Technology Department | Feb 2022 | Monitor, analyze, and distribute security alerts and information

Information Technology Department | Feb 2022 | Establish, document, and distribute security incident response and escalation policies

Information Technology Department, and Managers of departments containing a merchant environment | Feb 2022 | Administration of user accounts on systems in the cardholder data environment

Managers of departments containing a merchant environment | Feb 2022 | Monitor and control all access to cardholder data


Appendix B – Agreement to Comply

Agreement to Comply with Information Security Policies

All employees working with cardholder data must submit a signed copy of this form. Santa Barbara City College management will not accept modifications to the terms and conditions of this agreement. Employees should print, sign, and scan this document (signing digitally with Adobe Sign is also permissible) and send it via email to infosec@sbcc.edu.

 

As an alternative to printing this form, employees may fill out the Agreement to Comply with PCI Information Security Policy Form online at the following link: https://forms.gle/BkBPQc8ZQZQLLYib8

 

__________________________________________

Employee’s Printed Name

__________________________________________

Employee’s Department

__________________________________________

Employee’s Telephone Number

__________________________________________

Employee’s Physical Address and Mail Location

I, the user, agree to take all reasonable precautions to assure that Santa Barbara City College internal information, or information that has been entrusted to Santa Barbara City College by third parties, such as customers, will not be disclosed to unauthorized persons. At the end of my employment or contract with Santa Barbara City College, I agree to return to Santa Barbara City College all information to which I have had access as a result of my position with Santa Barbara City College. I understand that I am not authorized to use this information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the internal Santa Barbara City College manager who is the designated information owner.

I have access to a copy of the Santa Barbara City College Information Security Policies Manual, I have read and understand the manual, and I understand how it affects my job. As a condition of continued employment at Santa Barbara City College, I agree to abide by the policies and other requirements found in that manual. I understand that non-compliance will be cause for disciplinary action up to and including system privilege revocation, dismissal from Santa Barbara City College, and perhaps criminal and/or civil penalties.

I agree to choose a difficult-to-guess password as described in the Santa Barbara City College Information Security Policies Manual, I agree not to share this password with any other person, and I agree not to write this password down unless it has been transformed in an unrecognizable way.

I also agree to promptly report all violations or suspected violations of information security policies to the Information Technology department security team at infosec@sbcc.edu.

__________________________________________

Employee’s Signature

PCI Information Security Policy
©2024 SecurityMetrics, Inc. All Rights Reserved. Used by permission